Ms. Voting Matters offers a summation of internal leadership discussion, led by Eddie Perez, our Global Director of Technology Development on the imperative topic of evolving election technology security based on the issues of testing and certification. This is a longer article, but we think worth the read.
The Expanding Scope of Election Security – Voter Registration and Network-Connected Systems
On an almost daily basis, there is mounting evidence that the scope of “election security” is wider than might appear at first blush. While much attention has been paid to “voting machines” and “voting systems” that capture and tabulate votes, there is growing awareness that other types of election-related software infrastructure are even more vulnerable than (usually) air-gapped voting systems, by virtue of being network-connected: specifically, voter registration (VR) systems and Election Night Reporting (ENR) systems (which display results over the web, but which do not tabulate votes) have been found to be especially vulnerable.
NOTE: To be clear, even air-gapped machinery is vulnerable when one considers the insidious nature of physical delivery vectors such as USB sticks (think: STUXNET). Nonetheless, network connectivity for systems serving other aspects of election administration (and not ballot casting or counting) can pose a serious risk, and those systems using such capabilities require considerable (and regular) pen-testing.
The recently-released Mueller Report determined that the Russian GRU infiltrated the Illinois State Board of Elections web site in June/July 2016 and reviewed approximately 80,000 voter registration records; the report also indicates that the Federal Bureau of Investigation (FBI) believes that Russia penetrated the IT network of “at least one Florida County.” And finally, in March, the Department of Homeland Security (DHS) and the FBI issued a Joint Intelligence Bulletin (JIB) to state and local authorities which confirmed that that the Russian reconnaissance and hacking efforts in advance of the 2016 election went well beyond the 21 states confirmed in previous reports. According to the bulletin, "The FBI and DHS assess that Russian government cyber actors probably conducted research and reconnaissance against all US states’ election networks leading up to the 2016 Presidential elections [emphasis added]." Needless to say, whether such attacks are actually successful or not in compromising the integrity of voter registration records, even the possibility that one’s eligibility to vote could be thwarted by a corrupt actor can undermine public faith in the legitimacy of election outcomes.
Early Federal Steps Toward A Broader View on Cybersecurity
In light of cyber-attacks like these, as the nation bolsters its cybersecurity defenses, new standards and security procedures will be necessary for a variety of network-connected election systems, including voter registration, election night reporting, and e-poll book systems, as these currently fall outside the scope of the federal certification program for voting systems (i.e. the U.S. Election Assistance Commission’s testing for compliance with the Voluntary Voting System Guidelines).
Thankfully, the importance of expanding the nation’s cybersecurity focus beyond voting systems has reached the halls of Congress. For example, Senator Ron Wyden’s (D-OR) ‘‘Protecting American Votes and Elections Act of 2019’’ (PAVE) is a strong, comprehensive, and pragmatic election security bill currently being drafted in Congress. Notably, in addition to requiring durable paper ballots and risk-limiting audits for federal elections, the PAVE Act recognizes the changing landscape by envisioning a new cybersecurity testing role for DHS -- and its requirements encompass not only voting systems, but also Voter Registration systems, Election Night Reporting, and Digital (electronic) Poll Books.
As the PAVE Bill illustrates, recognizing the wider scope of the cyber-threat landscape is undoubtedly a critical first step, and is laudable. After that first step, however, things start to get complicated, quickly. Why? Because deciding “what” we need to protect is almost certainly easier than figuring out “how” to devise federal institutions and programs that can perform effective testing and certification of technologies that have not previously been addressed under current federal certification programs.
OSET Institute Advice: Sweat the Details, Because Process is All-Important
In light of these recent efforts to “do more” and “protect more,” the OSET Institute’s message to legislators is a modest one:
Proceed cautiously, and do not assume that simply “parceling things out” between DHS and the EAC will be easy or straightforward.
If there’s one thing that we’ve learned since the Help America Vote Act (HAVA) was enacted in 2002, thereby creating the Elections Assistance Commission (EAC), it’s this: creating federal standards (for any kind of technology) is only the first step; the unique institutional implementation of testing and certification programs is at least as impactful -- if not more impactful -- that the standards themselves. Again, “how” can be more consequential than “what.” The devil is in the details.
For the same reasons, any efforts to expand federal testing and certification programs should also be considered evolutionary – in other words, different technologies and different requirements will likely require programs very different from the ones we are familiar with today. While it is perhaps natural for legislators to think, “give this task to the EAC,” or “give this task to DHS,” and then simply assume that new needs can be assimilated to current procedures, the OSET Institute recommends that new programs be devised thoughtfully and methodically, with fresh eyes.
Today’s EAC program and EAC resources are almost certainly not adequate or appropriate for cybersecurity testing of network-connected systems like VR systems, ENR systems, and electronic poll books. These technologies have an operating environment that is very different from voting systems, with different technical requirements, and the EAC has relatively limited experience with them. Conversely, while DHS has core competencies and resources devoted to cybersecurity for high-assurance systems (in a way that the EAC and current EAC-accredited VSTLs do not), DHS’s institutional capacities and domain knowledge associated specifically with elections are currently more modest, by virtue of becoming significantly active in this sector only recently (i.e. since 2016). We note that the EAC’s recent acquisitions of professionals with election administration experience and talents bodes well for this to evolve.
For all of these reasons, the OSET Institute believes that an approach that simply amends HAVA, preserving many of the testing and program assumptions applicable to voting systems, and “adding on” new requirements for the EAC and DHS to address cybersecurity vulnerabilities in new types of election-related technologies are likely to exacerbate shortcomings in the current program.
In addition, adding a new layer of complexity and potential friction to current practices will pose new challenges for voting system manufacturers and election officials alike, as they will be required to traverse two sets of potentially overlapping, redundant, or conflicting requirements. The election technology marketplace has already been distorted by the cost and complexity of one federal election technology certification program; simply adding more on top of it (or in competition with it) could make those unintended consequences even worse.
Despite the fact that current EAC and DHS programs provide no easy roadmap for the expansion of cybersecurity standards for VR systems and other network-connected elections-related software, the Help America Vote Act (HAVA) can still be a useful model for the kinds of programmatic questions that legislators should focus on to develop new testing and certification programs in the future. Specifically, it is instructive that all of HAVA’s Title II – a long 32-page section of the Act, with 4 Sub-Titles, constituting approximately half of HAVA’s total pages – is devoted solely to fundamental topics about the EAC’s creation, organization, duties, and procedures. This section of HAVA can be a useful model for thinking through the institutional and programmatic aspects of how best to allocate testing and certification responsibilities in the future. Among the important questions HAVA’s Title II addresses are:
How is the testing and certification body established?
What is its membership, and who is qualified to be a member?
What are its duties?
What are its powers?
Who is responsible for providing technical guidelines and relevant functional requirements?
What is the process by which requirements are adopted?
What is the process by which requirements can be modified?
What types of laboratories or third parties are qualified to perform testing and certification?
How are third-party testing labs accredited?
To be clear: the OSET Institute believes that the changing cyberthreat landscape requires new testing and certification programs that answer the kinds of questions above. And we strongly caution that the answer to these questions is not simply, “What HAVA said,” or “What the EAC said.”
Creating standards for VR systems, Digital Poll Books, and ENR systems, and devising new cybersecurity requirements not just for these but also for Voting Systems, is new territory. Accordingly, it requires new and different institutional responses, which should be crafted thoughtfully and methodically.
Recommendations For Going Forward
The national security imperative to bolster cybersecurity for an expanding scope of election-related infrastructure represents a pivotal point in ensuring high-confidence elections in a rapidly-changing global environment.
In order for election administrators to meet future challenges, legislators, the EAC, DHS and other stakeholders must continue to evolve and critically re-assess existing federal certification processes. A major objective is ensuring that high-quality voting technology can be certified at a faster pace, by testing authorities with increasingly specialized qualifications, at reasonable costs that are affordable for large and small jurisdictions alike.
In a recent blog post by Eddie Perez our Global Director of Technology Development, he expresses the Institute’s belief that continued agility and adaptability in protecting election infrastructure depends on a 3-part focus:
A more flexible definition of “voting system”;
Component-level certification; and
Support for more rapid changes to election technology, at a pace faster than the last two decades have seen.
One point about that 3rd element: The Institute’s position from the beginning has been that election technology is a backwater of government I.T., and innovation for a variety of market dynamics reasons has not been its strong suit. However, post 2016 there can be no doubt any longer that election technology must adapt, evolve, and innovate far more rapidly in order to keep pace with what essentially is a digital arms race. For the most part, where network (or cloud) enabled services are involved the focus may be more on the configuration and deployment elements, but regardless, protecting election administration technology infrastructure requires the ability for the testing and certification aspects to become more agile and responsive to a shortening cycle time for innovations.
Accordingly, the combination of new allowances for component-level EAC certification, in conjunction with DHS oversight of cybersecurity testing (entirely separate from testing for VVSG-compliance) could be a good first step in the right direction.
Compared to the daunting task of creating end-to-end security for an entire system of systems in 2019 or 2020, focusing on cybersecurity requirements for individual components is a far more tractable problem that can be worked on much more quickly, with faster results.
Furthermore, the Institute believes that component-level cybersecurity testing will be most effective if paid for by DHS, unlike the current EAC testing program, which can create conflicts of interest because voting system vendors pay the fees of the VSTLs that perform compliance testing.
Consider this: Rather than relying on EAC-accredited VSTLs, which do not have a core competency in high-assurance cybersecurity, DHS could, for example, rely on laboratories accredited by the National Information Assurance Partnership (NIAP), which is a partnership between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). In the U.S., NIAP is responsible for implementing the internationally-recognized Common Criteria Recognition Arrangement (CCRA), which is a framework by which government, military and other users can specify their security functional and assurance requirements through the use of protection profiles. Vendors can then implement and/or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. This combination of component-level certification and alternative laboratories accredited through NIAP is just one example of how federal certification programs for election-related technologies could evolve.
Whatever form testing and certification programs might take going forward, this much is clear: they need to be planned carefully, and it should not simply be assumed that HAVA, the EAC, or past practices will provide guideposts to the road that lies ahead.
In any event, the tough work of evolving and adapting is just getting started.