In a recent episode of Security Nation, Rapid7 welcomed Jack Cable, a junior at Stanford University and employee of the U.S. Cybersecurity and Infrastructure Security Agency, to discuss the importance of ensuring election security beyond just voting machines. Read on as he shares how to fight disinformation and bring more security research to bear on uncovering vulnerabilities in election systems.
What does election security actually look like?
While vulnerability disclosure policies are now standard across most industries, that has not historically been the case for election systems. Jack has been working with several states and election companies to establish their own vulnerability disclosure policies.
In the past, election vendors have been reluctant to play in the same space as everyone else in information and cybersecurity, but they may be turning the corner now. As election companies strive to do better and achieve more productive outcomes, they have begun to look beyond voting machines and view security more holistically, including vote tabulation, voter registration database management, and vulnerability disclosure policies.
Vulnerabilities beyond voting machines
Jack explains that when it comes to elections, divisions don’t just exist between political platforms, but also between election companies, election officials, and security researchers. A lot of the time, when you see election security being reported on publicly, it focuses on voting machines. While it is obviously a concern if the voting machine is vulnerable, Jack says you do have to consider how widely deployed it is. What vendors seem to be missing is an accurate representation of risk. A vulnerability disclosure policy is an effective way to identify, disclose, and manage risk across a spectrum of election technology.
Stop, collaborate, and listen
Jack’s advice for election security organizations is to get comfortable interacting with external researchers, triaging bugs, and fixing bugs. The next step is actually providing equipment to researchers, since researchers with access to real hardware can discover far more vulnerabilities than they could working alone on whatever machine they happen to obtain. Documentation and other technical details also help researchers investigate vulnerabilities. Rather than having vendors and researchers fight over vulnerabilities, the goal is alignment instead of division, so we can rest easier knowing collaborative work is happening to secure these election systems.
What to do if you find a bug in a voting machine ahead of the election?
All of this does lead to the important question of what to do if you find a bug in an election system or voting machine ahead of the election. Should you post it on Twitter?
Jack warns that this may not be the best approach, particularly a month before the election. Election security as a whole is bigger than just machine bugs or vulnerabilities, and it’s important to keep people confident in the election and participating in the entire system.
As for the bug, Jack suggests disclosing it to the vendor and giving them at least 90 days before talking publicly about it (or at least until after the election). Election security has a major impact on public confidence, and anything that is disclosed and misrepresented could discourage people from participating in the election and believing in its results.
Any last words?
Vote—and above all else, maintain the confidence to vote and to be involved. Jack and others will be there ensuring the security systems are safe. As we wrapped up our discussion, Jack said the most important safeguard against adversaries is to keep confident in the election process by voting, encouraging other people to vote, and participating in the process, if you’re healthy enough to do so. And, if you find a bug, don’t post it to Twitter—just tell Jack, and he’ll deal with it for you.