Want to protect elections? Get friendly hackers to help.
That’s what nonprofit organization IT-ISAC, the Information Technology-Information Sharing Analysis Center, did on September 18–20, assembling a group of ethical hackers and security experts for its first Election Security Research Forum to determine readiness against existing and future threats to elections security.
As the US has invested in digitized elections, the potential for cyber threats has increased. In February, security experts convened at the National Association of Secretaries of State to address potential foreign threats to US election systems. Wisconsin Elections Commission Administrator and National Association of State Election Directors President Meagan Wolfe said that just because it hasn’t happened yet doesn’t mean there’s no potential for malicious actors to threaten the integrity of the systems.
“People don’t remember that this is a real and imminent threat,” Wolfe said, “and so getting those local jurisdictions, their governing bodies, to really buy into this concept and to support sustainable solutions for local election jurisdictions continues to be a real challenge, as well.”
Risk management. The Election Security Research Forum, a project of IT-ISAC’s Elections Industry Special Interest Group, or El-SIG, took five years to plan and is intended to address that potential threat and get ahead of any danger that could be posed by malicious actors. Manufacturers gave researchers access to election technology that has yet to be deployed in the field to test it for weaknesses using CISA’s Coordinated Vulnerability Disclosure Process. The process involves detecting, patching, and then notifying the public of vulnerabilities.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Bugcrowd CTO and founder Casey Ellis told Infosecurity Magazine that vendors working with researchers on election security is noteworthy and indicative of how the industry now understands risk.
“The reality is that security research happens whether the vendors invite it or not,” Ellis said, “so this shift in relationship and approach takes advantage of the existing dynamics of the Internet in order to make the democratic process more resilient and more trustworthy.”
Still, it took time to get vendors in the room with researchers, given the sensitive nature of their work and the security concerns around unveiling new technology, even to trusted sources.
“There is risk,” Hart InterCivic director of government affairs Sam Derheimer told CNN. “But there is more risk in doing nothing.”
Zoom out: At the federal, state, and local levels, CISA is working with officials to address election security, and to assess threat actors’ relative dangers. The agency provides publications and guidance on which bad actors to monitor and how to manage threats.