Concerns raised about voting infrastructure security in mid-term elections
In the wake of mounting concerns over the security of the nation’s voting infrastructure during the 2018 midterm elections, a new non-public Congressional Research Service (CRS) briefing says that although the Department of Homeland Security (DHS) last year designated election-administration infrastructure as a critical infrastructure (CI) subsector, that designation “expressly applies only to the election-administration dimension … malicious actors are unlikely to respect such limitations.” The briefing was written by Catherine A. Theohary, Specialist in National Security Policy, Cyber and Information Operations, and Eric A. Fischer, Senior Specialist in Science and Technology at CRS.
DHS’s 2017 designation of election administration as CI made state and local offices and private-sector entities involved in running elections eligible for enhanced federal technical assistance and information sharing for both physical security and cybersecurity.
“However,” the CRS briefing warned, “The increasing use of Internet connectivity in all three dimensions [election administration, campaign activities, and media coverage] is creating a convergence of security risks not only within the dimensions but across them.” For example, it said, “Attacks on election infrastructure might involve registration databases, voting systems, reporting of results, or other components or processes. The goal might be to exfiltrate (surreptitiously obtain) information such as voter files, to disrupt the election process, or even to change vote counts and results.”
Each of these sorts of attacks could easily compromise electoral databases containing voters’ biometrics, as well as the biometric Personally Identifiable Information (PII) of election administrators and contractors who have access to databases containing their own biometrics, physical facility access, maintenance, storage, etc.
Indeed, the authors of the CRS briefing stated, “Attacks on political parties and campaigns might involve exfiltration of candidate information or communications,” such as stealing “data from the information networks of a political party [which] could offer a foreign adversary insights into the prospective operations, priorities, and vulnerabilities of an incoming government, should the party prevail at the polls.”
Individual voter PII – including potential biometric data – also could be “obtained through attacks on political party or government entities, or by other means, [that] could be used to target voters considered susceptible to such misinformation.”
The CRS briefing warned, “Some analysts contend that technical solutions and hardening of potential targets will fail to keep pace with the evolving tactics of such adversaries, and that criminal indictments fall short of the level of deterrence that is needed.”
DHS itself has determined that server vulnerabilities should be expected to be exploited to gain unauthorized access to sensitive information. “An attack against a poorly configured server running a voter registration website may allow an adversary access to critical information and to the supporting voter registration database itself,” the department warned.
Addressing the DHS National Cybersecurity Summit in New York City on July 31st, Vice President Mike Pence called on the United States Senate to take action before the end of the year to enact legislation creating the Cybersecurity and Infrastructure Security Agency.
Since the 2016 elections, there have been eight hearings on election CI by both House and Senate committees and subcommittees, but no legislation has been passed, although more than 60 bills have been introduced in the 115th Congress which contain provisions related to election security.
But, CRS said, “most [of these bills] address concerns about the security of election administration, with others focusing on deterring foreign interference. A few have provisions on campaign security.”
The briefing emphasized that, “Addressing broader concerns about election interference and security would likely require a whole-of-life-cycle approach to election integrity; that would need to balance meeting legitimate security needs with maintaining protections for free expression and other requirements for proper functioning of the democratic process.”
In the June 26 Securing Voter Registration Data document that DHS’s National Protection and Programs Directorate issued for election administration officials and personnel, the department was unambiguously clear that, “Voter registration databases (VRDB) are rich targets and may be an attractive target for computer intrusions. This problem is not unique to individual states – it is shared across the nation.”
Further, DHS’s recent Election Infrastructure Security Funding Consideration document for the Election Infrastructure Subsector (EIS) Government Coordinating Council (GCC) “provides direction to the election community regarding possible considerations, both short and long term, for the use of the newly available election funding, as well as to provide support for procurement decisions regarding use of the funding.” It places considerable emphasis on ID authentication and database access controls.
Election administration officials would do well to heed the DHS document, which notes, “Election officials are advised to consult with the US Election Assistance Commission (EAC) before making any purchase to ensure it is an appropriate expenditure of funds.”
Congress has made available to state and local election officials $380 million in funding for the improvement of federal elections, which is “intended to help states build on their existing funding and human capital investments by giving an additional infusion of funding for new resources and personnel to improve federal elections.”
Regarding security, in 2016 the US Computer Emergency Readiness Team (CERT) recommended the following:
• Multi-Factor Authentication: Authentication using two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). Upgrading voter registration systems, election night reporting systems, or other election office IT systems to multi-factor authentication can drastically limit the risks of phishing attacks.
• Email Authentication: Upgrading election office email systems to include SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) allows a sending domain to effectively “watermark” its emails, making unauthorized emails (e.g., spam, phishing email) easy to detect. When an email is received that doesn’t pass an agency’s posted SPF/DKIM rules, DMARC (Domain-based Message Authentication, Reporting & Conformance) tells a recipient what the domain owner would like done with the message. Setting a DMARC policy of “reject” provides the strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery. Additionally, DMARC reports provide a mechanism for an agency to be made aware of the source of an apparent forgery, information that they wouldn’t normally receive otherwise. Multiple recipients can be defined for the receipt of DMARC reports.
And, importantly, access control. CERT said, “Access control practices, such as role-based access control, will not prevent phishing attacks but may limit the potential impacts of stolen credentials. Using a third-party assessment or audit to identify vulnerabilities and proactively define effective access control policies and configurations for your system helps limit the impact of phishing campaigns.”
CERT reiterated that, “Phishing attacks can lead to credential theft (e.g., passwords) or may act as an entry point for threat actors to spread malware throughout an organization, steal voter information, or disrupt voting operations,” and that, “injection flaws are a broad web application attack technique that attempts to send commands to a browser, database, or other system, allowing for a regular user to control behavior. The most common example is Structured Query Language (SQL) injection, which subverts the relationship between a webpage and its supporting database, typically to obtain information contained inside the voter registration database. Another form is Command Injection, where an untrusted user is able to send commands to an operating system supporting a web application or database.”
CERT also warned in 2016 that, “Cross-site scripting (XSS) vulnerabilities allow threat actors to insert and execute unauthorized code in web applications. Successful XSS attacks on voter registration websites can provide the attacker unauthorized access to voter information.”
Regarding state and local election CI officials, personnel, contractors and anyone else with access to voter PII, databases, and physical facilities, some authorities – including federal government officials who spoke only on background – suggested legislation or other legal means, such as MOUs, if possible, to make use of the FBI’s Next Generation Identification (NGI) Rap Back Service for vetting all the individuals involved along the voting CI spectrum.
“I’ve not heard this proposed by anyone in Congress or DHS … or anywhere else, but to me it makes sense as another layer of security that addresses the individuals in the election infrastructure, rather than just focusing on securing the technology,” one congressional staffer who works on these sorts of cybersecurity matters told Biometric Update.
The Rap Back service allows authorized agencies to receive notification of activity on individuals who hold positions of trust at the state, local, contractor or NGO level, or who are under criminal justice supervision or investigation, thus eliminating the need for repeated background checks on a person from the same applicant agency.
“Prior to the deployment of Rap Back, the national criminal history background check system provide[s] a one-time snapshot view of an individual’s criminal history status. With Rap Back, authorized agencies can receive on-going status notifications of any criminal history reported to the FBI after the initial processing and retention of criminal or civil transactions. By using fingerprint identification to identify persons arrested and prosecuted for crimes, Rap Back provides a nationwide notice to both criminal justice and noncriminal justice authorities regarding subsequent actions.”
“In an effort to harness new technologies, and to improve the application of ten-print and latent fingerprint searches, the FBI’s Criminal Justice Information Services (CJIS) Division developed and incrementally integrated a new system to replace the Integrated Automated Fingerprint Identification System (IAFIS). This new system, the Next Generation Identification, provides the criminal justice community with the world’s largest and most efficient electronic repository of biometric and criminal history information.”
The FBI said, “Biographic and biometric data within NGI [is] … shared with local, state, federal, tribal, foreign, international, and joint agencies as permitted by federal and state statutes, federal and state executive orders, or regulation or order by the Attorney General. Information is shared with authorized noncriminal justice agencies and other regulatory entities for employment suitability checks, permits, identity verification, and licensing in accordance with applicable laws, regulations and policies. NGI will maintain data provided only by authorized agencies, which are responsible for ensuring that accurate and complete biographic and biometric information is submitted in the first instance, in accordance with CJIS data quality standards and operating policies.”