Measures to improve voting security need to start long before election day itself
By Craig Hinkley, Chief Executive Officer, WhiteHat Security, a wholly-owned, independent subsidiary of NTT Ltd.
U.S. election security shouldn’t be a controversial issue. But it is. Although there are legitimate quarrels over partisan election districting and attempts at voter suppression, the integrity of the balloting process itself, with only minor exceptions, has been upheld in election after election at virtually every level of government.
Two developments have thrown that record of integrity off track. One comes from the White House’s accusations that an election that relies heavily on paper mail-in ballots is corrupt. The other involves the growing use of electronic technologies such as voter registration files, voting machines, ballot counters, and election reporting systems – all of which, at least in theory, are potentially vulnerable to hacking.
Ransomware extortion, denial of service attacks, and abuse of personal data from voter registration records are all possibilities, so voters are understandably concerned.
Members of Congress – all of whom are elected through that same process – have their concerns. As a result, during 2018 and 2019, the federal government allocated $805M to states to upgrade election security. Almost all of it – 90 percent – went to new voting machines and other cybersecurity projects for the elections[1]. Predictably, though, many observers felt that there still wasn’t enough money to safeguard registration databases, tabulate votes, conduct post-election audits, and secure better voting machines – all of which are key to election integrity.
Brain hacking
Of course, there is merit to some of these complaints; the processes and technologies involved in voting must be adequately funded and made as tamper-resistant as possible. Yet it is also essential to keep in mind that hacking the balloting system is only one path to corrupting an election.
Another, which has also received considerable attention, comes from hacking the voters themselves – presenting them with misinformation, propaganda, half-truths, and outright lies that taint their thought processes and influence their voting behavior.
As recently as September 1, The New York Times reported that the FBI had given Facebook a warning: the Russian group that interfered in the 2016 presidential election was at it again, this time using a network of fake accounts and a website set up to look like a left-wing news site. Yet that Russian group is only one of many organizations, each with its own agenda, using deception to influence the election[2].
At the end of the day, once all the campaigning and crusading and propagandizing has concluded, the electoral system’s final test comes down to the balloting process itself. Did the winning candidates receive the votes they claimed? Were individual voters systematically disenfranchised?
Nuts and bolts
The voting procedures and equipment that Americans use are so decentralized that no single solution will work everywhere to satisfy the system’s many critics. There are 50 states, more than 3,000 counties, and 8,800 election districts in the United States. Most of them bring their own unique histories involving polling place procedures, staffing, and balloting equipment to the voting process.
Such staggering levels of fragmentation are scary and almost certainly contain an assortment of security risks. Yet a 2018 bill introduced in the U.S. Senate to strengthen the voting process, called the Protecting American Votes and Elections Act, failed to receive bipartisan support[3].
In 2017, the Department of Homeland Security (DHS) designated the nation’s election infrastructure as a critical subsector. It was reported to be working with the federal Election Assistance Commission, offering technical services including cybersecurity hygiene scans, vulnerability assessments, and incident response assistance upon request. But the DHS’s resources are simply not enough to support a robust national effort.
A valuable approach to the issue includes clarifying the responsibilities of all those involved; reconciling any conflicting perspectives; establishing clear cybersecurity policies; providing education to voters, candidates, and election officials; implementing technology that provides visibility into the system; and putting an incident response plan in place.
Also, hire a regional security consultant to oversee the process. Have them create a customized election security model, patterned after those used in other critical infrastructures.
Implementing application testing protocols such as static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA) to ensure the voting machine software works correctly might make sense. And remaining vigilant about the risks of using third-party companies for development or security is always a good idea.
An all-in effort to upgrade our security needs to happen since no single voting district can do it all by itself. Establishing a rock-solid plan now is critical to the future of our elections. Trusted partnerships and industry cooperation will drive us forward in the digital world safely. Protecting the credibility of America’s election systems is essential.
About the Author
Craig Hinkley – Chief Executive Officer
Craig Hinkley joined WhiteHat Security as CEO in early 2015, bringing more than 20 years of executive leadership in the technology sector to this role. Craig is driving a customer-centric focus throughout the company and has broadened WhiteHat’s global brand and visibility beyond the application security space and security buyer, to the world of the development organization and a DevSecOps approach to application development.
Prior to joining WhiteHat Security, Craig served as vice president and general manager of the LogLogic business unit for TIBCO Software. In that role, he was responsible for global field sales and operations, client technical services, engineering, research and development, product design, and product management. Before TIBCO, he served as the general manager at Hewlett-Packard for the HP Networking Business in the Americas. Earlier in his career, Craig held positions at Cisco Systems Inc. and Bank of America. He earned a bachelor’s degree in Information Technology from the Swinburne University of Technology in Australia.
Craig can be reached on Twitter at @CraigHinkley and at our company website https://www.whitehatsec.com/.
[1] https://www.darkreading.com/risk/electoin-security-2020-how-we-should-allocate-$425m-in-funding-/a/d-id/1336885
[2] https://www.straitstimes.com/world/united-states/pro-russia-actors-pushing-more-fake-news-as-us-election-nears
[3] https://www.darkreading.com/vulnerabilities---threats/8-steps-toward-safer-elections/d/d-id/1332400