Without adequate software security, from voter registration through the certification of results, electoral trust can be called into question.
It’s fair to say that regardless of where you live, assuming you have democratic elections, you want your vote to count—without any form of external influence or tampering. It’s also fair to say that until the most recent election cycle, for many Americans, election tampering was pretty low on their list of things to worry about. But since the 2016 election, we’ve seen investigations into what impact foreign governments might have had on the electoral process, how social media might have influenced the perception of candidates, and even how data brokers like Cambridge Analytica could be part of how campaigns target specific voters.
All these are legitimate concerns, but as with most aspects of modern life, there’s a technology component getting lost. Next week the annual Black Hat conference will occur in Las Vegas, and as you’d expect, we have a session on electronic voting. In this session, a forensic analysis of the notoriously insecure WinVote machines used in Virginia elections from 2004 through 2015 will be presented. This session is particularly interesting in that it’ll move beyond issues of insecure configurations, well-known administrator passwords, and lack of a patch process.
This is of interest to me as earlier this year I wrote an article asking the question of whether open source voting software would be more secure than proprietary counterparts. The answer, of course, was the proverbial “You get out of it what you put in,” and that’s really the question. In the 2018 Open Source Security and Risk Analysis report, we found that the average commercial software package contained 64 vulnerabilities—up 134% from the prior year. Making matters worse, the average age of those vulnerabilities was six years. Put another way, if enterprises struggle to keep their systems secure and avoid major breaches like what we saw with Equifax, how are we going to properly secure electoral systems from attack and exploit when elections by definition happen every few years?
Electoral trust is created through a series of successful elections without irregularities. Unfortunately, without adequate security throughout the process, from voter registration through the certification of an election, trust can be called into question. This requires us to look at the security of not just federal elections but also the supporting components at the state level. For example:
A malicious actor intent on discrediting our electoral process has multiple opportunities to attack within this process. To counter this sophisticated threat, a detailed model of potential attacks and weaknesses must be created. The model should identify weaknesses in the applications used, in how the applications are configured and networked, and in how the entire system is administered. These tasks are commonplace within corporate America, but as the Equifax breach last year demonstrated, even with the resources available to a public company, hackers will breach defenses. Unfortunately for us, the periodic nature of our election cycle doesn’t permit continuous improvement of our voting apparatus against evolving cyber threats to the same degree a corporate data center experiences.
Resolving these issues will clearly require a concerted effort at the federal and state levels. On July 23, a number of U.S. state attorneys general sent an open letter to the chairman of the House Homeland Security Committee. In this letter, they prioritized their concerns and expressed a desire to develop cyber security standards for electoral systems. This follows on the heels of several states announcing funding to update electoral security. As we all know, security is a process, not an act, and it’s my hope that with each new funding act and legislation, we recognize electoral security is also a process to counter motivated threats. After all, it takes only one lapse in security within the systems in one state to foster concerns for the electoral process.