W H I T E P A P E R

Election System Security Under Scrutiny

Before Declaring Victory Determine How to Prioritize, Validate, and Measure the Actions Taken

to Remediate Threats and Vulnerabilities

Table of ContentsExecutive Overview 1

The Increased Risk of Cyber Threats 2

Understanding the Election System Ecosystem 2

The Ever-Increasing Attack Surface 3

Security Moving Forward 4

Choosing the Right Technology Partner 5

RiskSense for Election Systems 5

Summary 6

WHITE PAPER • Election System Security Under Scrutiny

WHITE PAPER • Election System Security Under Scrutiny

Executive Overview

To combat the increased risk of threats to our nation’s essential voting systems, the United States Congress recently allocated $380 million to help safeguard voting systems from cyberattacks.

States are trying to determine the right balance between securing systems that are vulnerable to hacking, and those that are most vital to a secure and trustworthy election. It’s true that internet-connected systems, such as online voter registration tools and election night reporting systems, have a greater attack surface potential. However, it’s not until an end-to-end election system assessment is done that the true priority of vulnerabilities can be determined.

This white paper will show you how to assess the security of your entire election ecosystem, including management, infrastructure, voter registration systems, poll books, vote tabulation, publishing systems, and more. We’ll take you through establishing vulnerability priorities to validating and measuring the effectiveness of remediations. Each voting district, county, borough, and state is unique and so are the ways they serve and protect the voting process. Personalized findings that outline the most likely attack scenarios, and the severity of exposure they could encounter, are one of the most effective steps state and local governments can do to safeguard these systems.

As a technologically advanced country, this will be a journey. The threat landscape continues to change, and so do the components from connected devices (IoT), databases, applications, and networks, which are used to fulfill our foundational right to vote. The scrutiny of any election system is meant to uncover issues and provide remediation priorities so governing bodies can take decisive actions to protect against cyber exposure. As more options are adopted to help address the needs of the voting public it’s critical to assess the expanding attack surface that comes with these changes before they are used as vectors to taint our national democratic faith in these systems.

WHITE PAPER • Election System Security Under Scrutiny Page 1

1 https://www.businessinsider.com/homeland-security-designates-election-infrastructure-as-critical-2017-1

From the article – “Homeland Security designates election infrastructure as ‘critical’ despite backlash from states”1 :

Citing increasingly sophisticated cyber bad actors and an election infrastructure that’s “vital to our national interests,” Homeland Security Secretary Jeh Johnson announced Friday that he’s designating U.S. election systems critical infrastructure, a move that provides more federal help for state and local governments to keep their election systems safe from tampering.

“Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law,” Johnson said in a statement.”

WHITE PAPER • Election System Security Under Scrutiny Page 2

The Increased Risk of Cyber Threats

What does that mean for voting jurisdictions? Most states and counties are still relying on complex, decentralized, and aging election infrastructure. With limited resources and varying levels of cybersecurity expertise there is a struggle to stay ahead of the increasing threat of cyberattacks. The reality is that most government entities don’t have sufficient experience or funding to adequately assess the potential exposure and ways these systems might be compromised. Congress has allocated additional funds to help with this problem. Now is the time to consider a comprehensive approach to reducing cyber risk to these critical systems.

The cyber threat is real and now pronounced with this congressional action. Those who may want to compromise

the outcome of our voting process now have proof that it is susceptible to vulnerabilities, if they haven’t already found exploits. Vulnerabilities in industries like financial services and healthcare accessing and capturing sensitive data is an ongoing concern. “Russian government-linked hackers probed election systems in at least 21 states in advance of the 2016 election, according to U.S. intelligence officials, but there’s no evidence they were able to change any votes.”² It’s clear that there is risk and that probed election systems are vulnerable. However, activity against these election systems will be timed specifically to around the voting cycle, making it even harder to learn from experience to help prioritize remediation actions, as it’s not a day-to-day concern. This increases the need to scrutinize and assess the end-to-end system before any major election cycle.

First Party – Internal Risk Nearly every election jurisdiction has its own IT infrastructure that is managed internally, where the IT team has full control of all systems. To evaluate cyber risk, organizations need the ability to accurately identify the internal attack surface and prioritize and calculate risks.

Second Party – Vendor Risk The second category of risk comes from the environments the election agency shares with the many vendors that support them before, during, and after the election process. This ecosystem includes a wide variety of voter registration system vendors, posting vendors, poll book vendors, and more. All these systems are outside the control of the voting office, greatly widening the agency’s attack surface.

Third Party – External Risk The third attack surface is external risk. This category consists of hostile third parties that wish to compromise the voting systems and negatively affect election outcomes.

2 https://www.nextgov.com/cybersecurity/2018/06/heres-how-380-million-election-security-funding-being-spent/148953/

Our nation’s voting systems are vulnerable to cyberattack. Whether the risk comes from internal system and application vulnerabilities, vendor infrastructure weaknesses, or hostile third parties, all national, state, and local election organizations are under increasing pressure to secure their voting systems to ensure the integrity of our country’s election infrastructure and outcomes.

It is essential for election organizations to clearly understand all their internal, vendor, and external attack surfaces. Addressing how an attacker would get into the voting network, potentially through the organization’s own internal systems and network, their partners’ applications and networks, or by a third-party intruder is critical to factor into your assessment. While security controls may be in place many vulnerabilities appear related to how these systems and processes interconnect and transport data.

Election jurisdiction cyber risk can be categorized into three general areas:

Understanding the Election System Ecosystem

VENDORS

WHITE PAPER • Election System Security Under Scrutiny Page 2 WHITE PAPER • Election System Security Under Scrutiny Page 3

3 http://www.ncsl.org/research/elections-and-campaigns/same-day-registration.aspx

While there are various election ecosystems, some straightforward and others more complicated, it is essential to thoroughly assess all three categories of risk. A comprehensive assessment across the networks, systems, devices, web applications, and databases must be accounted for and considered.

While traditionally the focus has been on network vulnerabilities, it’s no longer sufficient. Vulnerabilities of concern within the election voting systems are not just about network compromise but need to focus on data access, manipulation, and denial of service.

The ultimate goal for any election organization is to minimize the attack surface to reduce the likelihood of exposure to both internal and external risks. This will require expertise across the most likely attach methodologies for all the components and parties involved that are part of the voting system.

The Ever-Increasing Attack Surface

Figure 1. Election System Architecture. Source: Center for Internet Security (CIS) Handbook for Election System Security version 1.0 Feb 2018

As changes continue to accommodate ease of voting and ability to serve residents better, election officials are adopting modifications that expand the attack surface for their election voting systems.

A ‘sneaker-net’ system, having no connection between the election components, where officials manually move data from one system to another, may be safer but cannot keep up with the demands for quick insight into election night results. The move toward air-gaps and having indirect connections with physical media and removable media is better, but it’s hard to keep the ‘gaps’ entirely isolated and secure. This is a technique used with critical infrastructure like power plants and nuclear facilities, but

any cross-over from operational networks to the informational or business networks makes them vulnerable too. Connected voting ecosystems is necessary to support these trends:

Same day voter-registration – Fifteen states plus the District of Columbia make same day registration available on Election Day; this is sometimes called Election Day Registration (EDR).³

Security Moving ForwardWhile many states have requested funds from the Election Assistance Commission (EAC) as part of the 2018 HAVA Election Security Fund what they are spending it on is up to the election officials within that state.

WHITE PAPER • Election System Security Under Scrutiny Page 4

Many voting agencies have already invested significant funds in scanning their election system applications, network, and databases. Partnering with the Department of Homeland Security (DHS) and the Common Appropriations Structure (CAS), external scanning, pen testing, and internal assessments to states has been available for the last few years.

Through the Multi-State Information Sharing & Analysis Center (MS-ISAC), network security monitoring services have also been adopted. Referred to as Albert, this service is only available to the U.S. state, local, tribal, and territorial government entities. 36 of 50 states have installed Albert within their election infrastructure, according to a Department of Homeland Security official. The 14 states that do not have a sensor installed have either opted for

another solution, are planning to do so shortly or have refused the offer because of concerns about federal government overreach.5

Recently, 44 states, the District of Columbia, and numerous counties participated in a simulation that tested the ability of state and federal officials to work together to stop data breaches, disinformation and other voting-related security issues.6

For those in security and concerned about our election systems, these activities are all steps in the right direction. However, election officials are still hampered in their ability to protect the systems that are under their responsibility and have shared the following concerns:

Supporting troops overseas – West Virginians serving overseas will be the first in the country to cast federal election ballots using a smartphone app, a move designed to make voting in November’s election easier for troops living abroad.4

All these systems significantly expand the election architecture attack surface, increasing the difficulty in understanding overall cyber risk and prioritizing what needs to be done to prevent an attack.

Figure 2. The Election System Attack Surface

4 https://money.cnn.com/2018/08/06/technology/mobile-voting-west-virginia-voatz/index.html

6 https://www.reuters.com/article/us-usa-election-cyber-access/u-s-states-demand-better-access-to-secrets-about-election-cyber-threats-idUSKBN1L12JS

5 https://www.reuters.com/article/us-usa-election-cyber/more-u-s-states-deploy-technology-to-track-election-hacking-attempts-idUSKBN1L11VD

WHITE PAPER • Election System Security Under Scrutiny Page 4 WHITE PAPER • Election System Security Under Scrutiny Page 5

u They don’t have a single view to all the collected scan and penetration testing data from the various vendors they use

u The active network monitoring is an inexpensive service, but if hackers have already probed their election system networks it does little to prevent a compromise

u While breach simulation exercises are beneficial, many election officials lack the security clearance, so they cannot obtain specific government collected threat intelligence that could be critical to their voting environments

u They are not IT experts but still need a way to communicate within their governments and to their voting public how they are protecting the entire election voting systems

Choosing the Right Technology PartnerElection officials continually address the ‘next-best’ step to serve their voting population. Cybersecurity needs across the election voting systems require this same approach. What is the ‘next-best’ action that can be done for security? Like shifting politics, this critical infrastructure needs near real-time insight to the threats and vulnerabilities before, during, and after each election cycle.

RiskSense for Election Systems

RiskSense has pioneered a proactive approach to cyber risk management. RiskSense can use existing vulnerability scans and assessments and unify this data from across network, applications, databases, and IoT (Internet of Things) voting components. All these existing data feeds (whether it’s done through DHS, internal staff, or third-parties) are enumerated and given remediation priorities based on the context in which they could expose risk to the overall system. Context is derived by the criticality of the system component and referencing RiskSense AI-assisted pen testing, uncover vulnerabilities with a high-risk factor for exploitability.

RiskSense goes beyond verifying utilization of government approved components, network, and software implemented with best security practices. The solution elevates the most imminent cyber risks and helps organizations identify and prioritize personalized remediation steps to reduce cyber risk exposure. Our executive cyber profile report, much like a credit score, standardizes the way governments can easily communicate the security posture of their election voting systems. Below is an overview for non-IT focused entities that reflects the state of the end-to-end system.

Using this platform RiskSense security analysts provide focused assessment services, delivering findings as they are uncovered. IT teams can take immediate action, significantly reducing cyber risk exposure windows.

Vulnerability Discovery – Analysts initiate passive reconnais-sance, without triggering alerts on an organization’s security defenses. Vulnerability discovery is conducted using an extensive library of tools including common, off-the-shelf, open source, and RiskSense-developed tools from our industry-leading security analysts. Our analysts verify the identification of misconfigurations and vulnerabilities and take the extra step to eliminate false positives using both automated and manual efforts.

Attack Validation for Networks – Known attack techniques are time-consuming to reproduce. RiskSense has the only AI-assisted penetration testing service that expedites this process. Our discipline for attack surface testing led to the creation and sharing of open-source code to the security community that rapidly replicates sophisticated post-exploitation techniques. Using these tools allows RiskSense to focus on the sophisticated attack vectors that may be present within the election voting system.

Attack Validation for Web Applications – RiskSense delivers an in-depth understanding of how an attack can change data inside of a web application. Using a proprietary framework to discover multiple attack vectors, testing includes passing of data inputs to user, network, and application programmable interfaces (API). Our security analysts uncover areas in the web application infrastructure and code that are critical for the security and protection of the election voting system.

WHITE PAPER • Election System Security Under Scrutiny Page 6

SummaryWe’re all aware of the pervasive media attention around election systems and security. However, most election organizations simply don’t have enough security experts that can provide the scrutiny of these systems and prioritize the next-best actions to reduce cyber exposure. As election officials look at their options and begin to address changes within their election voting systems, a more proactive approach is recommended. While the federal government is beginning to help with funds and monitoring programs, one of the best steps to take is setting priorities for remediating existing vulnerabilities and potential for exploitable compromise.

Governments and election officials should not hesitate to demand:

u A single view across all of their voting system components and their scan and assessment data, accommodating network, web applications, databases, and connected devices

u Easy to view priorities with remediation recommendation details for best next steps to secure their systems

u Automatic correlation with up to date threat intelligence with access to the highest quality across traditional- and specialty-focused intelligence sources

u Cyber risk profile reports that are easy to understand and help to validate vulnerabilities and risk assessments

Attack Validation for IoT Systems – Going beyond the penetration testing on IoT devices, or connected voting components, RiskSense thoroughly reviews the code, environments, and processes used from end-to-end. Our security experts have the

deepest knowledge and experience with IoT and voting systems. They assess these systems and the interconnected networks, vendor management, programmable interfaces, and protocols that are used.

Figure 3. The RiskSense Methodology

WHITE PAPER • Election System Security Under Scrutiny Page 6 WHITE PAPER • Election System Security Under Scrutiny Page 7

About RiskSenseRiskSense is disrupting the cyber risk market with a Software-as-a-Service based platform that uses domain expertise and data in ways that are beyond human cognition to correlate yourvulnerability data with threat intelligence and business impact to measure risk, provide early warning of weaponization, predictattacks and prioritize remediation. We are empowering our customers to reduce vulnerability fatigue, improve efficiency and quantify risk based on diagnostic and operational data.

The RiskSense platform embodies the expertise and intimateknowledge gained from real world experience in defending critical networks from the world’s most dangerous cyber adversaries.

As part of a team that collaborated with the U.S. Department of Defense and U.S. Intelligence Community, RiskSense foundersdeveloped Computational Analysis of Cyber Terrorism againstthe U.S. (CACTUS), Support Vectors Intrusion Detection, Behavior Risk Analysis of Vicious Executables (BRAVE), and the Strike Team Program. By leveraging RiskSense cyber risk management solutions, organizations can significantly shorten time-to-remediation, increase operational efficiency, strengthen their security programs, improve cyber hygiene, heighten response readiness, reduce costs, and ultimately minimize cyber risks. For more information, please visit www.risksense.com or follow us on Twitter at @RiskSense.

Contact Us Today to Learn More About RiskSenseRiskSense, Inc. | +1 844.234.RISK | +1 505.217.9422 | info@RiskSense.com© 2018 RiskSense, Inc. All rights reserved. RiskSense and the RiskSense logo are registered trademarks of RiskSense, Inc. WhitePaper_ElectionSystem_8282018

READ OUR BLOGSCHEDULE A DEMOCONTACT US

Before Declaring Victory Determine How to Prioritize, Validate, and Measure the Actions Taken to Remediate Threats and Vulnerabilities