Builders and Breakers: Partnering for Secure Elections

caseyjohnellis -

Moderator: Scott Algeier, IT-ISAC
Panelists: Casey Ellis, Bugcrowd, Chloé Messdaghi, HiddenLayer, Jennifer Morrell, The Elections Group

In September 2023, the IT-ISAC Elections Industry SIG launched a first-of-its kind pilot program in which election technology providers gave security researchers access to modern voting technology under the principles of Coordinated Vulnerability Disclosure. This panel discussion with members of the independent Advisory Board that governed the pilot will explore lessons learned and next steps.

SUMMARY

At RSA Conference, Scott Algeier led a panel featuring Casey Ellis, Chloe Messdaghi, and Jennifer Morrell discussing coordinated vulnerability disclosure programs for election security.

IDEAS

  • Collaborative events can transform mistrust between researchers and election tech providers into meaningful trust rapidly.
  • Security researchers volunteering their expertise significantly improves the overall resilience of critical democratic election infrastructure.
  • Election equipment tested was prototype hardware and software, avoiding vulnerability impacts on current live election systems.
  • Educating security researchers about election infrastructure dramatically improved their understanding and effectiveness during vulnerability testing events.
  • Bug bounty platforms like Bugcrowd function as dating sites matching vulnerabilities to skilled hackers for fixing purposes.
  • The event included competitors collaborating openly, highlighting the possibility of cooperative improvement in cybersecurity across industries.
  • Many vulnerabilities discovered were low-risk, reinforcing the high security standards already in place for voting equipment tested.
  • Researchers explored insider threat scenarios by requesting administrative access, pushing beyond usual compensating controls considered sufficient.
  • Voting equipment security research has been ongoing for decades, yet formal collaborative events are relatively recent in their establishment.
  • DEF CON's Voting Village inspired deeper collaboration between hackers and election technology providers by demonstrating successful models.
  • Election Assistance Commission (EAC) certification requirements delay implementing quick vulnerability patches, requiring thoughtful policy reconsideration for efficiency.
  • The highly sensitive and politically charged nature of election cybersecurity requires careful communication strategies to avoid misinformation and exploitation.
  • Election security should ideally be a continuously addressed concern rather than periodically becoming prioritized only when elections approach.
  • Election security involves not just hardware and software, but also how election offices deploy and manage systems in practice.
  • Hardware vulnerabilities typically require physical access, limiting their scalability as threats compared to remotely exploitable software vulnerabilities.
  • The election industry presents unique challenges for vulnerability disclosure due to its continuous election cycles and strict recertification processes.
  • Vulnerability disclosure transparency helps mitigate misinformation by clearly communicating issues and their actual risks versus imagined dangers.
  • Expanding coordinated vulnerability disclosure programs globally is essential, given that 70% of countries will hold elections within a year.
  • Ensuring security researchers are compensated fairly is vital for sustaining ongoing productive cybersecurity research engagements in elections.
  • Chalkboard and paper ballot methods are not necessarily more secure or accurate, as human error in repetitive tasks is substantial.
  • Normalizing vulnerability disclosures reduces stigma and misunderstanding, promoting healthier cybersecurity practices across industries, including sensitive ones.
  • Election cybersecurity is inherently political, making neutrality challenging but essential for unbiased, credible security research and disclosure practices.
  • Vulnerabilities do not automatically imply exploitation; operational controls and audits play critical roles in election security resilience strategies.
  • Vulnerabilities found in election equipment were fewer than anticipated, indicating significant progress in the security efforts of technology manufacturers.
  • Engaging a broader array of stakeholders such as media, legislators, and national agencies is key for socializing election security improvements widely.

INSIGHTS

  • Trust building between election technology providers and security researchers significantly enhances election cybersecurity and democratic resilience.
  • Effective cybersecurity for election infrastructure demands both strong technical solutions and transparent, collaborative communication strategies.
  • Continuous rather than episodic cybersecurity efforts are necessary for sustained improvements in election security and public confidence.
  • Coordinated vulnerability disclosure programs require thoughtful policy adjustments to overcome certification delays that hinder timely vulnerability remediation.
  • Compensating controls and operational resilience measures are as critical as technical fixes for managing election system cybersecurity effectively.
  • Transparency in vulnerability disclosures mitigates misinformation threats by clearly communicating real risks and the security measures undertaken.
  • Involving diverse stakeholders, including competitors, policymakers, and media, amplifies trust and broadens support for election cybersecurity initiatives.
  • Election cybersecurity efforts must balance rigorous vulnerability testing with practical operational constraints such as constant election cycles and certifications.
  • Globally standardized cybersecurity practices for election infrastructure are essential, given widespread upcoming elections and interconnected democratic vulnerabilities.
  • Recognizing and fairly compensating security researchers' contributions is fundamental to sustaining their critical role in safeguarding election systems.

QUOTES

  • "Security research on election systems is happening whether we invite it or not." – Casey Ellis
  • "Kumbayas exist...on an issue that has a lot of tension." – Chloe Messdaghi
  • "Humans also are really bad actually at tedious repetitive tasks and doing math." – Jennifer Morrell
  • "Vulnerability doesn't mean exploitation." – Jennifer Morrell
  • "The hacker community...is just universally misunderstood." – Casey Ellis
  • "The democratic process has two challenges...computers have vulnerabilities...and it has a trust issue." – Casey Ellis
  • "It's incredibly important, it's to first build trust." – Chloe Messdaghi
  • "We didn't start that or create this process...security research on election systems has been going on for decades." – Casey Ellis
  • "We actually maybe have something we can learn from them." – Jennifer Morrell
  • "This was probably the hardest thing I had to try to hack into." – Anonymous security researcher
  • "Security research that's going on...I'm gonna publish this in the interest of public safety." – Casey Ellis
  • "By the end of one day they expanded that scope significantly." – Chloe Messdaghi
  • "Election security as a subject always boils up...then it goes quiet for two years." – Casey Ellis
  • "Is it better to know about a vulnerability...or is it better to not know?" – Scott Algeier
  • "If there's problems here, they're gonna trickle downstream to my home country." – Casey Ellis
  • "Working with that phenomena and actually deciding to partner with it...that's to me really what we're trying to do here." – Casey Ellis
  • "We did something really important for democracy." – Chloe Messdaghi
  • "Our role in that is ultimately as translator." – Casey Ellis
  • "Election officials...I think they're doing a bang-up job." – Jennifer Morrell
  • "You could literally watch the creation of trust...play out over those three days." – Casey Ellis

HABITS

  • Prioritizing trust-building when working across potentially adversarial groups to achieve shared cybersecurity goals rapidly.
  • Carefully selecting participants to ensure productive, respectful dialogue in sensitive cybersecurity discussions and collaborative events.
  • Using "101" style educational sessions to quickly onboard participants and align their understanding before collaborative activities.
  • Expanding research scope progressively as trust and confidence build between stakeholders during cybersecurity events or engagements.
  • Encouraging transparency by clearly communicating vulnerability findings and risks to prevent misinformation and enhance public trust.
  • Hosting open dialogue sessions to continuously improve cybersecurity practices and engagement among diverse stakeholders and competitors.
  • Using thoughtful, gentle persistence to overcome initial resistance to cybersecurity collaboration and disclosure efforts over time.
  • Encouraging election professionals and cybersecurity experts to volunteer or work at polling places to build public trust.
  • Regularly revisiting and updating operational controls and audits to ensure their continued effectiveness in mitigating cybersecurity risks.
  • Incorporating threat modeling exercises using security researchers' adversarial perspectives to proactively identify potential cybersecurity weaknesses.
  • Clearly communicating the difference between vulnerabilities and exploitation to prevent unnecessary panic and misinformation among stakeholders.
  • Collaborating with diverse stakeholders, including media, legislators, and national agencies, to widely socialize cybersecurity efforts and improvements.
  • Prioritizing continuous, rather than episodic, cybersecurity efforts to sustainably improve systems and public confidence over time.
  • Ensuring fair compensation for cybersecurity researchers to sustain their engagement and productivity in critical cybersecurity efforts.
  • Advocating for policy adjustments to streamline certification processes, enabling quicker implementation of cybersecurity improvements and vulnerability fixes.

FACTS

  • Voting equipment tested was prototype hardware/software, not yet deployed in any live elections nationwide.
  • Coordinated vulnerability disclosure programs in election infrastructure took five years to establish formally and collaboratively.
  • Most vulnerabilities discovered during testing were categorized as low-risk, demonstrating significant security resilience in tested equipment.
  • The Election Assistance Commission (EAC) sets certification standards, which many states require before voting equipment deployment.
  • Human error in repetitive tasks, such as manual ballot counting, significantly impacts election accuracy and reliability.
  • Election security research has been ongoing for decades, despite formal coordinated programs being relatively recent developments.
  • DEF CON's Voting Village inspired closer cybersecurity collaboration between researchers and election technology providers.
  • Approximately 70% of the world will hold elections within the next year, making global election cybersecurity critical.
  • Operational and compensating controls in election systems significantly mitigate potential exploitation of discovered vulnerabilities.
  • Election cybersecurity is inherently political, complicating neutral and unbiased vulnerability disclosure and research processes.

REFERENCES

  • DEF CON Voting Village
  • Biohacking Village at DEF CON
  • Disclose.io
  • Bugcrowd
  • HackerOne
  • IT-ISAC Elections Industry SIG
  • Election Assistance Commission (EAC)

ONE-SENTENCE TAKEAWAY

Collaborative vulnerability disclosure builds essential trust, significantly improving cybersecurity resilience in critical democratic election infrastructure globally.

RECOMMENDATIONS

  • Educate security researchers thoroughly about election infrastructure to improve effectiveness during cybersecurity vulnerability testing events.
  • Expand cybersecurity vulnerability disclosure programs globally, given widespread upcoming elections and interconnected democratic cybersecurity threats worldwide.