A group of security experts, organised through US-based nonprofit the Information Technology – Information Sharing and Analysis Center (IT-ISAC), have come together to pilot a “clear and concerted approach” to establishing a process under which the cyber community and providers of election technology such as voting machines can work together to enhance election security and help renew public faith in the political process.
Given the Russia-influenced cyber attacks that tainted previous elections in the US, and with the next presidential election a little over a year away, concerns are growing in many quarters that despite facing multiple criminal proceedings, disgraced former president Donald Trump may yet present an electable alternative to the current incumbent, Joe Biden.
But the core of the problem lies less in the world of political intrigue and nation-state espionage, and rather in the nature of how elections are conducted in the US, a country that has made significant strides towards digitising its electoral processes. In doing so, it has increased the cyber risk to its political process in a way that countries such as the UK – where voting is still done with pencil and paper with votes counted manually – have not.
As such, the newly created Election Security Research Forum proposes to get out in front of the election’s cyber problem, bringing together security experts and companies including ethical hacking firms Bugcrowd and HackerOne, Microsoft, and Protect AI, as well as nonprofits such as the Center for Internet Security, and former state and local election officials.
It’s being facilitated by IT-ISAC’s Elections Industry Special Interest Group (EI-SIG) and hosted by MITRE, which is opening up its own labs for technology testing.
“This forum was a long time in the making and we are grateful and thrilled that it has come together,” said Scott Algeier, IT-ISAC executive director. “We are thankful to each election systems provider, researcher and advisory board member who has worked tirelessly to make this happen.
“The experience and lessons learned from the last three days are invaluable to the elections industry and to democracy. We look forward to the lasting relationships this forum has provided and what the future holds for more Election Security Research Forums.”
As its first step, the Forum has enlisted three prominent researchers to probe the cyber resilience of some of the new election technology that will be fielded in 40 of the 50 states next autumn.
This technology includes systems developed by Election Systems & Software, Hart InterCivic, and Unisyn Voting Solutions, and the equipment in scope will include digital scanners, ballot-marking devices and electronic pollbooks, with the primary focus being on the technology that Americans will encounter when they step into the voting booths on 5 November 2024.
Across all of the participating companies, the configuration of the software to be tested has yet to be deployed in a live environment, although some of the hardware is already in use.
Both the researchers and companies involved have committed to following Coordinated Vulnerability Disclosure policies and best practice, including timelines for public disclosure of any nasties they may find.
New vulnerabilities uncovered will be addressed through direct collaboration from all sides to evaluate whether or not they would impact the correct operation of the system in question. Additionally, the researchers and manufacturers will take into account if any existing compensating controls are in place to either reduce or eliminate the risk or severity of a validated vulnerability.
Existing controls
The technology used in US elections already conforms to a strict set of cyber and physical security guidelines, and must comply with federal testing and certification standards known as the Voluntary Voting System Guidelines. Most US states require compliance with these guidelines, and several have adopted even stricter methods.
Some of the measures already mandated under the guidelines include system-hardening, role-based access and multi-factor authentication; the use of hardened and encrypted flash drives to protect voting information in transit from polling stations; and strict internal security training.
On the physical side, measures include 24/7 video surveillance of storage facilities where equipment is kept; secure containers to house it in transit; and the use of tamper-evident seals.
As such, the Forum said voters should be able to trust the equipment they use to cast ballots because of the robust and accountable design of the process. Its work is intended to go a step further to add even more transparency to this process, with the goal being just as much public education as it is improving resilience.
It’s also important to note that not all vulnerabilities are equal in their severity, and the fact that one may be discovered doesn’t automatically mean it will be exploited, or exploitable, especially at the scale needed to alter the result, whatever that may be.