Public trust in the integrity of our elections has been critically shaken. U.S. adversaries are using a range of mechanisms to breed distrust in the American political system, from tactics that are technical in nature to those of a more social character. Voter data system vulnerabilities include everything from malware and system updates, DDoS tactics and “Zombie” voters to public perception campaigns, bulk disenfranchisement and cyberattacks to steal personally identifiable information (PII).
In August 2018, The Purple Tornado received a research award from the DHS Science and Technology Directorate to explore the realm of voter data security, following the January 2017 designation of U.S. election systems as critical infrastructure. Following eight months of research and interviews with elections, voter data, and security subject matter experts, we published the following report, which explores the process through which voter data is collected, stored and utilized by government and third-party actors, identifies critical vulnerabilities in these systems, and outlines five focus areas to increase election security.
An Agenda for Resilience
While there are no fast, cheap or easy solutions to these vulnerabilities, our report suggests the key to building resilient systems that maintain their integrity under a wide range of attacks lies in adopting more flexible infrastructure. We offer five areas of focus, which will increase the resilience of U.S. election systems:
- Increase Election Confidence: Embrace Risk-Limiting Audits (RLAs) to increase voters’ confidence in the election outcome, and educate politicians and voters alike on how RLAs support election transparency.
- Utilize Database Security Best Practices: Invest in database security improvements by using standard data models, secure hardware and universal admin access management procedures to reduce the technical database attack surface.
- Increase Election Usability: Voters do not have many opportunities to interact with voting materials prior to an election and as a result make mistakes due to their lack of familiarity with the ballot or voting machine. There may be benefits to simulating election activities prior to election day, such as testing the election systems as well as user-testing ballots.
- Increase Training: Invest in training security professionals with specific expertise in elections. Increase the use of table-top exercises for general security awareness.
- Encourage Interdependence with Shared Infrastructure: Promote data sharing and cooperative penetration-testing. Utilize shared infrastructure, especially for voter registration and registration updates. Encourage a security culture of productive competition using allocated funding for system improvements.
According to the report, ‘Russian Efforts Against Election Infrastructure,’ released by the Senate Select Committee on Intelligence, the Russian government directed extensive activity against U.S. election infrastructure. This is the same infrastructure where our personal election data is stored, thus representing a massive and potentially catastrophic vulnerability still open to foreign attacks.
With the 2020 election bearing down on us all and election security measures top of mind, this sober analysis of the field is especially valuable for setting the narrative on a constructive path and building the consensus needed to ensure the security of our voter data and the integrity of future elections.