(Tim Evanson/flickr)

A Zero-Trust Security Approach to Better Protect American Elections

Our democracy was founded on the principle of voting and its importance. What we know today as an American right granted on our 18th birthday was once only privileged to a select group. It was through immense reform that these rights were granted to more people. But the political landscape and media engagement dynamics of just the past 5 to 10 years has lit a fire under many Americans to reclaim their interest in the democratic process. Experts predict 156 million people could vote in 2020, up from 139 million in 2016 – and the voters will be more diverse than ever, according to some forecasts.

Yet, election integrity has never been more vulnerable.

While there are still discrepancies regarding who, what, why and how foreign interference occurred in the 2016 presidential election, it’s hard to ignore the headlines that paint such a picture. And already in 2020, voter registration technology and reporting systems prevented Iowa’s caucus from declaring a definite winner for several days (the New York Times even reported inconsistencies they found on Feb. 14, 2020).

In addition to voting infrastructure, social media was widely reported on and recognized as untrustworthy in the 2016 election. We can’t talk social media meddling without mentioning Cambridge Analytica, which allegedly took 50 million Americans’ personal information to deliver targeted political ads. Facebook, perhaps the leader in enabling misinformation to voters through microtargeting of often untruthful political ads, has reaffirmed its freewheeling policy ahead of the 2020 election. It said in January that it won’t ban political ads, won’t fact-check them, won’t take down confirmed inaccurate and misleading ads, and won’t limit how they can be targeted to specific groups of people, reports the Associated Press.

Why does this anger so many U.S. citizens? Is it because we’re afraid our information was stolen by a nation-state entity? Is it because we believe social media giants are tracking our every move? Not quite. The worries are rooted much deeper: We need to know that our vote is not only kept confidential, but that it actually counts. Due to the polarizing concerns around the 2016 election, the media bombardment about Russian interference, Cambridge Analytica and the recent Iowa caucus challenges, some Americans are questioning whether they trust the electoral process and the democratic system itself.

Inconsistencies Create Vulnerabilities

As we witnessed with the 2020 Iowa Democratic Caucus, disparate state voting systems bring up a very unique set of problems. A move away from paper and toward entirely app-based methods of collecting valuable votes is leaving states vulnerable to cyberattacks and contributing to the complexity of our election security problem. When an attacker only needs to find one weakness to compromise an entire system, complexity becomes the enemy of security. As a security professional, it’s disappointing to know that there are 13 states that don’t have a statutory requirement for voting machines to have a paper trail. We have a setup where different jurisdictions in America are approaching elections and election security differently (entirely paper-based, entirely application-based and many are somewhere in the middle). This complexity means an endless number of things to check and potential gaps to protect. If you’re a threat actor, such as a nation-state, hoping to skew the results of a national election, potentially all you would need to do is to target a select group of critical counties in a handful of swing states to flip the entire outcome.

The Argument for an Open Source Approach

We’ve seen what disparate voting systems across states can do to the integrity of an election, but many people wonder whether an open source approach could improve the security of elections. From a technical perspective, perhaps one of the easiest ways to improve the integrity of elections would be to standardize on and open source the software and cryptography associated with elections. When the software and cryptography are able to be validated by the whole world, security is likely to improve significantly.

But open sourcing the software, cryptography and process components of the entire system still does not allow the election itself to be validated, it simply reduces risk. If we wanted to allow the election itself to be validated, to build trust in the process itself, perhaps the easiest way would be to move to a “one person, one vote” model and to remove confidentiality from the system – i.e., to open source the votes themselves.

While open sourcing the voting is likely politically impossible in the near term, and likely immensely unpopular, it would allow people to verify their own vote was recorded correctly and to run their own computations on voter counts at a town, county, state or federal level.

In security, we often repeat the mantra “trust but verify.” Currently, though, when it comes to elections, it’s all about trust.

While this approach may not be politically viable anytime soon, this type of process would serve as a way to guarantee viability of the election process – we could verify the system and verify any vote at any time.

Election security is a clear case where it’s in the best interest of all parties involved for the private and public sectors to collaborate. The current public sector procurement process could be dramatically improved if there were simply more vendors in the pool. But because the requirement to work with government agencies can be tedious, especially for smaller vendors, the vendors with the latest technologies are often left out of the selection process. This can be a detriment to public-sector agencies.

Fortunately, there are improvements being made. Organizations like the United States Air Force have been very vocal about promoting DevSecOps and open-source technologies. Programs like InfraGard have been evolving over the years and have become critical to improving national security. This partnership between the FBI and the private sector is opening up seamless public-private collaboration with government agencies. It promotes timely exchange of information and mutual learning opportunities relevant to the protection of things that secure our nation. This is not outsourcing development and security to a third party. This is working alongside government agencies to design and implement an effective security model for elections.

Public-private partnership programs are critical to securing our elections and our democracy. Ideally, over time, these programs will further allow our federal, state and local governments to work with experts from different industries to align on a system that protects applications within the voting system itself.

Protecting Voter Data

What organizations have learned over the past decade is that the high-profile data breaches would not have been prevented solely by improving their perimeter security defenses. The data breaches we see repeated time and again in the news cycle tend to relate to application security vulnerabilities (both known and unknown), phishing attacks and configuration errors. Organizations have learned that they cannot simply rely solely on firewalls and other forms of network-based perimeter security. Organizations need to prioritize protection of their data and applications. This gives rise to frameworks such as zero-trust security due to the elimination of the perimeter. This is the direction the industry ought to take and it is good to see organizations moving in this direction. On the application security side of things, we can also implement extensive application security testing solutions — such as static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA) — throughout the software development lifecycle. Investing in an application security program and integrating application security into the software development lifecycle (SDLC) would reduce the chance that exploitable vulnerabilities are exploited in production applications.

Ensuring votes are counted accurately and honestly is the only way to protect the democratic process of the 2020 election and elections in the coming years. While protecting data is important, defending democracy supersedes that. If for some reason the 2020 election results are widely questioned, the cultural impact of not being able to trust this year’s election results will have long-lasting effects. This has already happened in Iowa with Democratic Party officials discussing changes to future caucuses. Collaboration between government agencies and the private sector will allow our country to develop a more secure voting process. And taking a zero-trust security approach will ensure better protection of Americans’ voices.

(Visited 183 times, 1 visits today)

Anthony Bettini is the Chief Technology Officer for WhiteHat Security. Previously, Anthony ran Tenable Research where he joined via Tenable’s acquisition of FlawCheck – a leading Container Security startup where Anthony was the Founder and CEO. Before FlawCheck and Tenable, Anthony was the Founder and CEO of Appthority, a leading Mobile Security startup and winner of the “Most Innovative Company of the Year” award at the RSA Conference. Anthony led Appthority to successful acquisition by Symantec in 2018. Here at WhiteHat, Anthony leads product management and development, engineering and threat research.

Leave a Reply

Latest from Cybersecurity

Like HSToday?  Want to Keep the News, Commentary, and Practitioner Insights Coming? The COVID emergency has hit us hard and as a non-profit 501(c)(6) we are ineligible for any relief.

Please support us with a donation of $5 so we don't need to lay anyone off!

Thank you in advance for your consideration!

DONATE NOW
Go to Top
X
X