Conversations around election cybersecurity have gone mainstream. Much of those discussions focus largely on voting machines and known security flaws that hackers can use to compromise the technology. But that’s only a fraction of the larger issue.
“To ensure the security and integrity of our elections, the focus must be on the IT infrastructure that supports and runs our democracy, rather than exclusively on voting machines themselves,” said Tod Beardsley, Research Director at Rapid7. It’s an issue that’s top of mind for Rapid7, which offers a suite of solutions, including 24/7 threat detection and incident response and penetration testing. The focus is to help teams secure their environments and build out their programs in alignment with industry standards.
Today, as a pandemic rages across the globe, government agencies are exploring alternatives to in-person voting to promote social distancing. Even still, cybersecurity must remain an integral part of the conversation.
Beardsley outlined key issues around election security that should be top of mind for agencies.
1. Lack of planning and execution today for whatever comes.
Election Day isn’t far off, and there’s still a fair amount of coordinating and planning that must take place. “We have over 8,000 voting districts in the U.S., and I am not confident that we are doing enough to secure the election, both in a cyber and a public health way, to meet this deadline,” Beardsley said.
What’s at stake is the same old second-order problems we’ve seen. Voter information websites and databases continue to operate on rickety, poorlymaintained software, especially in low-population districts, he said.
2. Experimental internet voting platforms.
Beardsley believes that internet voting will be possible, but 2020 is not the time to roll it out. The reason? The applications on the market today are grossly insecure and have some severe availability problems in production.
“Absentee balloting seems to be the best possible option, but this turns out to be, bizarrely, partisan,” he said. “To be clear: Vote by mail does ruin the tradition of a secret ballot for many people, but the trade-off seems to be worth it to ensure reasonable levels of participation.”
3. Low turnout means a greater return for attackers.
Attackers who seek to disrupt the vote will fare better when fewer legitimate voters show up.
“High turnout would tend to suppress the actions of a few attackers, no matter how successful the attacks are,” Beardsley said.
His team works with agencies to secure their environments by proactively monitoring their networks and devices or by implementing technologies and processes. The goal is to help agencies quickly respond when a breach occurs and assist them in a variety of ways.
Ultimately, agencies must be on guard and prepared to ensure the integrity of our nation’s elections.
This article is an excerpt from GovLoop’s recent report, “CIO Perspectives: A New Vision for the Government Workplace.” Download the full report here.