16 July 2018

Crowdsourced Security, Secretaries of State, and a Little Bourbon


Synack at the National Association of Secretaries of State (NASS) conferencePhiladelphia is a city known for being the first capital of the United States. It’s where Thomas Jefferson, James Madison, George Washington, and our founding fathers convened the Continental Congress and signed the Constitution in 1787. Without Philly, we would not be the symbol of democracy and freedom we are today.

It’s only fitting that Philadelphia would be a host to the National Association of Secretaries of State (NASS) conference, where Secretaries of State come together to exchange best practices. The Loews Hotel, which was originally home to the Philadelphia Savings Fund Society (the first savings bank in the United States) played host along with their five star restaurant, Bank & Bourbon, which was a bit hit with secretaries and staff alike. NASS is an association that represents all Secretaries of State, from Vermont to California.

Synack was invited to attend along with Microsoft, Amazon, and other technology vendors to meet with Secretaries of State as part of our pro bono initiative, Secure the Election. While at the conference, we spoke with a number of Secretaries of State about the best way forward for American election security. This is an age-old issue with a history of election fraud and security issues detailed in a book by Joseph P. Harris, PhD, in 1934. We attended some thought- provoking sessions, including a lunch address from Department of Homeland Security Secretary Nielsen and a session entitled “Election Cybersecurity Shared Practices.” For us, Homeland Security Secretary Nielsen’s words rang true: “Don’t underestimate our adversaries. They learn and get better day to day. “

Generalized elections systems architectureSource: “A Handbook for Elections Infrastructure Security” (CIS)

The lunch address by DHS Secretary Nielsen provided a unifying response to election security by emphasizing that “successful or unsuccessful attempts to hack into elections are an attack on American democracy.” If Americans can’t trust the outcome of elections then what can we trust? Secretary Nielsen also pointed out that “election security is a vital national security issue.” Since DHS dubbed election infrastructure as critical infrastructure and part of the Government Facilities sector last year, Department of Homeland Security has provided strong support in part through a $400 million funding bill that aims to help states update their security and keep American elections secure.

Another panel provided a state perspective on best practices for keeping voters and elections secure. Secretary Kim Wyman from Washington State provided valuable insight on how to use the National Guard’s cybersecurity forces and security training for state employees to keep security up to date. Colorado and Vermont have also been a pioneers on election security having introduced two-factor authentication among other state level initiatives. In Vermont, two-factor is used by local election officials, who could be a weak link from a security perspective. Sue Friedberg, who heads up the Cybersecurity & Data Protection Group, a cybersecurity arm at Buchanan Ingersoll & Rooney PC, added that, “People who built systems aren’t the best to evaluate them. The IT department are not the best ones to find the vulnerabilities.” We couldn’t agree more. In the words of our Co-Founder and CEO, Jay Kaplan: “Having developers test their own systems is like grading your own test.” Getting a third party, adversarial perspective is critical to getting a realistic assessment of your security risk.

Finally, one of the most talked about initiatives in election security came from the Center for Internet Security (CIS), a non-profit, which published an Election Security Handbook to help guide the States in best practices for securing their elections earlier this year. Among the key lessons learned from their handbook was the importance of risk assessments: “Unfortunately, many election officials do not have the expertise or resources to conduct an adequate risk assessment. The ability to efficiently and effectively execute a risk assessment is further reduced by the difficulty in objectively assessing evolving threats, as well as the complexity of the elections processes and systems.”

Synack was honored to be invited to NASS and looks forward to continuing to educate, engage, and support states’ election security initiatives through crowdsourced security. We take the following lessons from our conversations with secretaries of state at NASS:

  1. Election security is a bipartisan issue that states are facing – it’s not a federal, partisan issue. The adversary wins if they damage voter confidence in the American democratic process creating confusion and what Secretary Nielsen characterized as “mischaracterized, misunderstood, and false information.” Re-instilling this confidence among voters requires a united effort at all levels of government and between the public and private sectors.
  2. We need better ways to assess election security risk and the secretaries are open to new approaches that provide efficiency, control, and ROI. We need to think more like an adversary to get ahead of the adversaries. Crowdsourced security with the right controls in place is a potential solution. It helps states address their security vulnerabilities and assists with the remediation process to help solve the problem through 72-hour patch verification.
  3. A proactive, offensive approach to finding vulnerabilities is critical to assessing security risk. If you don’t look for vulnerabilities, you won’t find them. Historically, we have not incentivized a rigorous hunt for vulnerabilities in our election systems. For example, The Election Assistance Commission has a national voting system certification program to independently verify that a voting system meets security requirements, among other things. However, testing for this certification is optional. States can set their own standards for voting systems. The only requirement is that voting systems meet Section 301(a) of the Help America Vote Act, which is focused on voter functionality (i.e. a voter can view his/her vote on the system, can verify, etc.). We need to raise the bar of our security testing. And although in the past, less than 7% of states are able to conduct third party penetration testing annually (2016 Deloitte-NASCIO Cybersecurity Study), Russia’s 2016 attacks on the election have actually helped us focus in on the issue – now states like Delaware and Missouri are committing to more rigorous, hacker-powered penetration testing.