It has been reported that just weeks ahead of the US midterm elections, security experts are warning that America’s voting systems are still vulnerable to being hacked. Attackers could manipulate the outcome of November’s votes which will establish the support that President Trump has in Congress for the rest of his term, according to those warnings.
Tim Mackey, Senior Technical Evangelist at Synopsys:
“The 2018 DEFCON Voting Village report highlights a clear disconnect between the security of the devices delivered by vendors and security expectations we as citizens have on our voting systems. Basic best practice training we deliver to employees about setting strong passwords for accounts and IT department processes for updating software flaws in a timely manner are clearly not being followed by those designing and administering voting machines. Part of the problem lays within the process of certifying voting apparatus. In the case of the M650 identified as actively in use within the state of California, it would’ve been certified to the California Voting Systems Standards (October 2014). While the cyber-threat landscape has evolved significantly since CVSS was approved, it is clear given the age of the components used within M650 that it was designed to meet the minimum bar within the standard. Given the costs associated with certification, it’s also very likely that once any device is certified it may have a longer than expected lifespan without update – and an increasingly insecure lifespan.
It is of course easy to identify issues within critical systems like our voting infrastructure, but far harder to address them. Within industry various standards exist for the certification of security surrounding everything from credit card data to health care records. These standards have requirements for periodic reassessments and foster a climate of continuous improvement. Breaches of security within companies are routinely reported in the media and, following a breach, responsible organisations take steps to mitigate any risks or changes in threats which were identified. This process of continuous improvement needs to apply to electronic election systems used in all democratic nations. In the US, were an agency like the Department of Homeland Security or National Security Agency to be tasked with performing an annual penetration test of all voting systems, and publish the results of those assessments; the voting public would retain confidence in the process while technology providers could improve their systems armed with expert security guidance. An annual assessment would have the added benefit of depoliticizing the effort.”
Ross Rustici, Senior Director of Threat Intelligence at Cybereason:
- Make route communication between local, state and federal agencies. This will insure that when a crisis happens, all sides are coordinating effectively and conveying the same message across all levels of government.
- The ability to get ahead of the consequences is the key to stopping this type of attack. Joint task forces between state and federal resources are the only way to achieve this. But to be successful, a traditional police approach of assess, collect evidence, arrest cannot be taken. Disruptive operations is really important.
- When disinformation is being spread, the narrative needs to be controlled early. Not countering the fake social media posts as soon as they appear is a big disadvantage for the defenders. Local and state governments need staff monitoring social media and sending out messages to counter any false information that’s posted.
- There is a fundamental difference in capability between a human saboteur and a cyber one. The speed at which cyber actors can layer real world effects easily overwhelm local responders if they aren’t prepared for it.
- Election meddling is greater than the direct effects and it is often the indirect means that have the ability to do the most harm. The second and third order effects leave greater room for doubt.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.