Elections have evolved over the past decade, traditionally being supported primarily through elaborate processes and procedures. These relatively manual processes and procedures have historically provided a fundamentally trustworthy method to determine our state, local and national representatives. Eventually, technological advancements have surfaced that offset the inefficiencies and security challenges posed by traditional manual processes. Over time, the trustworthiness of these more automated advancements has also come under scrutiny due to technical limitations, vulnerabilities and the lack of compensating controls.
In the early pre-technology stages, election integrity was questioned due to topics such as “hanging chads”, which disrupted the election activities in the 2000 election between candidates Bush and Gore, requiring a recount in three districts and costing more than $4.3 million. By the 2006 election, much of the manual integrity issues were obsolete due to the inception of technology advancements and the use of various forms of voting enhancements. Even with these improvements, the integrity of the voting equipment used to automate many of the election processes and offset the risks imposed by manual means were again being questioned, and almost disrupted the 2006 Maryland Primary. During that election, a researcher from Johns Hopkins University named Avi Rubin uncovered vulnerabilities in the Diebold voting system, which placed the integrity of voting in jeopardy. Today, the topic of election integrity still persists with a new focus that includes nation state tampering, voting machine vulnerabilities, and overall process deficiencies.
In Part Two of our FireEye Success Story: Solutions and Strategies for Elections blog series, we take a look at the first stage in the election lifecycle and identify the types of actions state and local governments must take to prepare for primary and special elections – and to ensure the integrity of those elections.
In the first blog submission in our series, we introduced the three stages of the election lifecycle and identified the ways election providers must protect their assets and data within each stage in the process. As we indicated, the activities state and local boards of election must take represent a cyclical and ongoing process to ensure that the controls, processes and infrastructure are continuously assessed and updated to account for new and evolving threats as they emerge. One challenge we have observed is the inconsistencies in these activities throughout the country due to the disparate ways state and local entities are organized, managed and operated as they relate to elections. In some states, the state owns the agency, resources and processes related to elections. In others, these are operated at the local government levels, and resources, capabilities and processes are distributed and inconsistent. One common observation FireEye Mandiant has identified among most election boards is the lack of technical focus applied to cyber security.
As such, most Boards of Election remain focused on operational process efficiency rather than cyber risk mitigation. One reason for this pertains to the overall mission held by various Boards of Election, and the cyclical requirements for their use. Think about the complexities surrounding an organization whose primary role is to successfully provide a capability for voters to submit their selection for political candidates once every four years. Next, consider that those same tools, processes and resources will be utilized periodically over that four-year cycle in support of various visible activities for candidate selections throughout the year. Finally, consider that dedicated staffing for these types of cyclical organizations can rarely justify subject matter experts in areas such as information security. Unlike most networks and infrastructure, these networks get “spun up” when necessary, stored when not being used, and upgraded infrequently. Most personnel who support election activities are typically volunteer workers who are “spun up” as needed with little vetting of background, capabilities or intention. So, how are agencies expected to safeguard data from issues relating to confidentiality, integrity and availability in such a unique and dynamic environment?
In this first stage in the election lifecycle, organizations responsible for providing a platform and capabilities for voters to securely submit their selections for political candidates must focus efforts on ensuring that the data utilized for elections upholds the integrity of the election and voting process. A good first step is to ensure the integrity of the personnel assisting in the voting process. Proper vetting and pre-qualification should be performed for election support staff. Another important factor to consider is the integrity of the voter registration data. Improper vetting of registrants allows non-authorized submissions in the voting process.
Additionally, the architecture utilized to host voting systems requires segmentation of these systems to ensure the integrity of the data within. Architectural considerations should separate the requirements in the voting process data transfer systems, ballot systems, vote collection systems, and tallying systems. In addition, having a solution such as FireEye Endpoint Security that provides protection on all capable devices to include registration devices (e.g., tablets), workstations for business operations, and servers supporting transferring of files and other business functions surrounding the election will provide the visibility and integrity needed to support the election process. This architectural separation and infrastructure visibility will help ensure the integrity of the election processes, especially given the temporary and voluntary status of much of the supportive workforce.
Now that data confidentiality is assured, how will we ensure the integrity and availability of the data? The answer lies in the use of Intelligence. Using Intelligence to develop a comprehensive Threat Profile will allow a Board of Elections to better identify relevant threats, assets most likely to be targeted, various motivators, and specific tactics that may be used to exploit the processes, people and assets associated with election activities. Once a Threat Profile is established, specific criteria should be developed that can be leveraged for ongoing open source intelligence gathering relating to the threats, motivators, targeted assets, and techniques used throughout the election cycle. These criteria form the basis for the searches, which will be used to scour the internet, social media, and news articles for indications of potential exploit. By doing this, early indicators can be discovered, allowing for a proactive response and hopefully minimizing the potential for impact.
The next focus area for pre-election preparation activities that Mandiant recommends relates to what is referred to as Proactive Services. Proactive Services will ensure that the infrastructure is managed, maintained and operated in a secure and risk averse fashion. These services consist of activities such as ensuring that supply chain vulnerabilities are monitored so that voting devices are not vulnerable. Additionally, Red Teaming experts can be employed to determine which vulnerabilities and systems are exploitable by identifying security gaps using various tactics and techniques. These, along with simulated tabletop exercises, allow the elections stakeholders to assess the effectiveness of their operational processes for discovering, responding to and mitigating these exploits, and better prepare for events that may occur during an election. Finally, a Compromise Assessment can be performed to ensure that an unidentified breach has not already occurred, improving the voter’s confidence in the integrity of the infrastructure. By utilizing Proactive Services, Boards of Election can ensure that infrastructure is effectively secured from potential exploit. This will further reduce risk to an acceptable level while minimizing the impact and dwell time if compromise does occur.
Monitoring and Response
A final area of due diligence that should be considered at this early stage is the validation of an effective Incident Response capability. This will help ensure a timely response if necessary while validating visibility, both internally and externally, during an election. As a first step, Mandiant recommends that Election Boards ensure an effective ability to respond to emerging threats exists by assessing the capabilities of the people, technology and processes in place. If effective response is inadequate or cost prohibitive, establishing a retainer with a trusted service provider offers an alternative to maintaining this within. As such, appropriate response expectations can be developed early on to ensure that specialized response-focused resources are available to assist when the inevitable occurs.
Internal and external visibility is important to ensure that incidents and events are identified and assessed throughout the election process, and that visibility extends beyond the typical boundaries to include not only election systems and workers, but candidates and their families, external voters and non-voters. By developing appropriate search parameters early, the reputational visibility throughout the election will allow potential incidents to be recognized sooner. Another important aspect relating to election visibility involves community. In the late 90s, Information Sharing and Analysis Centers (ISACs) were developed as part of PDD 63 under the Clinton Administration to ensure sanitized and anonymized sharing of cyber related information, and to provide visibility of industry specific threat activity across our national infrastructure. As such, Mandiant recommends membership, participation and adoption of both the Multi-State ISAC and the Election ISAC. This will provide visibility of election specific events to allow for a quicker and more efficient response.
Election activities represent a unique challenge when considering the overall history, operational complexity, and unique mission. Recent adoption of technology in the election process has created some unique challenges relating to the perception of trust, safeguarding of data, and overall reputation of the institution. Recent incidents have called into question the integrity of the election process, the reliability of the infrastructure and devices used, and the overall validity of outcomes. As such, the actions and activities during the pre-election cycle offer a proactive opportunity for Boards of Election to offset the risks associated with these challenges. Proactive and preventative actions to identify threats and risks, understand avenues available for compromise, and the tactical implementation of proactive remedies will offset the resulting impact.