An elections security progress report: Black Hat edition

David Strom 12 Aug 2020

Exploring the latest findings on election security and interference around the world

Twelve Tuesdays from today, the US national elections will take place, and infosec professionals are doing their best to adapt to changing circumstances brought on by both the pandemic and the tense cyber-politics surrounding them.

More states are expanding mail-in voting and planning the necessary infrastructure to distribute and process paper ballots. State elections officials are also deploying better security measures, banding together to form the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC). Membership in the information sharing and analysis center has grown considerably since the 2018 election(see timeline chart below).

Credit: Christopher Krebs, CISA

As you might expect, the election was a core topic at the virtual Black Hat and DEFCON voting village conferences held in early August. It has become a core feature of “hacker summer camp” to share the latest in election security from the perspective of the professionals doing the work. We will weave in some of the presentations and unpack some of the research behind Congresswoman Jackie Speier’s statement that “What Russia did in 2016 was an act of cyber warfare and shows why a paper trail is essential.” Speier, who represents much of Silicon Valley, gave a keynote at the event. 

But before we dig into this year’s findings on election interference around the world, let’s review what is going on with election security since we last covered the topic during the March primaries. There have been numerous events in the past week that have brought new context to the intersection of technology and our elections. First and foremost is this story in the New York Times which describes the conflicts in the current administration between the President and the intelligence agencies over Russian influence. Then, over the weekend, we saw during the Belarus election a deliberate attempt to turn off connectivity during their national elections. 

Better security tools deployed for 2020

But before we talk about Russia’s role, it is worth highlighting the ongoing efforts to boost IT security at the local and state elections boards. The best place to see their progress is with what has become available with the EI-ISAC. This is a mammoth undertaking, especially since many of the common IT security tools haven’t been used before by the election boards. Two consultants that have been active in the group gave one of the Black Hat presentations called “Building a Vulnerability Disclosure Program that Works for Election Vendors and Hackers.” The presenters were Chris Wlaschin, the CISO at voting machine vendor Election Systems & Software, and Mark Kuhr, the CTO and co-founder of pen-testing firm Synack. The latter firm offers this service to election staff for free as part of its efforts. Colorado elections officials have been one of the first states to harden their systems using the Synack tools.

The two vendors are also testing a new digital pollbook version (which is used to authenticate voters at the local polling places) and have also developed mechanisms for security researchers to timely share vulnerability disclosures with state election officials, such as a Citrix NetScaler bug that was discovered earlier this year. “We owe it to the general public to be more proactive and do a better job,” says Kuhr.

In addition to this are endpoint detection and response tools, helped along by a $2.2M pilot program from Homeland Security that will deploy them across most of the state elections offices. However, fewer than 100 (out of thousands) of local election offices will be deployed by November.

And even the US State Department is putting some skin into the game. They have created a bug bounty purse of up to $10M for any information leading to the identification of any person who works with or for a foreign government for the purpose of interfering with US elections through illegal cyber activities. This includes attacks against US election officials, US election infrastructure, voting machines, but also candidates and their staff.

Election interference

That brings up the allegations of Russian election interference, which also was covered during several Black Hat sessions. During his talk on “Stress-Testing Democracy”, Matt Blaze, a professor of Computer Science and Law at Georgetown University, spoke about some of the recent history of election interference. He started out by saying that “public confidence in the election outcomes depends partly on public confidence in the mechanisms used in these elections. Before 2016, we never really considered foreign state adversaries being involved in our elections, where they wanted to cast doubt on the outcome’s legitimacy or otherwise disrupt the vote.”  

Blaze’s talk lays out a historical perspective of voting technology failures, including the 2000 presidential election and the “hanging chad” problems with counting the Florida ballots. As the New York Times mentioned in a June story, “While Russian hackers stopped short of manipulating voter data in 2016, American officials determined the effort was likely a dry run for future interference”.

If you’re interested in really understanding the role the Russians played in election interference, there is yet another Black Hat talk entitled “Hacking the Vote”, which was given by Nate Beach-Westmoreland at Booz Allen Hamilton. He was one of the contributors to this March report that analyzed the Russian GRU (military intelligence) activities. His talk covered how they disrupted the elections of 2014 in Ukraine, 2015 in Bulgaria, 2016 in both Montenegro and US, and 2017 in France. These included spreading false election results, using DDOS attacks on various political and news websites. He shows that Russian interference in US elections isn’t new, and dates back to when the KGB tried to discredit Henry Jackson’s 1976 presidential bid by manufacturing damaging documents.

Beach-Westmoreland suggests how different GRU tactics could be brought to bear in future instances of election interference and recommends that election officials look at the role they play in delivering their services and ways that the Russians could disrupt these. “It is much easier to confirm something that people already suspect than to introduce new narratives. Election interference isn’t just about changing outcomes,” he says.

Another Black Hat speaker concurs with this position. In her talk, “Hacking Public Opinion”, Renee DiResta of Stanford Internet Observatory lays out specifics about how the Russians operated.

Credit: Renee DiResta

“State actors created fake journalist accounts and misled the public with fake media properties. The Russians try to exploit our existing social fissures,” as she calls them, to divide viewers to more strongly held points of view on both the right and the left, which she calls narrative laundering. “Their goal was to undermine confidence in legitimate elections.”

We need more paper ballots

One of those quoted in the aforementioned New York Times piece was Christopher Krebs, who leads the Homeland Security department’s Cybersecurity and Infrastructure Security Agency and who also spoke at Black Hat on election security. He reviews the 2016 situation, where the Russians targeted all 50 states but didn’t electronically alter any of the recorded votes. “In 2016 we didn’t understand the elections systems that were installed,” he mentioned during his talk. “But now we are in far better shape, with more vibrant elections’ security and better visibility into the various security measures.”

Jody Westby is the CEO of Global Cyber Risk and disputes that claim in her DEFCON talk. She said that electronic voting machines that were in use in 2005 are still going to be used in the 2020 election, and have known vulnerabilities that still haven’t been fixed 15 years later.

Ironically, one of the best strategies is to work towards eliminating all-electronic (or direct recording) voting machines and shift towards hybrid machines that create a paper record, as Congresswoman Speier suggested during her talk. New Jersey is one state which has mostly electronic machines and is moving towards more mail-in balloting as a way around the issue. “The goal is being able to conduct meaningful post-election audits, and you need a paper record for that.” Krebs claims that by November, more than 90% of votes will be cast with paper backups, which is up from 80% of the votes cast in 2016. “There is reason for optimism with this trend,” says Blaze.

Also worth mentioning is the current situation in Belarus, in which commission members have been filmed climbing out of polling station windows with bags full of votes for the opposition candidate and thus rigging the system. This again emphasizes the need for a combination of digital and paper ballots, which would support both accuracy and security in voting.

But since the pandemic, the in-person vote (on paper or not) has changed significantly, and now absentee/mail-in ballots are an issue. Every state has a voting policy of one of three variations:

  • Some states (Oregon, Montana, Hawaii, Colorado, Utah, Washington and Nevada) mail out ballots to every registered voter. They can be returned by mail, or in person.
  • Some states have a practice called no excuse absentee voting, meaning that any voter can request an absentee ballot and vote that way. In my home state of Missouri, seniors are allowed to vote this way.
  • In the remainder of states, a voter will have to obtain a notarized application where you have to state that you aren’t going to be physically present for the November vote.

We expect this to be a hot topic of political debate before and possibly after election day. 

Where to go from here

Here are a few takeaways from the conference speakers that IT folks should take to heart. First, DiResta mentions that the Russian hackers show how the threat of harming business reputations could be even greater than elections, using their same techniques and methods. “But it can be hard to figure out who within the corporation should have the responsibility for your brand.” She recommends companies deploy more red teams and be proactive in figuring out what kinds of data manipulation is possible by potential adversaries. 

Blaze reviews the advances in mail-in ballots and asks “Is absentee/mail-in voting scalable in an emergency? It is more a question of logistics and deploying resources. It is a very labor-intensive process, with multiple checks and balances, and even more so for exception handling of the ballots.” He issues a call to arms for the computer community and says that help is going to be needed by local election officials. 

Finally, Westby in her DEFCON talk suggests that voting machine vendors (there are now three major ones that have most of the market share) need to be more cooperative with infosec researchers and more transparent with the public on vulnerabilities. She also would like to see the National Institutes of Science and Technology to establish cyber elections standards and certify them for all parties. 

Related articles

--> -->