Connecting state and local government leaders
“When it comes to hackers you have to think in terms of an ongoing arms race, which is not very comforting to people in elections,” according to a chief technologist with the Center for Democracy and Technology.
State and local elections officials need to build relationships with their government IT personnel and information security community in the wake of Russian efforts to scan 21 state election systems for vulnerabilities last cycle, cybersecurity experts said Wednesday at a U.S. Election Assistance Commission roundtable.
The U.S. Department of Homeland Security officially notified the chief election officials in those states on Sept. 22 that they had been targeted by hackers, although news of the cyberattacks was leaked in June.
“Up until the beginning of 2016, the elections environment seemed like a pristine meadow with a bunch of rabbits hopping around, and I think what we see now is some wolves in that meadow,” said Joe Lorenzo Hall, Center for Democracy and Technology chief technologist on its Internet Architecture project. “And there are some deep holes in that meadow—things that are out to get you but also things you can stumble into that unfortunately cause problems.”
Nation-states are increasingly targeting U.S. elections systems seeking both intelligence and to undermine the credibility of the process, said Ben Spear, Multi-State Information Sharing and Analysis Center senior intelligence analyst, but more traditional cyber criminals are interested in elections as well. That make information sharing critical.
But cybersecurity is often a zero sum game, where focusing on shoring up elections systems forces cash-strapped jurisdictions, absent grants, to pull funds from other areas.
Officials in the city and county of Denver, including CIO Scott Cardenas and Elections Director Amber McReynolds have overseen a new partnership intended to foment a culture of securing elections. Both entities committed themselves to a framework and embraced a “freeze window,” where the city freezes technology around the election system to allow for easier patching and securing of assets.
“When it comes to hackers you have to think in terms of an ongoing arms race, which is not very comforting to people in elections,” Lorenzo Hall said.
Any IT that is used needs to be accounted for in threat modeling, he added.
Spear stressed the importance of maintaining logs, tracking features within them for anomalies and collecting as much information as possible to be stored for at least 90 days, though some cases he’s dealt with have gone back more than a year.
“Don’t be so full of pride that you don’t want to bring anyone into your house,” said Tom Connolly, New York State Board of Elections director of operations, to fellow elections officials.
CDT uses white hat hackers, the good ones, to prepare for the worst black hat hackers whenever possible.
Meanwhile, New York’s elections board has already embarked on a number of outside partnerships. Google’s Project Shield balances loads when a large number of users flood the board’s site to check returns, and if they haven’t been updated a copy of the current tally is provided. More importantly, Project Shield protects against distributed denial of service attacks that could prevent users from accessing returns entirely—casting doubt on the process.
The board also provided information on poll site locations to the Voting Information Project so that there would be redundant data available should a hacker crash their election system.
“It’s important to have those redundancies built into the process,” Connolly said.
Government IT and elections officials should be thinking about the “attack surface,” what infrastructure to protect in other words, and run through scenarios such as what they would do in the event a ransomware attack shut down their poll worker model or an undetectable change was made somewhere, Lorenzo Hall said.
McReynolds worries about a scenario in which local election returns don’t match state or national returns—a chaotic event. Groups like the Election Verification Network provide cyber checklists that give all stakeholders an idea of what to plan against.
“I’m a big supporter of the critical infrastructure designation,” she said, referring to the Obama administration's January designation of election systems—opposed by NASS as a broad federal overreach.
But McReynolds applauded it because it’s opened the door for partnerships between governments and the infosec community.
“Find out who your local IT guy is,” Connolly said. “Become their new best friend.”
Dave Nyczepir is a News Editor at Government Executive’s Route Fifty and is based in Washington, D.C.