[BreachExchange] Election Officials Must Embrace IT Personnel to Thwart the Impending Hacker Onslaught

Audrey McNeil audrey at riskbasedsecurity.com
Thu Oct 5 19:24:25 EDT 2017


http://www.routefifty.com/tech-data/2017/10/election-cybersecurity-it-personnel/141558/

State and local elections officials need to build relationships with their
government IT personnel and information security community in the wake of
Russian efforts to scan 21 state election systems for vulnerabilities last
cycle, cybersecurity experts said Wednesday at a U.S. Election Assistance
Commission roundtable.

The U.S. Department of Homeland Security officially notified the chief
election officials in those states on Sept. 22 that they had been targeted
by hackers, although news of the cyberattacks was leaked in June.

The National Association of Secretaries of State subsequently said that no
election systems were compromised.

“Up until the beginning of 2016, the elections environment seemed like a
pristine meadow with a bunch of rabbits hopping around, and I think what we
see now is some wolves in that meadow,” said Joe Lorenzo Hall, Center for
Democracy and Technology chief technologist on its Internet Architecture
project. “And there are some deep holes in that meadow—things that are out
to get you but also things you can stumble into that unfortunately cause
problems.”

Nation-states are increasingly targeting U.S. elections systems seeking
both intelligence and to undermine the credibility of the process, said Ben
Spear, Multi-State Information Sharing and Analysis Center senior
intelligence analyst, but more traditional cyber criminals are interested
in elections as well. That makes information sharing critical.

But cybersecurity is often a zero-sum game, where focusing on shoring up
elections systems forces cash-strapped jurisdictions, absent grants, to
pull funds from other areas.

Officials in the city and county of Denver, including CIO Scott Cardenas
and Elections Director Amber McReynolds, have overseen a new partnership
intended to foment a culture of securing elections. Both entities committed
themselves to a framework and embraced a “freeze window,” where the city
freezes technology around the election system to allow for easier patching
and securing of assets.

“When it comes to hackers you have to think in terms of an ongoing arms
race, which is not very comforting to people in elections,” Lorenzo Hall
said.

Any IT that is used needs to be accounted for in threat modeling, he added.

Spear stressed the importance of maintaining logs, tracking features within
them for anomalies and collecting as much information as possible to be
stored for at least 90 days, though some cases he’s dealt with have gone
back more than a year.

“Don’t be so full of pride that you don’t want to bring anyone into your
house,” said Tom Connolly, New York State Board of Elections director of
operations, to fellow elections officials.

CDT uses white hat hackers, the good ones, to prepare for the worst black
hat hackers whenever possible.

Meanwhile, New York’s elections board has already embarked on a number of
outside partnerships. Google’s Project Shield balances loads when a large
number of users flood the board’s site to check returns, and if they
haven’t been updated, a copy of the current tally is provided. More
importantly, Project Shield protects against distributed denial of service
attacks that could prevent users from accessing returns entirely—casting
doubt on the process.

The board also provided information on poll site locations to the Voting
Information Project so that there would be redundant data available should
a hacker crash their election system.

“It’s important to have those redundancies built into the process,”
Connolly said.

Government IT and elections officials should be thinking about the “attack
surface,” what infrastructure to protect in other words, and run through
scenarios such as what they would do in the event a ransomware attack shut
down their poll worker model or an undetectable change was made somewhere,
Lorenzo Hall said.

McReynolds worries about a scenario in which local election returns don’t
match state or national returns—a chaotic event. Groups like the Election
Verification Network provide cyber checklists that give all stakeholders an
idea of what to plan against.

“I’m a big supporter of the critical infrastructure designation,” she said,
referring to the Obama administration's January designation of election
systems—opposed by NASS as a broad federal overreach.

But McReynolds applauded it because it’s opened the door for partnerships
between governments and the infosec community.

“Find out who your local IT guy is,” Connolly said. “Become their new best
friend.”