Experts highlight progress, challenges for election security
Infosec professionals at RSA Conference 2024 discuss digital and physical security challenges for election cycles across the globe in a post-COVID-19 landscape.
SAN FRANCISCO -- This year marks a presidential election in the United States, but at least 64 nations -- and roughly half of the Earth's population -- will have a national election of some kind, putting security concerns at center stage.
While the 2020 election season was considered a busy and successful year for security efforts despite rampant misinformation and disinformation, as well as disruption efforts from foreign nation-states, 2024 will carry its own challenges on both a sheer scale basis and in the context of high-stakes geopolitical events occurring across the globe.
At RSA Conference 2024, CISA Executive Director Brandon Wales told TechTarget Editorial that when CISA first got involved in election security in January 2017, election infrastructure was declared a critical infrastructure sector. And based on the work done to secure midterm and general elections since then, he said, every cycle is uniquely different.
"From the CISA perspective, we try to meet our election stakeholders where they are," Wales said. "And that includes what they need and to address the challenge that they're having in the moment."
He explained that cybersecurity became a much larger priority beginning in 2017 as Russia began to interfere in U.S. state elections. And in 2020, voting technology and processes changed to account for the ongoing global pandemic. Beyond 2020, Wales said, CISA has seen increased interest from stakeholders in both securing mail-in ballots and defending against physical threats.
"In just over the past year, we have done several hundred physical security assessments of election offices and polling locations. We've done training -- physical security training, active shooter training, de-escalation training -- for election officials around the country that have dealt with cyber and physical incidents," he said. "And those are all at the request of the election officials, and we will continue to adapt and make sure our support to them is based upon their needs."
CISA has already taken steps to bolster election security for 2024. Its #Protect2024 campaign was established to offer help to election officials and election infrastructure stakeholders against cybersecurity, operational security and physical security risks. In addition, CISA, the FBI and the Office of the Director of National Intelligence published a guide last month titled "Securing Election Infrastructure Against the Tactics of Foreign Malign Influence Operations" that provides more concrete technical advice.
Wales said that both at RSA Conference and outside of it, CISA met with international partners to discuss election security and share information about how each nation is approaching election security. "We learn from things that are happening over there from a threat perspective, and how those countries dealt with those threats and risks."
He called it an "interesting time."
"Election security continues to be a very high priority for this agency," Wales said. "And we will be there to support election officials through the conclusion and certification of this year's election."
Builders and breakers
Also at RSA Conference, security professionals discussed election security and partnerships between the research and voting vendor communities during a Wednesday session.
The panel, titled "Builders and Breakers: Partnering for Secure Elections," was hosted by Scott Algeier, executive director of the not-for-profit Information Technology-Information Sharing and Analysis Center (IT-ISAC). Panelists included Casey Ellis, Bugcrowd's founder and chief strategy officer; Chloé Messdaghi, HiddenLayer's head of threat intelligence; and Jennifer Morrell, CEO and co-founder of The Elections Group.
The panel was effectively a postmortem of an IT-ISAC pilot program, dubbed the Election Security Research Forum, from September in which election technology providers gave security researchers access to modern voting technology in order to find vulnerabilities under coordinated vulnerability disclosure (CVD) guidelines. Ellis, Messdaghi and Morrell are members of the independent advisory board that governed the pilot.
According to the final event summary, participants were given a day and a half to tinker with voting machines from vendors participating in the event. After vulnerabilities were found, the researchers worked with voting technology vendors under coordinated timelines to fix and disclose relevant flaws. The final report highlighted the need to update and modernize several policies, such as the testing and certification of election technology.
"Amidst heightened distrust in elections, it is even more important to normalize the process of CVD, building positive working relationships between researchers and election technology providers, and demonstrating this collaboration to the public," the report read. "Over the course of the three-day event, it was clear that there was significant trust built between the participating researchers and the voting technology providers. Transparency in elections breeds trust -- it is our hope that this event can serve as the starting point for more collaboration to come to safeguard our most valuable democratic processes."
Morrell said that given the tensions that can exist between researchers and vendors, as well as the sensitive nature of election technology, the event "took a lot of courage" on the participants' parts.
"It was about not letting 'perfect' get in the way of starting something and doing something good," she said. "Just like everything we do around elections, there's no one silver bullet for protecting and securing elections. There are many, many, many layers and many, many controls in place to ensure that our elections are secure and they are resilient. And this, to me, it's just one more piece of that puzzle as we move toward a better place for elections and democracy."
Ellis pointed out that election security research is happening "whether we want it or not" and that working with and partnering with researchers goes a long way to develop the story of transparency and confidence in the election cycle. Moreover, he affirmed the fact that this is an election year for much of the world -- not just the United States.
"It's not just a U.S. issue. It's one of the reasons I got involved as an Aussie," Ellis said. "If there are problems here that are diagnosable downstream to my own country, even though we're not necessarily using the same infrastructure, it's about making sure that the democratic process itself stays intact. And I think that's a really important issue."
Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
