“While recognizing the challenges and commitments is great, it does not change the reality. Many states are still as of now waiting to have their election resources screened.”
With the upcoming 2018 national elections on the horizon, state and local governments are beginning to take a more serious look at their voting infrastructure. Unfortunately, while federal agencies have organized programs to assist state-level authorities to secure their systems, the implementation of these programs seems to be running less than smoothly.
Recently, US media reported that states rushing to take advantage of a Department of Homeland Security (DHS) security screening are being put on a nine-month waiting list. If the process isn’t hastened, this will mean many states will not be put through the screening until weeks before the elections scheduled for November of next year. If significant vulnerabilities are discovered, it is doubtful whether state authorities will be able to clean house in time to conduct their elections securely.
A bit of context to help appreciate where the country stands:
One of the services DHS offers to states is their Risk and Vulnerability Assessment (RVA), the mother of all system penetration tests. It is important to appreciate how valuable this service is. It is the norm in the private industry to pay cybersecurity companies exorbitant sums to conduct such tests. The RVA has been around since 2015 as part of a broader National Cybersecurity Assessment and Technical Services (NCATS) program. NCATS also tests general “cyber hygiene” and is offered to private companies within the critical infrastructure industry, in addition to governmental bodies.
The RVA puts companies through the full array of exploitation tests. Government analysts scan the target’s operating systems, databases, and online applications for known vulnerabilities, and then test to see if any of the weaknesses found can be used to successfully compromise the target’s systems.
It never crossed the minds of most in the community that social media platforms such as Facebook and Twitter would be utilized to undermine the American democratic process.
Program participants also receive scans for rogue wireless devices attached to their networks—an important asset as the Internet of Things (IoT) grows and the body of off-site workers in the government and private sector grows. Employees are tested as well for their security competence. Analysts launch “social engineering” attempts like phishing scams to determine how workers respond to these targeted attacks.
The demand for these government-administered tests has spiked in the past several months. Awareness of the very real threat of hackers targeting voting infrastructure began to spread after the 2016 presidential election. Washington is in a way now playing catch-up to address vulnerabilities to the election grid following these realizations.
In an extremely revealing recent interview with Politico, former deputy director of CIA Michael Morell explained how the Russian meddling in the last presidential election was a US “intelligence failure.” Morell attributed this to a “lack of imagination” stemming from the drastic post-9/11 shift of the intelligence community, focusing on countering jihadist and other terrorism-related threats. Funding and manpower was shifted away from other threats. It never crossed the minds of most in the community that social media platforms such as Facebook and Twitter would be utilized to undermine the American democratic process.
Morell’s statements echoed those of Attorney General Jeff Sessions during a Senate Judiciary Committee hearing in October. During the course of the questioning, Sessions told Congress plainly that “we’re not […] doing enough” to block hackers from meddling in the 2018 elections, and that the threat to election infrastructure is “so complex” that many federal institutions are “not able to fully grasp the technical dangers that are out there.”
To the administration’s credit, it has recognized the problem. At least in words, it has committed to taking action to bolster targets susceptible to cyber attacks by foreign actors like Russia. The president himself strongly emphasized the need to eliminate the risk to cyber infrastructure in a national security document recently published by the White House.
As the work of DHS progresses, time will likely tell just how exposed American electoral systems are and the gaps that need to be filled.
While recognizing the challenges and commitments is great, it does not change the reality. Many states are still as of now waiting to have their election resources screened. As evidence of hackers probing state election infrastructure has been piling up for over a year, these screenings are not merely a safety precaution, they are a necessity.
“The reason there’s a waitlist is because a lot of states want it done because they do it at no cost,” explained Marian Schneider, a former election official for the state of Pennsylvania. “To have that backlog is a problem, but it’s a good thing states are wanting the service.” The question is, how long will states wait in line for a federal freebie before taking action into their own hands?
If DHS turns up serious vulnerabilities in any upcoming assessments, it could push states to administer their own tests privately rather than bide their time. The discovery of serious risks to electoral grids may even prompt the federal government to quickly organize more resources to implement screenings.
As the work of DHS progresses, time will likely tell just how exposed American electoral systems are and the gaps that need to be filled.