Welcome to DU!
The truly grassroots left-of-center political community where regular people, not algorithms, drive the discussions and set the standards.
Join the community:
Create a free account
Support DU (and get rid of ads!):
Become a Star Member
Latest Breaking News
General Discussion
The DU Lounge
All Forums
Issue Forums
Culture Forums
Alliance Forums
Region Forums
Support Forums
Help & Search
Security Week: The Incentive to Disrupt Elections has Never Been Higher
https://www.securityweek.com/incentive-disrupt-elections-has-never-been-higher. . .
Attacks on the sanctity of the ballot box have already begun. Readers of this column will be familiar with some of the examples:
• In the 2016 election cycle, we know that Russian actors probed the voter registration systems of at least 20 states.
• We’ve seen denial of service and ransomware attacks targeting state and local election agencies.
• FireEye recently reported on Russian actors APT28 and Sandworm Team recently compromising multiple governments in Europe in advance of elections.
• The vulnerabilities in voting machines are myriad, have been well documented, and yet equipment makers continue to sell these outdated machines. FireEye Intelligence has observed voting machines for sale in underground criminal forums, for attackers to practice against.
• National parties and candidates’ organizations themselves have been targeted repeatedly.
• State-sponsored misinformation campaigns have dominated the headlines recently.
Fortunately, the U.S. government has taken some steps to address these issues. The 2018 Help America Vote Act (HAVA) allocated $380M, “to improve the administration of elections for Federal office, including to enhance election technology and to make election security improvements.” States are able to use allocations from this fund to purchase new voting equipment that provides a paper record of the voter’s intent, implement audit systems, upgrade computer systems, facilitate cyber security training for election officials, implement cyber security best practices, and fund other cyber security-related activities.
It’s a good start, but as of September 30, 2018, just $31.4M (8.3% of the total allocated) had been spent by the states. Of that total, $18M was on cyber security, and just under $11M was used for new voting machines. You might think that the states have been slow to make their requests, but all states and territories have indeed submitted their requests and received their grants. Some states have detailed plans for improving their cyber security—for example South Carolina intends to spend $525,000 to conduct comprehensive risk and vulnerability assessments of their voter registration systems, remediate findings, conduct a penetration test of their e-poll book, and implement network monitoring solutions. Rhode Island intends to spend $734,000 to implement database activity monitoring, asset management systems, and a Security Information and Event Management system (SIEM) for their voting environment—in addition to budgeting for the necessary people to manage these tools.
On the other hand, several states have requested no funding for cyber security, or only token amounts—e.g., funding a small vulnerability assessment, but no budget for remediation. It’s possible that these states had already allocated their own funds toward election security and don’t need the HAVA grant funding. However, I have yet to work with a state government that felt adequately funded for cyber security. I suspect one reason for the slow uptake is just a lack of answers: beyond the obligatory assessments and vulnerability scans, what should election agencies be doing to properly secure their environments, protect voter information, and the ensure integrity of the vote? These are complex and highly distributed systems, and it’s not an easy answer, but one that I hope to explore more in future columns.
It’s also my hope that we can properly fund more robust security for candidates’ organizations and national parties. Individual candidates are running campaigns on a shoestring budget, and a dollar spent to secure a database is one that isn’t used on a yard sign. It’s tough to prioritize security if funds aren’t specifically earmarked, but compromised campaigns can have global implications—as we saw when the Clinton campaign was hacked in 2016, perhaps tipping the outcome of the election.
Attacks on the sanctity of the ballot box have already begun. Readers of this column will be familiar with some of the examples:
• In the 2016 election cycle, we know that Russian actors probed the voter registration systems of at least 20 states.
• We’ve seen denial of service and ransomware attacks targeting state and local election agencies.
• FireEye recently reported on Russian actors APT28 and Sandworm Team recently compromising multiple governments in Europe in advance of elections.
• The vulnerabilities in voting machines are myriad, have been well documented, and yet equipment makers continue to sell these outdated machines. FireEye Intelligence has observed voting machines for sale in underground criminal forums, for attackers to practice against.
• National parties and candidates’ organizations themselves have been targeted repeatedly.
• State-sponsored misinformation campaigns have dominated the headlines recently.
Fortunately, the U.S. government has taken some steps to address these issues. The 2018 Help America Vote Act (HAVA) allocated $380M, “to improve the administration of elections for Federal office, including to enhance election technology and to make election security improvements.” States are able to use allocations from this fund to purchase new voting equipment that provides a paper record of the voter’s intent, implement audit systems, upgrade computer systems, facilitate cyber security training for election officials, implement cyber security best practices, and fund other cyber security-related activities.
It’s a good start, but as of September 30, 2018, just $31.4M (8.3% of the total allocated) had been spent by the states. Of that total, $18M was on cyber security, and just under $11M was used for new voting machines. You might think that the states have been slow to make their requests, but all states and territories have indeed submitted their requests and received their grants. Some states have detailed plans for improving their cyber security—for example South Carolina intends to spend $525,000 to conduct comprehensive risk and vulnerability assessments of their voter registration systems, remediate findings, conduct a penetration test of their e-poll book, and implement network monitoring solutions. Rhode Island intends to spend $734,000 to implement database activity monitoring, asset management systems, and a Security Information and Event Management system (SIEM) for their voting environment—in addition to budgeting for the necessary people to manage these tools.
On the other hand, several states have requested no funding for cyber security, or only token amounts—e.g., funding a small vulnerability assessment, but no budget for remediation. It’s possible that these states had already allocated their own funds toward election security and don’t need the HAVA grant funding. However, I have yet to work with a state government that felt adequately funded for cyber security. I suspect one reason for the slow uptake is just a lack of answers: beyond the obligatory assessments and vulnerability scans, what should election agencies be doing to properly secure their environments, protect voter information, and the ensure integrity of the vote? These are complex and highly distributed systems, and it’s not an easy answer, but one that I hope to explore more in future columns.
It’s also my hope that we can properly fund more robust security for candidates’ organizations and national parties. Individual candidates are running campaigns on a shoestring budget, and a dollar spent to secure a database is one that isn’t used on a yard sign. It’s tough to prioritize security if funds aren’t specifically earmarked, but compromised campaigns can have global implications—as we saw when the Clinton campaign was hacked in 2016, perhaps tipping the outcome of the election.
1 replies
= new reply since forum marked as read
= new reply since forum marked as read
