Connecting state and local government leaders
Elections officials and vendors are moving forward with plans to roll out vulnerability disclosure programs to help detect problems before the presidential election.
Hackers and security researchers have long worked with technology companies to discover and fix security vulnerabilities. Now, Ohio will become the first state to set up a vulnerability disclosure policy to help the Secretary of State’s office find and fix election-related problems before people head to the polls.
Ohio Secretary of State Frank LaRose announced a policy this month that covers websites related to the election and voter registration.
“Make no mistake, our nation’s enemies will be looking to disrupt our elections, and our websites and databases are among their top targets,” LaRose said in a statement. “By putting this policy in place, we’ll be able to work with cybersecurity researchers to find our vulnerabilities before the bad guys do.”
Under the policy, researchers who find weaknesses in the state’s websites are asked to report them through a specific email address and not to publicly disclose their findings for 120 days—giving the state time to fix any issues. Researchers will be notified of the fix and given the ability to test and verify that the remediation has been successful.
The policy does not cover voting equipment like machines and electronic pollbooks.
Much of the recent public discussion about the upcoming presidential elections has centered on increasing mail or early voting options so that people can avoid crowded polling places amid the coronavirus pandemic. Concerns about the ability of the U.S. Postal Service to actually deliver all of the ballots people could mail this fall have also surfaced.
But since U.S. intelligence officials confirmed the extent of Russian interference in the 2016 elections, ensuring that the election is not tainted by foreign actors has also remained a constant concern for election officials.
“We recognize the conversation has shifted in some respects, but our members are taking very seriously the cyber threats,” said Scott Algeier, executive director of the Information Technology-Information Sharing and Analysis Center (IT-ISAC), a non-profit that serves as a clearinghouse for information on cyberthreats to critical infrastructure.
Coordinated vulnerability disclosure programs are important in the elections industry because they “build trust between researchers and the technology providers and the state officials,” Algeier said.
Efforts have been underway for several years to encourage disclosure programs in the elections space.
The Cybersecurity and Infrastructure Security Agency (CISA) last month released a guide for election administrators that walks them through the process of establishing a vulnerability reporting program.
“Cybersecurity researchers can be great and responsible partners in this effort and we are creating this guide as a way to help state and local election officials understand the support they can offer and how to work with them in our collective, whole of nation effort to protect our elections,” said CISA Director Christopher Krebs.
Krebs called Ohio’s disclosure policy “major progress in bringing together researchers and election officials to secure our election systems.”
A group of IT-ISAC members who work in the elections industry have also explored the concept of creating a vulnerability disclosure program related to election equipment. In a white paper released Wednesday, the group said its members, including elections equipment vendors, are currently finalizing their own individual corporate vulnerability disclosure policies.
One vendor, Election Systems and Software, released its own policy last month.
Andrea Noble is a staff correspondent with Route Fifty.