June 4, 2020

Before the Election, States Need to Test their Cybersecurity Continuously

We are now just a few short months away from the 2020 U.S. presidential election, and we know that the Russian government will try again to interfere in the election through disinformation campaigns and by manipulating electoral outcomes through cyberspace. Election systems in all 50 states were likely targeted in the 2016 election. Today the risks are higher. The United States faces a compound risk of national political and economic instability following the onset of the coronavirus and political unrest, and the Russian government knows that it has an opportunity to disrupt the U.S. democratic process with limited investment as it did in the past. 

The good news is many states and localities have invested in cybersecurity and counter-disinformation capabilities since 2016 -- including paper voting, incident management processes, and cybersecurity technologies to protect voter registration databases. Political campaigns have also invested, including through non-profit organizations that bring vendors to campaigns and political organizations. While most states and campaigns have spent to prepare for electoral interference, those that are behind will need to up their preparations immediately as the planning window for new initiatives is closing; adversaries are preparing now to conduct operations and it takes time for states and organizations to build effective security. For those that have already invested, now is the time to test and exercise for intrusion scenarios and disruptions. Resources are available to do both.

Historical Context

First, some context for where we are now. U.S. states, territories, and localities have responsibility for election security and each manages its electoral process differently. The federal government provides support to all of the states in the process, and since 2016 Congress has allocated funds to help. The Consolidated Appropriations Act of 2018 and the Consolidated Appropriations Act of 2020 distributed $380 million and $425 million respectively to the states. Funding could be used to replace paperless voting machines, conduct post-election audits, address cyber vulnerabilities in election systems, provide election officials with cybersecurity training, institute election system cybersecurity best practices, and make other improvements to the security of federal elections. Funding is insufficient for demand, however, and the federal government offers a number of no-cost resources to help states secure their electoral processes.

No Cost Federal Resources

The Department of Homeland Security (DHS) is the principal federal agency for helping the states with their election security. Under DHS, the Cybersecurity and Infrastructure Security Agency (CISA) offers a suite of services for everything from incident response to vulnerability testing to IT procurement. Electoral agencies can also join the Election Infrastructure and Information and Analysis Center (EI-ISAC) for free. The EI-ISAC gives agencies “access to an elections-focused cyber defense suite, including sector-specific threat intelligence products, incident response and remediation, threat and vulnerability monitoring, cybersecurity awareness and training products, and tools for implementing security best practices.” 

Private and non-profit organizations are also helping the states to prepare. After the 2016 election, the Harvard Kennedy School launched the Defending Digital Democracy initiative, an organization staffed by former national security leaders, bipartisan campaign managers, and technology leaders from across the United States. Through tabletop exercises and online resources, Defending Digital Democracy has helped educate every secretary of state office across the United States to prepare for incidents and improve their capabilities. The team recently published The Elections Battle Staff Playbook, which gives election officials detailed guidance to build their own operations teams.

Sporadic and Limited Risk Assessments

For penetration testing and security assessments, the federal government offers services for free to states, localities, and private organizations. It is a significant improvement that the federal government has built up CISA to support states and localities in improving their cybersecurity in advance of the election. These resources are limited, however, as the agency needs to prioritize its resources to customers on the basis of national mission needs and other considerations. The new agency notes that it is taking proactive steps and creating new services, such as remote penetration testing, to assist stakeholders with security-relevant issues -- but that problems of scale will remain, particularly under the coronavirus.

The Benefit of Continuous Testing and Validation

Amongst its suite of no-cost services, CISA offers a one-week penetration test. Yet a once-annual red-team or penetration test conducted in June is insufficient to validate cybersecurity effectiveness in October. Systems fail constantly and silently. In 2019, the Verizon Data Breach Investigations Report found that 82% of successful enterprise breaches should have been stopped by existing security controls but weren’t. Misconfigurations and failures of operational execution happen all the time, and sporadic, limited testing makes it impossible to set priorities and assure effectiveness as the election approaches. Governors cannot rely on a one-off penetration test that validates 3 of 800 assets.

In advance of the election, electoral agencies need to prepare and test their cybersecurity against known threats continuously. This practice makes security more tractable, manageable, and effective. That is why AttackIQ’s cybersecurity optimization platform tests security controls against MITRE ATT&CK tactics, techniques, and procedures. By continuously testing security controls against known threat behaviors (as frequently as they want), electoral organizations can assess their cybersecurity performance, identify security failures and gaps, and prioritize the improvements that matter most for risk management. The net result will be an overall improvement in cybersecurity effectiveness of the electoral system.

About the Author

Senior Director for Cybersecurity Strategy and Policy

Jonathan Reiber is Senior Director for Cybersecurity Strategy and Policy at AttackIQ. In this position he focuses on strategic communications, thought leadership, and content development for the firm. During President Barack Obama’s administration he served as Chief Strategy Officer for Cyber Policy in the Office of the U.S. Secretary of Defense, where he was the principal author of the 2015 Department of Defense Cyber Strategy and led key initiatives across the cyber policy portfolio. His writing has appeared in and been highlighted by Foreign Policy, Lawfare, The Atlantic Monthly, DefenseOne, The San Jose Mercury News, and Literary Hub, among others. An affiliate at UC Berkeley's Center for Long-Term Cybersecurity, he is the author of two book-length Berkeley monographs, A Public, Private War, and Asian Cybersecurity Futures. He has held writing fellowships at Berkeley, the Smith Richardson Foundation, and the Thomas J. Watson Foundation, and served as an advisor to the U.S. Cybersecurity Solarium Commission. Prior to serving as CSO for Cyber Policy, he served as Special Assistant and Speechwriter to the United States’ Deputy Secretary of Defense, Dr. Ashton B. Carter, and previously as Special Assistant to the United States' Principal Deputy Under Secretary of Defense for Policy, Dr. James N. Miller. He is a graduate of Middlebury College and The Fletcher School of Law and Diplomacy. You can follow him on Twitter at @jonathanreiber.