Since the 2016 election, numerous reports have cited concerns of vulnerabilities in the voting ecosystem, detailing attempts by nation states such as Russia to exploit election cybersecurity systems with pervasive cyberattacks. To assist in securing the critical infrastructure and preventing cyberattacks, Congress provided federal funding under the recent 2018 Consolidated Appropriations Act Election Reform Program, authorized by the 2002 Help America Vote Act (HAVA). This funding grants states additional resources to make improvements in election cybersecurity.
Failure to improve election cybersecurity will only perpetuate future cyberattacks, which will lower voter confidence in the democratic process and have a potential impact on voter turnout.
Now, more than ever, election security officials need to revisit the security of their election systems to leverage this newfound funding and better secure the human element that often causes cyberattacks. While the cyberattack surface of election systems is diverse due to the more than 8,000 jurisdictions in counties, states, and cities that maintain election infrastructure, there is one constant in the elections security system that can be leveraged—humans. With individuals and teams informing the entire voting process from casting votes, to tabulating results, to reporting outcomes and auditing, humans are a key part in managing and directing both digital and manual processes. If cyber teams can be better trained to understand how to stop cyberattacks from hackers using their own tools in emulated environments, the state of election cybersecurity will be greatly improved.
We’ve detailed three ways for election security officials to upskill their cybersecurity teams in spite of the variability in equipment and process.
Adopt a continuous learning approach to election cybersecurity
We’ve talked at length about the benefits of a continuous learning approach, and there’s a reason for it—if cyber teams cannot keep pace with evolving adversary techniques and tactics, they won’t know how to stop them from causing mass damage. Continuously learning new skills and more efficient ways to prevent cyberattacks will help everyone be better prepared.
Unfortunately, there have been documented instances of untrained personnel who have knowingly and unknowingly jeopardized the security of elections thus far. Notably, one of the first cryptic signs of cyberespionage came when a Democratic National Committee (DNC) help desk contractor ignored repeated calls from the FBI, which was reporting a computer system hack conducted by a Russian group referred to as “the Dukes28.” The article notes the contractor “was no expert in cyberattacks,” and couldn’t differentiate the call from a prank call.
Fortunately, with the passing of the Election Reform Program, now is the time for election cybersecurity professionals to dedicate the resources necessary to address all aspects of cybersecurity that affect a strong cyber posture. This includes having the proper equipment and security protocols in place, employing a trained team who can identify and combat threats quickly, deploying cyber resilience when attacks do occur, and much more.
Analyze previous attacks to understand adversary techniques
It is insufficient to solely analyze the specific cyberattacks from the past few years, but it is still important to see and understand the tactics and vulnerabilities exploited, particularly since voting machines are not upgraded often. Two cyberattack groups, Fancy Bear and Cozy Bear, are worth investigating further since their methods have been analyzed in detail already. From fake personas used to deliver stolen emails and documents to journalists, to the group’s use of malware and spear-phishing, adversaries were able to access an operational infrastructure, implant the agent and encrypt communication to silently exfiltrate data remotely.
Understanding adversary techniques like this can inform how cyber teams train for future cyberattacks. Election officials can begin to assess the skill level of their teams and all involved in the election process to get a sense of their capabilities and how they would approach a “Cozy Bear 2.0” for instance.
Participate in/host Table Top Exercises and Live Fire Exercises
Recently, Circadence used its Project Ares platform to help the City of Houston simulate a realistic cyberattack exercise to help public and private entities better prepare for an attack scenario. Emergency response simulated a cyberattack on transportation, energy, water, and government sectors while senior leaders worked directly with technical professionals to develop timely responses.
This type of collaborative approach should be undertaken in every voting jurisdiction. There will always be risks, but cities and counties are realizing that the key is getting ahead of the cyberattack and developing policies and procedures through realistic virtual environments to handle it. Running through these cyber exercises with multiple players helps leaders see apparent gaps in offensive and defensive techniques, while reaffirming the practices that must take place to secure any type of infrastructure.
As election security officials plan for new ways to leverage the HAVA Election Security Fund to improve processes, they will be pressed with justifying such expenditures while also demonstrating that said security measures have indeed improved. The above recommendations will make elections safer and likely contribute to the restoration of public confidence in our democratic process. The more focus election security officials place on upskilling their cyber teams with 1) continuous learning approaches, 2) analyzing past cyberattack methods, and 3) participating in realistic training events, the more effectively they lessen human error as a dominant source of cyberattacks.