Challenges to Better Security in U.S. Elections: The Last Mile

Transcription

1 Challenges to Better Security in U.S. Elections: The Last Mile 2017 State Certification Testing National Conference Austin, TX June 19, Merle King, Kennesaw State University -Brian Hancock, US Elections Assistance Commission 6/19/2017 1

2 Introduction Election history is cumulative and repetitive no issue ever goes away 2000 Interpretation of voter intent and ballot design 2004 Emergence of DRES and concerns of vote tampering 2008 Voter ID 2012 Long lines 2016 Cybersecurity A quick web search of the strings cybersecurity + elections = over 12 million hits Pages, videos, blogs will be there in 2020 and beyond for rediscovery, recirculation, and interpretation by partisans, activists, and commercial interests. 6/19/2017 2

3 Challenges to Better Security in Elections Cybersecurity concerns will stalk future elections and campaigns and become part of the fact and fiction of election lore It will also become integral to election clean-up legislation and preparation State level Statute, rule revision Contracts Policies and procedures Local level Review policies and procedures for securing systems Double down on what they Know how to do Can afford to do Have time to do 6/19/2017 3

4 Challenges to Better Security in Elections Federal level Changing roles for Federal agencies like DHS and EAC Creating effective, uniform, and scalable policies at federal and state levels is not easy, but perhaps doable. Securing the last mile the domain of the local election official, may be our greatest challenge. This last mile leads from state systems to thousands of election offices scattered throughout the U.S. Security is not new to local election officials, but cybersecurity is. 6/19/2017 4

5 Challenges to Better Security in Elections LEOs are still transitioning from focus on paper-based and physical security practices to cyber-based Locks to login access Seals to encryption Paper logs to digital logs Manual audits to computerized audits Designing better cybersecurity policies for election offices begins by better understanding what makes the last mile distinctive Securing elections last mile will not be easy, cheap, or fast. 6/19/2017 5

6 The Last Mile 1. Election Administration is Distributed and Heterogeneous One federal certification authority/standards Two VSTLS Seven voting system vendors Fifty-five SVRS Hundreds of election system and service vendors Thousands of counties Ten thousand election jurisdictions Hundreds of thousands poll workers and volunteers Systems are not uniform Policies are not uniform Resources are not uniform Skill sets are not uniform 6/19/2017 6

7 The Last Mile 2. A Chain is as Strong as its Weakest Link Over 600K bridges in the U.S. If maintenance is only done where it is best afforded, then our highway infrastructure and functionality is compromised. Securing login and credential access in large, technologically sophisticated counties may not improve the overall security of our systems. Cybersecurity election vulnerabilities may be concentrated in medium to smaller counties Many elections determined by small number of votes 6/19/2017 7

8 The Last Mile 3. Follow the Law - and the Law Requires Accessibility Election officials are trained to follow vetted rules and procedures not improvise. Legal accessibility Rehabilitation Act, ADA, HAVA Political accessibility Access to polling locations, services, the ballot Last-minute introduction and implementation of cybersecurity procedures are problematic at best; impossible in many cases. Election technologies may be locked down months in advance of an election Training scope, topics, and recipients, is dictated by code, rule and practice 6/19/2017 8

9 The Last Mile 4. Static Testing in a Dynamic World Testing of voting and election systems make assumptions about the static nature of risks Long history of human-generated errors are anticipated and mitigated Tabulation Capturing voter intent L&A testing is formulaic Acceptance Testing will mirror strengths and weaknesses of certification testing 6/19/2017 9

10 The Last Mile 5. LEOS are IT Managers, But are They Cyber Warriors? LEOS are managing extensive technology portfolios but are dependent upon County IT resources Vendors State-level support Cyber Warrior An IT professional engaged in the infiltration or sabotage of IS, or the defense of IS against outside attack. Cyber Warriors typically have substantial academic preparation and persistent professional development activities Salaries in low $100K vs. low $30K for election officials The same workstation uses to validate and update SVRS records, doubles as an Amazon.com shopping portal and gallery of grandchildren photos on Facebook. 6/19/

11 The Last Mile 6. Legacy Systems are Secure Against Legacy Threats Voting Systems perform legacy functions vote capture and tabulation Innovation has not, and for the most part, cannot directly touch these core functions Cybersecurity is a goal with moving targets and moving methods to hit those targets. Testing methods must reflect the dynamic environment dictated by cyber threats Voting systems are resistant to the kinds of updates that define modern technology maintenance 6/19/

12 The Last Mile 7. There is No Downtime to Reconfigure Systems Elections are continuous, with overlapping start and stop points Many states have published election calendars but then augment with specials An election is typically 120-day event (90 days prior and 30 days post) There is no convenient downtime where systems can be pulled, updated, tested and returned to service 6/19/

13 The Last Mile 8. Election are Vendor Supported in Profound Ways The involvement of vendors in elections is deep and varied Manufacture systems hardware and software Provide support - prepare elections, L&A, conduct elections, print ballots, mail ballots Audits Support SVRS The LEO is often a manager of a portfolio of vendor contracts Vendors have built their service and QA models around the needs and resources of their customers not around more abstract goals of cybersecurity. Focus in on affordable, predictable service with attention to the needs of the LEO including confidentiality These vendors work at election speed May not have Cybersecurity DNA 6/19/

14 The Last Mile 9. Elections Move at Their Own Speed The election calendar is established by law They start as glaciers and end as raging rivers Once they begin, short of a court order, they will proceed Hardening a component, once an election begins, may not legally permissible or operationally feasible There is never a good time to address election issues you are either too early, or too late. 6/19/

15 The Last Mile 10. Elections Focus on Detection and Correction Controls Not Preventative Controls Preventative Controls methods of preventing anomalies from occurring can be expensive and require predictive knowledge. This is why your workstation malware 1) costs money, and 2) is updated frequently LEOs have traditionally relied upon paired detective and corrective controls things like broken seals. Identify that an anomaly has occurred, isolate the anomaly from the election, correct with after-event mitigation 6/19/

16 Implications for Testing 1. Election Administration is Distributed and Heterogeneous Testing is as well: Federal certification testing to VVSG. State testing to specific requirements. Local acceptance testing for RFP and jurisdictional specs. Pre & post election L&A. 6/19/

17 Implications for Testing 2. A Chain is as Strong as its Weakest Link Benefits of EAC program may be most profound in smaller counties. EAC certified systems give LEOs in the Last Mile a minimum floor and confidence that these systems have been carefully reviewed. Also provides confidence in some form of oversight and accountability for the vendor/manufacturer. Last Mile may be most useful focus of EAC work in Managing Election Technology, checklists, etc. 6/19/

18 Implications for Testing 3. Follow the Law - and the Law Requires Accessibility EAC has a long history of close cooperation with the accessibility community. Accessibility has been the greatest area of improvement in each and every iteration of the VVSG. We are striving to achieve this level of cooperation and trust in the security community 6/19/

19 Implications for Testing 4. Static Testing in a Dynamic World Remains to be seen how emerging cybersecurity threats will impact the EAC testing program. In order to counter constantly emerging (and, perhaps, unimagined) threats, our program needs to become even more flexible yet increase rigor to some degree. Prioritize testing Move towards increasing use of some form of penetration testing. We need to develop an even stronger partnership with State and local election officials. Use this conference as a springboard?? 6/19/

20 Implications for Testing 5. LEOS are IT Managers, but are They Cyber Warriors? There will always be limitations to what conformance testing will provide from a cybersecurity standpoint. Because most Leos are not cyber warriors, we will need a strong and reliable connection between the last mile, and those who are cyber warriors. EAC must cultivate Federal relationships and partnerships with the goals of voicing the opinions and needs of election officials up to DHS/FBI/NIST and keeping a line of communication on clear and actionable information open from those agencies down to the people who can use it. 6/19/

21 Implications for Testing 6. Legacy Systems are Secure Against Legacy Threats At some point, legacy systems will need to be replaced. The interval between new and obsolete systems will likely narrow even more in the coming years. Sufficient new funding is unlikely. The challenge then is how to make legacy systems future proof? Several possibilities: New functionally based standards with flexible and updatable requirements and test assertions. CDF and interoperability to provide additional new options in security and other areas. Other ideas? Future proofing may be difficult in the extreme, but replacing systems is, as well. 6/19/

22 Implications for Testing 7. There is No Downtime to Reconfigure Systems How do we balance the need for almost constant system modifications with the election calendar?? Faster modification testing process at both Federal and State level. Define/expand the use of de minimis review of engineering change orders (including software??). Provide for emergency certification process if you do not already have one. 6/19/

23 Implications for Testing 8. Election are Vendor Supported in Profound Ways Nowhere is this more true than in the last mile. Few if any current vendors have deep cybersecurity in their DNA. Treat all new vendors with care, but welcome new players who may have an incentive to break into the marketplace by providing excellent service at a reasonable cost. Best defense against being taken advantage of is knowledge: Research new companies. Call fellow election officials. Ask for their company Quality Manual. (Are they accredited to any international standards (ISO ?) 6/19/

24 Implications for Testing 9. Elections Move at Their Own Speed Which moves faster, the elections glacier or cyber-criminals? While there is never a great time to. Hard questions will be asked from multiple areas unless an attempt is made to address issues. Luckily, in many instances, procedural mitigations may be enough, at least temporarily, to continue moving along with the glacier in a responsible manner. 6/19/

25 Implications for Testing 10. Elections Focus on Detection and Correction Controls Not Preventative Controls Preventative controls should be included where possible, but traditional detection may be the best we can hope for in the near future. Let other professionals worry about what they (hopefully) do best: Let DHS provide information and resources where they can. Let the FBI catch the criminals. Keep running great elections. 6/19/

26 Future Efforts The highly distributed nature of elections and voting system deployment makes hacking voting systems difficult; It also does not prevent erosion of public confidence in systems and outcomes. The battle to secure systems is being fought on several levels: Technological working with vendors to build better, more secure, more auditable systems Operational working with states and counties to improve awareness and training of work force in order to establish a baseline of security Communication Sharing usable information in timely fashion to prepare election officials and communicate risks to public and to campaigns Social and psychological maintaining confidence in systems and processes will maintain confidence in outcomes. Transparency of process. Cyber defense Coordinated efforts between states, vendors and DHS to prevent and detect intrusion and have rapid incident response. 6/19/

27 Future Efforts Given our new reality is there a need to reevaluate the election system risk profile? NIST Cybersecurity Framework could provide outline for risk assessment and mitigation Allows IT operators to raise risks and possible mitigations to executive decision makers to make risk choices Concern from some states that it could be used as a leverage point for additional regulation from federal government Election officials are natural risk managers but may need assistance in determining new risk environment. State testing officials may be best positioned to identify and communicate new risk environment Human element still remains biggest risk in process. 6/19/

28 Conclusions and Next Steps Training of election officials at all levels especially locals Principles of IT Cybersecurity Improve the design, implementation and maintenance of election technologies with attention to security and cybersecurity Make risk based decisions based on new risk analysis of election systems Leverage vendor QA processes to better ensure security of their systems & incident response processes. Better coordination of local, state and federal efforts including improving the timeliness & distribution of intelligence to election officials Build securable systems that integrate procedures 6/19/

29 Questions and Comments? 6/20/