DHS works to strengthen election security on heels of bipartisan legislation
In what one congressional observer called “a day late and a dollar short,” the bipartisan Prevent Election Hacking Act of 2018 (HR 6188) was recently introduced and referred to the House Committee on House Administration. If passed, it would “direct the Secretary of [the Department of] Homeland Security [DHS] to establish a program to improve election system cybersecurity by facilitating and encouraging assessments by independent technical experts to identify and report election cybersecurity vulnerabilities, and for other purposes.”
An industry cybersecurity official said on background to Biometric Update that, “HR 6188’s potentially groundbreaking — sorry, overstated deliberately — concept of outsourcing cybersecurity execution to the private sector is something worth looking into.”
Introduced by Reps. Mike Quigley (D-IL) and John Katko (R-NY), the bill is designed, the legislators said, “to help combat the threat of election hacking. The legislation will create a competition, commonly known as a bug bounty program [called ‘Hack the Election Program’ in the legislation], that rewards cyber experts that are able to identify vulnerabilities in our election infrastructure.”
Quigley earlier garnered $380 million in new grants to help states secure election systems from hacking, and cosponsored the Protecting the American Process for Election Results (PAPER) Act to authorize additional grant funding to harden election systems’ cybersecurity.
During DefCon last year, it took hackers less than a day to find and exploit vulnerabilities in five different voting machines.
In a joint statement, the two legislators said, “By allowing the Department of Homeland Security to establish a recurring ‘Hack the Election’ competition, we can give independent cyber experts the opportunity to assist participating state and local election officials, who often times lack the necessary cybersecurity training and guidance to prevent hacking attempts, uncover both new and existing threats to their systems,” including biometric insider threats to voting database systems, individual machines, physical access to voting sites and storage facilities, etc.
“With these vulnerabilities detected by outside experts, DHS can focus its resources on providing election officials with the technical assistance needed to bolster their cybersecurity defenses,” Quigley and Katko said.
They noted that, “Voting machines and election databases across the country remain woefully outdated and highly susceptible to outside interference. In fact, an estimated 41 states still use voting machines that have not been replaced in over a decade and thirteen states continue to use machines that fail to produce the paper ballots or records necessary to perform audits.”
Biometric Update had earlier reported that while other nations are rapidly incorporating biometrics into their voting technologies, the US Congress and states – and local jurisdictions – haven’t seemed to be all that concerned about utilizing biometrics to verify the identities of individuals voting in America, despite the concerns over election machine cyber-tampering that’s continued to be hotly debated since the 2016 elections.
Days later, Sen. Amy Klobuchar (D-MN) introduced the Helping State and Local Governments Prevent Cyber Attacks (HACK) Act (S1510), which was referred to the Committee on Rules and Administration. The bill would “amend the National Voter Registration Act of 1993 to provide for online voter registration and other changes, and to amend the Help America Vote Act of 2002 to improve voting, to require the Election Assistance Commission to study and report on best practices for election cybersecurity and election audits, and to make grants to states to implement those best practices recommended by the commission.”
In January 2017, DHS designated the election infrastructure used in federal elections as US critical infrastructure (CI).
According to a recent Congressional Research Service (CRS) paper, however, “The [CI] designation sparked some initial concerns by state and local election officials about federal encroachment of their prerogatives, but progress has been made in overcoming those concerns and providing assistance to election jurisdictions.”
Under federal law, CI refers to systems and assets for which “incapacity or destruction … would have a debilitating impact on security, national economic security, national public health or safety, or any combination” of them.
CRS said, “Most CI entities are not government-owned or -operated. Presidential Policy Directive 21 (PPD 21) identified 16 CI sectors, with some including subsectors. Sectors vary in scope and in degree of regulation. For example, the financial services sector is highly regulated, whereas the information technology sector is not. Election infrastructure has been designated as a subsector (EIS) of government facilities. That sector includes two previously established subsectors: education facilities, national monuments and icons.”
The Homeland Security Act of 2002 (PL 107-296) gave DHS responsibility for several functions aimed at promoting the security and resilience of CI with respect to both physical and cyber-based hazards, either human or natural in origin. Among those functions are providing assessments, guidance, and coordination of federal efforts.
“Our foreign adversaries don’t have to hack into every single board of election to undermine our democratic process; it just takes a couple to achieve their goal of eroding public trust in our electoral system,” Quigley said. “Unfortunately, many state and local election boards don’t even know when they’ve been hacked — either because they don’t know what to look for or don’t have the technology needed to help spot an intrusion. That is why we must continue to better understand the vulnerabilities that exist so we can implement infrastructure upgrades that address them head on. This important bill will enlist the unique knowledge of cybersecurity experts to safeguard the foundation of our democracy — the right to free and fair elections.”
Katko added, “As we saw in the last election cycle, our adversaries are committed to interfering in our nation’s democratic process. This is a grave threat to our country and our nation’s security. Our voting systems remain vulnerable to hacking, and we must do more to protect against cyber aggression. This is an issue we must work across the aisle to address, and I’m proud to take the lead with my colleague Rep. Quigley. The bipartisan measure we’ve introduced today will help ensure our nation’s foremost experts on cybersecurity have the tools that they need to identify and combat malicious cyberattacks against our democracy.”
Katko and Quigley’s bill defines “election cybersecurity vulnerability” as any security vulnerability defined in section 102 of the Cybersecurity Information Sharing Act of 2015 that affects an election system.
Under their proposed legislation, the Hack the Election Program would be composed entirely of state and local election officials and election service providers participating voluntarily, but the bill would also require that the DHS secretary “shall solicit input from, and encourage participation by, state and local election officials.”
The DHS secretary would be required to:
• Establish a recurring competition for independent technical experts to assess election systems for the purpose of identifying and reporting election cybersecurity vulnerabilities;
• Establish an expeditious process by which independent technical experts can qualify to participate in the competition;
• Establish a schedule of awards (monetary or non-monetary) for reports of previously unidentified election cybersecurity vulnerabilities discovered by independent technical experts during the competition;
• Establish a process for state and local election officials and election service providers to voluntarily participate in the program by designating specific election systems, periods of time, and circumstances for assessment by independent technical experts; and,
• Promptly notify state and local election officials and election service providers about relevant election cybersecurity vulnerabilities discovered through the competition, and provide technical assistance in remedying the vulnerabilities.
Under Klobuchar’s bill, the Help America Vote Act of 2002 would be amended “to improve voting, to require the Election Assistance Commission [EAC] to study and report on best practices for election cybersecurity and election audits, and to make grants to states to implement those best practices recommended by the commission.”
The commission, in consultation with the National Institute of Standards and Technology, Secretary of the Department of Homeland Security, Election Assistance Commission Standards Board, Election Assistance Commission Board of Advisors, Election Assistance Commission Technical Guidelines Development Committee, National Association of Secretaries of State, National Association of State Election Directors, National Association of Election Officials, International Association of Government Officials, and other stakeholders the EAC determines necessary, shall conduct a study on each of the following: Best practices for cybersecurity of federal elections, and best practices for election audits.
In addition, EAC would be required to consider “the opinion of intelligence officials that foreign states are likely to attempt to interfere in future federal elections; election administration profiles based on the cybersecurity framework of the National Institute of Standards and Technology be examined; all components of the critical election infrastructure; the implications of the aging of voting equipment on cybersecurity; any existing federal funding sources that may be used to assist state and local governments to improve election cybersecurity; and, any related issues EAC identifies as necessary to complete a comprehensive study of best practices for cybersecurity of federal elections.”
States would be given authority to use federal grants to improve, upgrade, or acquire new technological equipment related to election administration, which may include:
• Voting machines;
• Election management systems;
• Electronic poll books;
• Online voter registration systems;
• Participation in the Electronic Registration Information Center;
• Accessible voting equipment; and
• Other technological upgrades identified by the commission in their studies on best practices for cybersecurity and election audits.
Florida Democratic Sen. Bill Nelson and Republican Marco Rubio wrote a July 2 letter to the state’s 67 county election supervisors about potential threats, and urged them to take advantage of “a wide range of services to state and local officials that will support your efforts to make your systems secure. DHS will follow your lead and meet your needs with a tailored set of options.”
“We encourage you in the strongest terms to take advantage of those resources, and to let us know about your experience with DHS and FBI,” they stated, adding that DHS “depends on states and localities self-reporting suspicious activity, and that activity is often difficult to find,” and that “it is possible that additional activity occurred and has not yet been uncovered.”
This past week, DHS held a conference call with the National Association of Secretaries of State and National Association of State Election Directors – the nation’s lead election security officials – featuring a briefing by Facebook on the company’s actions “to remove inauthentic behavior by malicious actors who seek to undermine our democratic institutions. DHS officials and Facebook’s security team spoke with election officials to provide an update on recent actions taken by Facebook, including tactics used by adversaries. This briefing provided elections officials a broader understanding of the threat environment as they develop plans to bolster the resilience of election systems. This call is also a clear example of how the federal government is partnering with social media companies and state and local officials to share information and collaborate on combatting threats to elections.”
“Strengthening collaboration between social media companies and federal, state, and local governments is critical to preventing foreign interference in our democratic processes, including elections. Today’s briefing is an excellent example of this growing partnership across industry and government,” said Christopher C. Krebs, DHS Under Secretary for the National Protection and Programs Directorate. “While recent operations identified by Facebook were not directly targeting elections or political campaigns, it is important for election officials to have an understanding of the techniques and tactics malign actors use, as well as countermeasures used to defeat those operations. This broader understanding will help elections officials develop response and communications plans to bolster resilience of our nation’s election systems.”
“We appreciate the efforts made by DHS to provide a more comprehensive picture of the lengths foreign adversaries will go to attack our democratic process. Learning about Facebook’s response to continued influence operations was extremely valuable for Secretaries of State and other state election officials. Election cybersecurity is a team sport. As we prepare for the 2018 midterm elections this increased information sharing and partnership between states, the federal government and the private sector will be critical to our success defending our elections from foreign threats,” said Jim Condos, president of the National Association of Secretaries of State and Vermont Secretary of State.
In June, the New York State Board of Elections, in concert with DHS and in partnership with the Division of Homeland Security and Emergency Services (DHSES), State Police, and State Intelligence Center, wrapped up a first-of-its-kind series of tabletop exercises focused on protecting the integrity of New York’s electoral systems against cyber-attacks.
The series of regional tabletop exercises—which covered all of New York’s county election jurisdictions—focused on cybersecurity preparedness and response to threats to election systems, including biometrics.
“These exercises show the seriousness with which federal, state and local officials take the threat to election infrastructure, and the level of cooperation taking place to address it,” said Bob Kolasky, Acting Deputy Under Secretary of DHS’s National Protection and Programs Directorate. “State and local officials in New York have taken a number of steps to improve the security of their elections, and [DHS] stands ready to support their efforts through exercises, information sharing, and by providing our technical cyber analysis and expertise. We look forward to continuing to work together to ensure the security and integrity of future elections in New York.”
“Secure elections begin with having systems that can withstand cyber attacks. For over a decade, the EAC’s Testing & Certification program has worked with the election community, the National Institute of Standards and Technology and the Technical Guidelines Development Committee to define specifications and requirements voting systems can be tested against to ensure they meet the required standards,” former EAC Commissioner Matthew Masterson said last year.
“The most recent iteration of these standards, the Voluntary Voting System Guidelines (VVSG 2.0), were adopted on September 12, 2017” and “designed to spur innovations that will give voters the best experience possible while ensuring improved accessibility, security, accuracy, and auditability of voting systems. Expected to be released in 2018, these new testing guidelines will become the most flexible and comprehensive standards against which voting systems can be commercially tested in the United States,” he said.
However, despite the increasing attention being given to cybersecurity, a year ago the National Election Defense Coalition and coalition partners sent an open letter to Congress stating, “While there has been encouraging progress to improve election security in recent years, too many polling stations across the nation are still equipped with electronic machines that do not produce voter-verified paper ballots. Many jurisdictions are also inadequately prepared to deal with rising cybersecurity risks.”
In the letter, the groups said, “We are writing to you as members of the computer science and cybersecurity communities, together with statisticians and election auditing experts, to convey our concern about these and other vulnerabilities in our voting system and to urge you to take the following simple, straightforward, and cost-effective actions to set meaningful standards to protect American elections. We represent both major political parties, independents, and a range of academic institutions and private sector organizations, but we are united in our belief that the United States, the world’s oldest representative democracy, needs prompt action to ensure prudent elections security standards.”
Rather than focus on the entire spectrum of cybersecurity, they called for:
• Establishing voter-verified paper ballots as the official record of voter intent;
• Phasing out the use of voting technologies such as paperless Direct Recording Electronic voting machines that do not provide a voter-verified paper ballot;
• Safeguarding against internet-related security vulnerabilities and assuring the ability to detect attacks;
• Creating firewalls (software barriers) between internet and all voter registration, vote-tabulating machines, ballot delivery, and election management systems;
• Requiring layered backup systems to ensure that intrusions and corruption of the databases can be detected and corrected;
• Reviewing and documenting compliance with the recommendations and checklists prepared by DHS for security, penetration testing, network scanning, and detection and management of potential cyber-attacks;
• Reviewing and tracking FBI security alerts;
• Ensuring voting systems and information technology that supports voting systems have the latest security patches, and that those patches have been provided from trusted sources on trusted media. Limiting physical access and regularly auditing sensitive and critical election systems; and,
• Discouraging voters from voting online in any form (via web, email or fax), even in states where it is legal. Informing voters that electronically submitted ballots can be modified, copied, rerouted or simply deleted during transmission.