06 November 2018

Securing Democracy in an Age of Digital Vulnerability


Today, millions of Americans will cast their votes in support of candidates who they hope will represent them and lead their cities, their counties, and their states for the next political term. Today, because of democracy, the people will speak and be heard, power that has been held will be given up freely, and opposing parties will exchange their positions peacefully.

But we also live in an age of digital vulnerability, so we wonder, given the hacks of the US presidential election, the Brexit vote, and the French national elections in 2016, if we can trust the system that underpins our democracy. Are we making progress toward better election security, or are these events doomed to repeat themselves? Trust is based on risk, and to improve trust in our election systems, we have to reduce the risks that threaten to take them down.

“My big concern, quite frankly, is losing confidence in the integrity of our votes. Once one vote is compromised, I think it puts our entire electoral system into jeopardy,” Synack CEO and Co-Founder Jay Kaplan told PBS reporters ahead of the midterm elections.

Reducing risk begins with knowing where you stand and what you’re up against.

A few weeks ago, NBC News reported that the DHS intelligence assessment indicated a “growing volume of cyber activity targeting election infrastructure in 2018.” Chris Krebs, Undersecretary for the DHS NPPD, explained: “It’s not an uptick in activity; what we’re getting right now is an increase in reporting to DHS about what was happening anyway.” We think he’s right, and we think this is a giant leap forward for making elections more secure.

“States are having a really difficult time figuring out what their vulnerabilities are. Scanning helps, but scanning is just not enough. What states really need is intelligence and insight into their attack surface.” -Jay Kaplan

Reducing risk is made possible by teamwork between the public and the private sector.

This June, we announced our Secure the Election initiative, which offers free crowdsourced security testing to states on their voter registration systems. Synack’s solution deploys a crowd of top hackers who find and help fix vulnerabilities and give states valuable human intelligence on their digital assets. States can use this hacker-powered intelligence to better determine and mitigate their cyber risk.

This October, Synack brought together Cloudflare and Microsoft (companies that have offered free election security services and products) with TheBridge, the Aspen Institute, and DHS to talk about what it will take to secure future elections and protect the American Way of Life. All of these organizations share the belief that protecting democracy and improving cyber readiness takes collaboration between the private and the public sectors.

“We have a shared responsibility, and everyone has a role in this fight.” -Chris Krebs, NPPD DHS

Reducing risk is easier with a crowd.

What states really need is scale…and unleashing a human crowd of security experts could be just what it takes to successfully stay a step or two ahead of the adversaries.

We asked our crowd of security experts to share their perspectives on the security of US election systems. Here’s what they said:

  • Electronic pollbooks and voting machines seemed to them to be the most vulnerable parts of the voting lifecycle. They thought that the most likely vulnerabilities in these parts of the lifecycle would be credential theft, password brute-forcing, and maybe a few command injection attacks.
  • When asked about concrete actions states could take to button up their elections, they advised using easily verifiable systems, taking out as much complexity as possible (i.e., fewer integration points and fewer types of machines), and utilizing hackers with diverse skill sets to test the systems. Why hackers? “They can simulate a real attacker trying to get in.”

Synack CTO Mark Kuhr agreed. “If we actually apply a crowd of hackers to this [election security] problem, we’re going to be able to make this asymmetric threat more symmetric,” he said on the Midterm Election Special Podcast produced by Spoke Media and Carbonite on Monday.

According to the Edelman Trust Barometer, individuals’ trust in American institutions declined from 2017 to 2018, while technical experts gained 3 points of credibility over the same time period. We think technical experts can bring real, credible insight on things like election security and help make American institutions more secure and more trustworthy.