SAN FRANCISCO—With voters heading to the polls later this year, securing American elections was a frequent theme at the RSA Conference, but voting machines have taken a backseat to concerns like voting rolls and the software used to report outcomes.
Aaron Wilson, Senior Director of Election Security at the Center for Internet Security (CIS), says his organization has the solution.
Bringing Down an Election in 3 Simple Steps
Election technology is more than just voting machines, Wilson explained.
Electronic poll books, for example, contain lists of eligible voters, election night reporting systems, voter registration systems, and the electronic ballot delivery used by citizens living overseas.
And those books have "a greater attack surface than our voting systems because [they're] internet-connected in one way or another," he said.
Take the app used to report Iowa caucus results, where poor design led to a long delay in releasing the results.
Denial-of-Service Attack
Wilson has three election-related concerns he believes are likely to occur.
The first is a denial of service (DoS) attack.
In this scenario, attackers might flood critical websites or services with bogus requests that make them unusable. It's “particularly concerning to me because you know exactly when to wage the attack," Wilson said.
Ransomware Attack
Similarly, Wilson fears a ransomware attack, which could hold critical infrastructure or data hostage and throw an election into chaos.
Last year was a banner year for ransomware, with hospitals and municipalities among those victimized.
As with a DoS attack, the bad guys would know that if they launch the attack the day of the election, it will be much harder for officials to recover and report results.
These two attacks offer "the best return on investment for a rational attacker...and we agree that they are rational actors," Wilson said.
Unauthorized Data Modification
The last likely attack Wilson imagines is unauthorized data modification.
This would include “anything from website defacement to manipulation of results transmitted to an online portal.” A defaced website might be used to spread disinformation, perhaps incorrect dates or voting locations.
Vote totals being manipulated is a real nightmare scenario, and demonstrates how outcomes could be swayed or confidence in elections shaken without touching the voting machines or ballots.
Back It Up Early and Often
Election technology has always been a bit of a niche industry, and that’s even more true for supporting technologies, Wilson said.
Of the companies that serve this space, the largest has 40 to 50 employees.
Wilson and the CIS have compiled 160 best practices, which are divided into groups ranging from easy to advanced tactics, so companies can quickly raise baseline security.
“While we geared it for technology providers we also wanted to give election officials something to read and understand,” said Wilson.
The goal is to “teach them the right questions to ask of their technology providers and of their staff.”
Companies and election organizations should, for example, set up backup communications in case established lines are disabled.
During the Iowa caucuses, the backup phone number for reporting results was tied up by trolls from 4chan.
Recommended by Our Editors
Wilson also emphasized advanced planning.
Individuals should know their roles in an emergency situation, for example.
He also stressed that companies and election agencies should have complete system backups of their equipment and train on how to quickly access and distribute those backups.
Banishing Complex, Costly Equipment Updates
CIS also designed a system for testing and validating systems and updates to those systems, called RABET-V.
“Current voting system process doesn’t support change very well,” said Wilson.
“Change, including security patches, are expensive to deploy.”
Other speakers at the RSA Conference touched on the issue of certifying voter equipment, where there are currently "disincentives to updating that equipment," said Jeffrey Rothblum, Senior Professional Staff Member on the Senate Homeland Security and Governmental Affairs Committee.
The issue is that to apply an update requires that the equipment be re-certified, creating a "false choice between a certified thing versus a more secure thing," Rothblum said.
With RABET-V, a system might take 2-3 months to pass an initial review, but subsequent reviews would be much faster.
A RABET-V pilot program launched this month with two poll book systems, two result reporting systems, and one auditing platform, and the goal is to further refine RABET-V and make it a viable process.
“We’re submitting we can reduce the cost of re-verification of a system,” said Wilson.
“But we need to be able to prove that.”