While many feel that they are living in Groundhog Day, the days and weeks do continue to pass us by, bringing the 2020 Presidential election closer with still no clear path for securing the election process. Recognizing the risks, the National Institute of Standards and Technology (NIST) published a document of risk management for election security. NIST certainly isn’t the only government (or non-government) agency to offer such guidance because the issue of election security is complex and further complicated by more than old technology.
What are the risks? That’s not an easy question to answer because the kraken of election infrastructure has many tentacles. The enormity of the security gaps at the national, state and local levels is one reason why we are seeing headlines such as, “ODNI to offer election security briefings for both parties in run-up to November.” Certainly, the NIST document outlines multiple risks including that, “an electronic MITM attack could be conducted from anywhere in the world, at high volumes, and could compromise ballot confidentiality, ballot integrity, and/or stop ballot availability.” But as new technologies come to the forefront, they could create more security gaps. Yes, advanced technologies could augment the existing legacy systems or even enable online voting, but as the DHS Cybersecurity Services Catalog for Election Infrastructure points out, “Risks associated with the Information and Communication Technology (ICT) supply chain have grown dramatically with expanded outsourcing of technology and infrastructure. Failures in managing these risks have resulted in incidents, like data breaches, affecting millions of people.”
Even if there were confidence in the security of the election infrastructure at the national level, risks remain from jurisdictions across the United States. Looking at the entire ecosystem of national elections, it is nearly impossible to understand which suppliers within the supply chain are most vulnerable. All the while, the global pandemic seems to have fomented fear that the polis might not be able to physically vote at the polls in November. The result, according to the Cybersecurity 202, is that states are, “scrambling to revamp their voting procedures.” However, those efforts will only–at best–reduce the security gaps that threaten the 2020 election.
The reality is that data is data, regardless of who collects, shares or stores it. Much like other information–whether its intellectual property, health records or report cards– election data passes through multiple channels, introducing risk with each handoff. Election information is no more or less secure than information in general, though there are potentially greater risks if that information is accessed by malicious actors. That’s why state and local election officials need to not only carefully vet third-party vendors and contractors, but also have visibility into those entities.
Yes, supply chains risks are one of the greatest cybersecurity challenges. That’s why evidence of compromise matters. As new technologies and voting machines are deployed in the name of election security, it’s critical that security teams have downline visibility into the entirety of their ecosystem and understand which suppliers are the weak links in that chain.
Hijazi discusses Microsoft hack parallels with SolarWinds and how China and Russia likely execute their cyber campaigns.
See Prevailion CEO, Karim Hijazi, comment on how nation states use proxy groups to compromise organizations through weaker supply chain points.
See Prevailion CEO, Karim Hijazi, weigh in on a second solar winds hack and how elite hacker groups have likely already compromised many top companies around