Securing the vote by protecting “unsecurable” and outdated voting machines
Time is running out to secure America’s election systems. Before we know it, it will be Tuesday, November 6th, election day, and we will be headed to the polls to cast votes for the 435 U.S. House, 35 U.S. Senate, 36 gubernatorial elections and many more state and local offices. While there is increased public awareness about the threats to and weaknesses of our election system, we are still a long way from securing these systems and ensuring their security and our confidence in them.
Election systems are unique, purpose-built information technology (IT) networks designed to maintain a list of eligible voters and collect and tabulate votes; however, no matter how unique election systems may be, at their core, they share the same basic characteristics and vulnerabilities of all IT systems. Each component of an election system—the voter registration database, the vote tabulation system, and the voting machines—can be secured with many of the same techniques and tools that are used to secure financial institutions, medical facilities, and power plants.
While much of the focus publicly is on replacing vulnerable voting machines, replacement alone may not be sufficient enough to secure the machines without following common design standards and widely recognized security practices; but, before we discuss what must be done next, let’s consider the relevant past on this issue.
After the deadlocked 2000 presidential election focused national attention on obscure details of election administration, Congress passed the Help America Vote Act (HAVA). HAVA provides states with funding for modern voting equipment, requirements on election administration, and a new independent agency to administer grants and assist state and local agencies by issuing guidelines and providing support. Today, despite this progress, nearly every voting machine in the United States may be susceptible to some form of compromise and even election systems that have a paper trail may not be completely secure.1 In fact, the Department of Homeland Security recently notified 21 states that Russia attempted to hack their election systems before the 2016 election.2 In March 2018, the Federal Government provided funding to upgrade election systems in an attempt to improve election systems security.
Today, even organizations with the best monitoring, vulnerability and cybersecurity tools do not have visibility or are not managing a high percentage of devices on their networks. In fact, according to analyst firm IDC, customers can discover 24 percent more previously unknown devices on their networks upon installing the Forescout platform.3 A leading firewall vendor recently found that 90 percent of organizations they protect have experienced cyberattacks where intruders tried to exploit vulnerabilities that were three years old or older.4 These asset inventory blind spots and device compliance failures can be fixed with basic cyber hygiene practices.
Securing the seemingly ‘unsecurable’ devices on a network is a challenge, but it is not impossible. The first step is to improve basic cyber hygiene of those systems and then, where time or resources prevent replacing old, unsecured voting machines, innovative technologies that can secure previously unsecurable devices should be deployed. In circumstances where resources are constrained, and timelines are tight, the Forescout platform can help to build a secure perimeter around unsecured systems and continuously monitor device activity across connected networks. Forescout can help mitigate risks associated with unsecurable devices by identifying devices as they connect to the network and protecting those connections throughout their lifecycle.
Increased cyber hygiene and securing unsecured devices with Forescout should be implemented as part of a broader framework such as the National Institute of Science and Technology Risk Management Framework (https://csrc.nist.gov/Projects/Risk-Management/Risk-Management-Framework-(RMF)-Overview) or the Center for Internet Security Critical Security Controls (formerly the SANS Top 20 security controls) (https://www.cisecurity.org/controls/).
To learn more about Forescout’s approach to tackling this challenge, click here.
1 https://freedom-to-tinker.com/2016/09/20/which-voting-machines-can-be-hacked-through-the-internet/ Professor Michael Shamos: “Every manipulation of elections that’s been proven has involved the manipulation of paper.”
2 Mulvihill, Geoff and Pearson, Jake (2017, September 23). Federal Government Notifies 21 States of Election Hacking. Associated Press, https://www.apnews.com/cb8a753a9b0948589cc372a3c037a567
3 Robert Ayoub and Matthew Marden (December 2016). IDC White Paper. The Business Value of Pervasive Device and Network Visibility and Control with Forescout
4 Fortinet Q2 2017 Global Threat Landscape Report (https://www.fortinet.com/fortiguard/threat-intelligence/threat-landscape.html)