Voting is the crux of what we refer to as an American Democracy. Since the 2016 elections in the United States, numerous reports have cited concerns of vulnerabilities in the voting ecosystem, detailing attempts of foreign interference by organizations such as the Russian government to exploit election results with pervasive cyber attacks.
To assist in securing critical infrastructure and preventing cyber attacks, Congress provided federal funding under the recent 2018 Consolidated Appropriations Act Election Reform Program, authorized by the 2002 Help America Vote Act (HAVA) . This funding grants states additional resources to make improvements in election cybersecurity. Failure to negate election interference will only perpetuate future cyber attacks, which will lower voter confidence in the democratic process and impact on voter turnout.
Now more than ever, election security officials need to revisit their voting systems to leverage this newfound funding and better secure the human element that often causes cyberattacks. While the cyber attack surface of election systems is extensive due to the more than 8,000 jurisdictions in counties, states, and cities that maintain election infrastructure, there is one constant in the elections security system that can be leveraged—humans. With individuals and teams informing the entire voting process from voter registration to casting votes to reporting outcomes and auditing, humans are a key part in managing and directing both digital and manual processes.
If election security professionals can be better trained to understand how to stop cyber attacks using their own tools in emulated environments, the state of election cybersecurity will be greatly improved.
We’ve detailed three ways for election security officials to upskill their cybersecurity teams in spite of the variability in equipment and process.
Adopt a Continuous Learning Approach to Election Cybersecurity
In previous Circadence blogs, we’ve shared the benefits of a continuous learning approach , and there’s a reason for it—if cyber teams cannot keep pace with evolving adversary techniques and tactics, they won’t know how to stop them from causing mass damage. Learning basic cyber skills as well as how adversaries are using social engineering to influence election campaigns will help state, local and government election officials be better prepared to identify and respond to cyber attacks on voting systems.
Unfortunately, there have been documented instances of untrained personnel who have knowingly and unknowingly jeopardized the security of elections thus far. Notably, one of the first cryptic signs of cyberespionage came when a Democratic National Committee (DNC) help desk contractor ignored repeated calls from the FBI who were reporting a cyber threat from a computer system hack conducted by a Russian group referred to as “the Dukes28.” The article notes the contractor “was no expert in cyber attacks,” and couldn’t differentiate the call from a prank call.
Fortunately, with the passing of the Election Reform Program, now is the time for election cybersecurity professionals to dedicate the resources necessary to address all aspects of cybersecurity that affect a strong cyber posture. This includes:
- having the proper equipment and security protocols in place
- employing a trained team who can identify and combat threats quickly
- deployment of cyber resilience when attacks do occur, and much more.
Analyze Previous Attacks to Understand Adversary Techniques
It is insufficient to solely analyze the specific cyber attacks from the past few years, but it is still important to see and understand the tactics and vulnerabilities exploited, particularly since electronic voting machines are not upgraded often. Two cyber attack groups, Fancy Bear and Cozy Bear are worth investigating further since their methods have been analyzed in detail already. From using fake personas to deliver stolen emails and documents to journalists, to the use of malware and spear-phishing, adversaries were able to access an operational infrastructure, implant the agent and encrypt communication to silently exfiltrate data remotely.
Understanding adversary techniques like this can inform how cyber teams train for future cyber attacks. Election officials can begin to assess the skill level of their teams and all involved in the election process to get a sense of their capabilities and how they would approach a “Cozy Bear 2.0” for instance.
Participate In or Host Tabletop and Live Fire Exercises
Recently, Circadence used its Project Ares platform to help the City of Houston simulate a realistic cyber attack exercise to help public and private entities better prepare for an attack scenario. Emergency response simulated a cyber attack on transportation, energy, water, and government sectors while senior leaders worked directly with technical professionals to develop timely responses. This type of collaborative approach could be undertaken in every voting jurisdiction to test election systems.
There will always be risks, but cities and counties are realizing that the key is getting ahead of the cyber attack and to develop effective cyber readiness policies and procedures, realistic virtual training environments can help. Running through these cyber exercises with multiple players helps leaders see apparent gaps in offensive and defensive techniques while reaffirming the practices that must take place to secure any type of infrastructure.
As election security officials plan for new ways to leverage the HAVA Election Security Fund to improve processes, they will be pressed with justifying expenditures while also demonstrating that said security measures have indeed improved. The above recommendations will make elections safer and likely contribute to the restoration of public confidence in our democratic process.
The more focus election security officials place on upskilling their cyber teams with 1) continuous learning approaches, 2) analyzing past cyber attack methods, and 3) participating in realistic training events, the more effectively they reduce human error as a dominant source of cyber attacks.