A cyber security threat assessment of our national election infrastructure would identify three broad components as requiring protection against nation-state meddling: On-line political messaging (targeted by Twitter bots), campaign support systems (targeted by traditional hacks such as phishing), and voting infrastructure (targeted by hackers removing ROM chips from Diebold machines). These are the components.
A cyber security architectural assessment would then identify three corresponding programs to protect these components: National digital risk monitoring (which large companies use to protect their brand), national cyber defense for campaigns (which should mirror Secret Service detail for viable candidates), and decentralized voting operations (which must continue to prevent cascading threats).
Let’s start with national digital risk monitoring: Large companies now either employ expert staff or hire vendors to monitor their brand, domains, and resources for real-time evidence of misuse on the Internet. Special investigative tools are used to pore through social media, on-line services, and email on a 24/7/365 basis. The overarching goal is to identify cases such as some jerk spoofing your domain to post garbage onto sites like indeed.com.
Behind the scenes of such services are trained cyber experts who interpret collected information, identify unacceptable postings or social media usage, and then work with the principals to mitigate the incident. Our nation needs just such a team of experts, perhaps in a virtual SOC, to do this for our national election systems on an impartial, bipartisan basis. They can cooperate with social media owners to locate and mark obvious junk postings from bots.
An additional benefit is that the Turing tests and content filters used by social media companies such as Twitter would benefit from this national digital risk monitoring. Even the best machine learning tools enjoy some level of human assistance, so their bot detection algorithms would be improved by the security analytics performed by our national digital risk monitoring team. (Just writing about this makes me want to work there.)
Let’s move on to campaign support systems: Everyone knows that the size of political party staff swells before elections and then deflates afterward. The result is a pseudo-professional IT and network set-up that results in less-than-optimal security support for campaigns. We all cringed at Mr. Podesta’s handling of emails, and we all cringed further at the poor incident response processes in place at the DNC. It was a disgrace.
What is needed now can be derived from something we already have: That is, when a candidate is approved for Secret Service detail, their campaign’s entire IT and network operation should be forklifted into a protected enclave run by experts with NSA heritage. Campaign iPhones should be smashed, existing systems burned, and office space boarded up. Each campaign’s IT systems should be rebuilt in a SCIF-like system operated by experts.
This is not a tough thing to do, by the way. For example, the IC figured out long ago how to do cloud computing; they just do it in a classified playground. The idea that our national campaigns would become temporary tenants in a super-high assurance, intensely-monitored computing environment is no more jarring than starting your first day as an employee at Ft. Meade. You get new stuff and you learn new procedures. You adjust. It’s no big deal.
Now, some might say that massive insider leaks would come from such a network. Well, here is how a professional CISO would respond: The best way to prevent leaks, any CISO would tell you, is to follow a code of conduct that involves never typing anything stupid or mean or ridiculous ever. Every CISO on the planet – and I mean every CISO on the planet – tells their executives (and I quote): “Never put anything in email that you wouldn’t want to see on the front page of the New York Times.”
Finally, let’s consider voting infrastructure: As a computer security expert, I can vouch for the fact that machines from companies like Diebold can be hacked. Avi Rubin from Johns Hopkins University, for example, could probably show you a hacking demo of an ES&S or Sequoia that would make your toes curl. So, if we expect to connect all of these insecure devices into one, large national electronic voting network, then good luck with the security of that monster.
Instead, we must reaffirm the distributed power of local, regional election systems. Sure, we can debate whether home voting is better than election places, or whether better identification is required for our citizens. But these are non-cascading problems. Issues in one neighborhood, for example, cannot electronically spill over into another neighborhood, or city, or state. Distributed local voting is a good idea from a cyber security perspective.
In case you remain unconvinced, I had the wonderful pleasure to interview both Whit Diffie and Ron Rivest – the Henry Ford and Thomas Edison of cryptography – on what they thought of using, for our elections, the high assurance PKI-based protocols and systems that they invented. Both men answered unequivocally that we would be better off using paper. Now, I think you will agree that if these guys don’t trust national networks for voting, then we shouldn’t either.
A professional cyber security operations manager would certainly ask what sort of budget would be required for these three programs. In the context of what we’ve spent as a nation dealing with the aftermath of reported attacks during our last election, these three initiatives would be super-inexpensive bargains, probably totaling about 200 million dollars per year. That’s about half of what we spend on Big Bird. We should set aside the money and do this now.
By the way, the true litmus test is how our adversaries would respond to such a three-pronged program of national election cyber defense. I expect that they would shrug and say that anything can be hacked, and they would brag that they can breach any network, including one run by NSA-types. But let’s face it: When the cameras are turned off, and our adversaries retire to their private quarters to contemplate what we are doing, they would be pissed.
And that is precisely what we should hope for as we plan a system of cyber defenses for our future national election infrastructure.