Before the Election, States Need to Test their Cybersecurity Continuously

We are now just a few short months away from the 2020 U.S. presidential election, and we know that the Russian government will try again to interfere in the election through disinformation campaigns and by manipulating electoral outcomes through cyberspace. Election systems in all 50 states were likely targeted in the 2016 election. Today the risks are higher. The United States faces a compound risk of national political and economic instability following the onset of the coronavirus and political unrest, and the Russian government knows that it has an opportunity to disrupt the U.S. democratic process with limited investment as it did in the past.

The good news is many states and localities have invested in cybersecurity and counter-disinformation capabilities since 2016 — including paper voting, incident management processes, and cybersecurity technologies to protect voter registration databases. Political campaigns have also invested, including through non-profit organizations that bring vendors to campaigns and political organizations. While most states and campaigns have spent to prepare for electoral interference, those that are behind will need to up their preparations immediately as the planning window for new initiatives is closing; adversaries are preparing now to conduct operations and it takes time for states and organizations to build effective security. For those that have already invested, now is the time to test and exercise for intrusion scenarios and disruptions. Resources are available to do both.

Historical Context

First, some context for where we are now. U.S. states, territories, and localities have responsibility for election security and each manages its electoral process differently. The federal government provides support to all of the states in the process, and since 2016 Congress has allocated funds to help. The Consolidated Appropriations Act of 2018 and the Consolidated Appropriations Act of 2020 distributed $380 million and $425 million respectively to the states. Funding could be used to replace paperless voting machines, conduct post-election audits, address cyber vulnerabilities in election systems, provide election officials with cybersecurity training, institute election system cybersecurity best practices, and make other improvements to the security of federal elections. Funding is insufficient for demand, however, and the federal government offers a number of no-cost resources to help states secure their electoral processes.

No Cost Federal Resources

The Department of Homeland Security (DHS) is the principal federal agency for helping the states with their election security. Under DHS, the Cybersecurity and Infrastructure Security Agency (CISA) offers a suite of services for everything from incident response to vulnerability testing to IT procurement. Electoral agencies can also join the Election Infrastructure and Information and Analysis Center (EI-ISAC) for free. The EI-ISAC gives agencies “access to an elections-focused cyber defense suite, including sector-specific threat intelligence products, incident response and remediation, threat and vulnerability monitoring, cybersecurity awareness and training products, and tools for implementing security best practices.”

Private and non-profit organizations are also helping the states to prepare. After the 2016 election, the Harvard Kennedy School launched the Defending Digital Democracy initiative, an organization staffed by former national security leaders, bipartisan campaign managers, and technology leaders from across the United States. Through tabletop exercises and online resources, Defending Digital Democracy has helped educate every secretary of state office across the United States to prepare for incidents and improve their capabilities. The team recently published The Elections Battle Staff Playbook, which gives election officials detailed guidance to build their own operations teams.

Sporadic and Limited Risk Assessments

For penetration testing and security assessments, the federal government offers services for free to states, localities, and private organizations. It is a significant improvement that the federal government has built up CISA to support states and localities in improving their cybersecurity in advance of the election. These resources are limited, however, as the agency needs to prioritize its resources to customers on the basis of national mission needs and other considerations. The new agency notes that it is taking proactive steps and creating new services, such as remote penetration testing, to assist stakeholders with security-relevant issues — but that problems of scale will remain, particularly under the coronavirus.

The Benefit of Continuous Testing and Validation

Amongst its suite of no-cost services, CISA offers a one-week penetration test. Yet a once-annual red-team or penetration test conducted in June is insufficient to validate cybersecurity effectiveness in October. Systems fail constantly and silently. In 2019, the Verizon Data Breach Investigation report found that 82% of successful enterprise breaches should have been stopped by existing security controls but weren’t. Misconfiguration and errors in operational execution happen all the time, and sporadic, limited testing makes it impossible to set priorities and assure effectiveness as the election approaches. Governors cannot rely on a one-off penetration test that validates 3 of 800 assets.

In advance of the election, electoral agencies need to prepare and test their cybersecurity against known threats continuously. This practice makes security more tractable, manageable, and effective. That is why AttackIQ’s cybersecurity optimization platform tests security controls against MITRE ATT&CK tactics, techniques, and procedures. By continuously testing security controls against known threat behaviors (as frequently as they want), electoral organizations can assess their cybersecurity performance, identify security failures and gaps, and prioritize the improvements that matter most for risk management. The net result will be an overall improvement in cybersecurity effectiveness of the electoral system.