7 Ways the Government Can Secure 2020 Elections
Well I've said it before, and I'll say it again
You get nothing for nothing: expect it when
You're backseat driving, and your hands ain't on the wheel
— Judas Priest (Heading Out to the Highway)
So it seems like it’s time.
Past time really.
Yes, it’s time to really have a serious conversation about election security. I mean for real this time. Really. No seriously.
I wrote about this a bit a while ago here, and while some things have gotten better, some things have gotten worse. Case in point is this little ditty by Kim Zetter HERE. As a matter of fact, everywhere we turn there are new things to discover and new things to protect. Makes sense. It’s complicated.
First, we have the Senate intelligence community assessment that our elections are (and have been) more vulnerable that we initially thought. The Senate Intel committee determined that not only did Russia interfere in our elections, they were sniffing around our election systems, undetected, in all 50 states.
THIS is sounding an alarm.
This is a lot wider spread and way more pervasive than we’ve been led to believe. Our states and localities are under attack. All the time. And I don’t think we’ve had the sense or realization of how ill prepared they are. They don’t have the time, energy or resources to repel this attack as we head into the next presidential election cycle. And as sad as it may seem, there are even some states who refuse to recognize the threat exists (best case) or are unconcerned about it (worst case). These folks boggle the mind and I hope they come to their senses before it’s too late. But for the rest, we all have to do our part and help where we can.
Second, we had the congressional testimony of Special Counsel Robert S. Mueller and while this was lacking in political theater (which was never the point) it was another very clear indication that our elections are at risk. And it’s not just the Russians. They’re all coming for our democracy.
Journalists and the media tend to focus on the voting machines themselves which while this IS super important and I get it, is not the only thing requiring security attention. But it is a very sexy headline. Like attacking ATMs. And if you want to look at this aspect of election security I recommend a Twitter follow of none other than my friend Josh Franklin who has looked into this, and knows more about this than anyone I know.
But there is a much overlooked aspect to the voting system apparatus that is more centralized and much easier to address and it tends to look more like enterprise security — which is something we security humans spend a lot of time focusing on.
<disclaimer> none of this is easy. Security just isn’t. </disclaimer>
“We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard.”
— John F. Kennedy
Voter Systems Are Enterprise Systems
Voter “systems” are comprised of endpoints, users, data and applications. Sound familiar? While the US Senate Intel report is redaction heavy, there is enough data here to see a pattern. To see where attackers have been pen-testing and surprise surprise it’s the weakness of passwords/credentials. It’s access to data (both cloud and in state, local and federal agency networks). We’ve seen this movie before. In fact, we watch this movie every gosh darn (my PG self) day. There is also a fair amount of BYO technology concerns/use-cases. Local workers are temp workers. They use their own computers/phones/networks. So the voter “enterprise” has to contend with people they don’t manage, technology they don’t own and networks they don’t control. Again…. Sound familiar?
So What Do We Do?
Glad you asked.
To my state and municipality CISO/CSO and security friends:
We apply the same principled security best practices we’ve come to know and love in enterprise. You know the drill so repeat after me.
1) Passwords! We hate em but we gotta use em. Employ a 2FA solution. Employ a password manager. One day these will be gone. Today is not that day.
2) Phishing. We hate that too so be vigilant. Be wary. Do phishing drills, but don’t punish users who click links (I’ve been doing this for 20 years and sometimes I click links. It happens. The web is dark and full of links). But also, see #1.
3) Get transparent visibility. Technologies like Cisco’s Umbrella are awesome at this. It sits on your endpoints (via DNS), looks at the access and can block and tackle the bad stuff, and it doesn’t get in the way of the good stuff.
Full disclosure I’ve been running OpenDNS at home for years, for free and you can too HERE. Cisco’s Talos Security Intelligence and Research Group is good for this too. Beyond being just super great, helpful people, they’re wicked smart. And did I mention helpful? Learning what they know, watch what they watch and definitely subscribe to their Beers with Talos podcast HERE. Beer -AND- security? Where do I sign up?
Also, please read Matt Olney’s amazing blog on this topic HERE.
4) Encrypt all the things. At least the pipes. I mean seriously, it’s 2019. Just do it.
5) Make security part of your culture. Trainings, seminars, lunch and learns, Beer’s with Talos… etc. Get your organization excited to participate on your security journey. Make your users a part of this. Something that happens WITH them not just TO them.
6) Reach out for help. The security community is vibrant and super helpful. Reach out to your peers and find out what they’re doing. And if the answer is “nothing” — invite them to some security events.
7) Look into Zero Trust principles. You can start HERE with this trends report. Some of the above suggestions are part of the conversation in this report. Remember that Zero Trust is a lifestyle choice, not a product so go in with your eyes (and mind) open.
It’s a tired cliche but nevertheless a true statement… we are all in this together. And while yes, protecting voting machines is super important, and the House and Senate absolutely have the obligation to step up and deliver on their part of this challenge, there are pragmatic parts that we can do now. Today. Without a gargantuan investment.
We all have a role to participate in AND to help secure our democracy.