Applying the NIST CSF to U.S. election security

· 10 MIN READ · BRUCE POTTER · SEP 24, 2019 · TAGS: Framework / Managed security / NIST / Planning / Vulnerability

If you’ve worked in security for any length of time, chances are good that you’ve heard of the NIST Cybersecurity Framework (CSF). It’s a useful tool for helping orgs increase their overall resilience and response to cyber threats. I’ve personally used the CSF to guide cybersecurity activities in orgs of all sizes, ranging from startups and local governments to Fortune 500 companies. Even well-known tech brands like Amazon and Microsoft use the CSF to understand where they are and where they want to be with respect to cyber risk.

Given the utility of the CSF, I’d argue that it’s not only useful for corporations — it’s helpful for guiding security activities around processes like our national elections. As we march toward November 2020, there’s continued dialogue around how to secure our democracy. That’s because our election systems have been under attack by various adversaries ever since the United States was formed. Over the last few years, though, these attacks have come into sharp focus but the collective response to those attacks hasn’t.

Is election security an area where the CSF could lend some clarity to the “as is” and “to be” of the U.S. election infrastructure?

I vote yes. (Pun fully intended.)

The 3 challenges for state and local election operations

Most of the mechanics of our elections process — like setting up ballot boxes or electronic voting machines, staffing the polls and recording and reporting votes — are managed at the state and local government level. So for the purpose of this CSF exercise, I’ll focus on assessing state and local election operations at a high level.

The three biggest challenges that these orgs face when it comes to election security are:

  • Lack of standardization: Applying the CSF to election security isn’t easy for many reasons — one of the biggest being the fact that there’s no single organization that’s in charge of U.S. elections. Unlike performing a CSF assessment on a bank or a car company, the election system isn’t a monolithic organization with one executive team and one board of directors. Our election systems are governed (and funded) by various U.S., state and local laws and operated by thousands of local agencies and organizations around the country. This diversity in oversight means that any specific finding or recommendation made by any of those entities would need to be implemented by those thousands of organizations — all with varying degrees of cybersecurity knowledge and budgets. No small task.
  • Voting infrastructure: The next challenge is the infrastructure itself. Localities run elections differently — there is no “one size fits all” approach that’s taken by every single city, county and town throughout our country. Some use paper ballots at the voting booth, some go electronic only and some use both. Some have voter registration rolls stored on modern, cloud-based systems while others still use mainframes. Some have money for technology and security improvements but many don’t. Think about running a penetration test on hundreds of different systems that have a common function but no common architecture. How would you develop recommendations after that exercise?
  • Training for election volunteers: Lastly, many state and local governments provide training for the volunteers who show up to help you cast your vote — but just like the overall elections system, there’s no standardization here. That means the election security training happening in your town might be vastly different than the depth of training happening a few towns over.

Is this a hard problem? Yep. Is it unsolvable? Nope.

Let’s walk down the path of the CSF and see how it could apply to an important part of the election supply chain: state and local governments.

U.S. Elections – Identify

Looking at the NIST CSF, the first functional area is Identify. In Identify you’ve got categories that deal with taking inventory of hardware and software systems, cybersecurity governance, cyber risk management and supply chain risks. Unsurprisingly, all these categories apply to securing election systems (I’m hoping to quickly sway those who think election security begins at the election booth — it doesn’t).

Hardware and software inventories are historically complicated even for the big, seemingly tech-savvy enterprises. It’s the first CSF control and arguably one of the hardest to do right, because understanding what you own and what you’re running is a herculean task in organizations larger than a few dozen people.

When you think of the scale of modern election systems, you might think the same is true in that case. But one thing local election boards do very well is hardware inventory. Understanding what voting systems they have and where they physically are at any given moment has been a core part of election security for as long as we’ve been doing secret ballots. So while there may not be a unified hardware inventory method, there’s still a concrete inventory that’s well controlled. For those playing along with our NIST self-scoring tool (yeah, we have one of those and it’s really easy to use — grab your own copy of the NIST CSF scoring tool here) that’s probably a 3 on the verge of a 4.

Software is a different animal. Election voter rolls are run on all kinds of different systems and likely the software that runs those systems is not well inventoried (at least in many cases). Also, electronic voting systems are often a black box, so while the vendor that built the system may know what’s running on those machines, the local election boards probably don’t. Thanks to researchers at organizations like the DEF CON Voting Village, the public now has a better inventory of what’s on our voting machines. But even if the public has greater visibility into what’s on the machines, that doesn’t translate into election boards taking better inventory of the software on their systems. Let’s score this area a 2.

Another category in Identify is vendor and supply chain management. As a friend of mine says, government contracting is the land of LCTA — “lowest cost, technically acceptable.” This applies to everything from traffic light controllers to law enforcement communication networks to voting machines.

It’ll come as no surprise that when you go the LCTA route, security may not be something that’s a priority (if it’s a consideration at all). While voting machines and voter roll systems are well regulated from a procurement perspective, there are wildly varying levels of due diligence done on the supply chain from a cyber risk perspective. Look at the state of Georgia, for example — officials purchased a voting system with known security vulnerabilities because the procurement was too far down the road and there were no perceived viable alternatives. In a conventional enterprise, these sorts of vulnerabilities would have stopped the procurement process cold. But in the relatively small world of government election systems, the transaction happened without a blink of an eye. I’m going to rate that a 2, but trending towards a 1.

U.S. Elections – Protect

Next up in the NIST CSF is the Protect functional area. This part deals explicitly with security controls that are designed to protect an organization from a successful attack by an adversary. Encryption and data protection, identity and access management, training and awareness and how you operate the system are all part of Protect. Again, the level of sophistication of these categories varies depending on your locality.

Let’s talk about elections and encryption. The biggest forcing function for encryption with elections is the voter rolls and associated personal data. Upcoming laws like the California Consumer Privacy Act (CCPA) will likely force officials to create a regulatory framework that requires encryption for voter rolls. And depending on how broad the definitions are in laws like the CCPA, officials might need to encrypt the vote itself as well since it’s arguably one of the most personal pieces of information someone gives away. Encrypting it makes perfect sense. We don’t have concrete evidence of how much data is or is not encrypted currently in modern voting systems, so for now we’ll have to label this as “unknown” in our NIST self-scoring tool.

Lastly, Protect deals with conventional IT security controls such as change management, vulnerability management and auditing. The quality (or lack thereof) at the local level impacts the assurance of voter registration rolls as well as vote tallying and results communication processes. At the state and local level, these controls are managed by a patchwork of local officials, contractors and vendors. While orgs such as the National Association of State Legislatures have guidelines on how to secure these systems, these guidelines are voluntary and compliance varies from state to state. Looking at these controls, we could score them a solid 2 with a few states trending toward a 3.

U.S. Elections – Detect

The Detect functional area of the NIST CSF is the sweet spot when it comes to cybersecurity operations. This is where the bad guys are caught doing bad things. Getting a good score in Detect typically means that an org has good security signals being generated by various security tech. From there, analytical technology and humans working in a security operations center are responsible for identifying malicious activity and notifying the appropriate parties.

The question here is what state and local governments have to do when it comes to:

  • Security technology installed on endpoints and networks
  • Security signal generated by these technologies
  • Aggregation and analysis capabilities
  • SOC analysts and escalation paths

The distinction between what’s required for the overall voting ecosystem (that includes voter registration systems and vote reporting systems) versus what’s required to secure just the voting machines is striking. While voter registration and vote reporting systems are essentially enterprise systems that can have commodity security technology installed for detection purposes, electronic voting systems are basically embedded systems. They have specialized hardware and software that requires vendor interaction and specialized processes to update. Plus, voting systems are offline for most of their lives and are generally not connected to a network even when they’re in use. Getting real-time telemetry off of them with software that most other security and analytic systems can understand is highly unlikely (and may put the system in more danger versus less). So for many of the Detect subcategories, scores will be pulled down due to the nature of offline voting systems in general.

Some of the slack has been picked up by organizations like CYBERCOM. During the 2018 midterm elections (and to some extent in the 2016 elections as well) CYBERCOM monitored its SIGINT assets and worked with various public and private sector entities to monitor election night activities for bad actors. This point-in-time monitoring is useful for detecting threat actors that may be attempting to interfere with the voting itself, but doesn’t necessarily address attacks against other parts of the ecosystem. So for subcategories like Detect – Continuous Monitoring 1: “The network is monitored to detect potential cybersecurity events,” most states would score a 2.

U.S. Elections – Respond

The Respond functional area is a part of the NIST CSF many of us hope to never get to. If you’re responding to an incident, then a bad thing already happened and you’ve got to deal with it. The reality for any enterprise is that you’ll eventually have to respond to security incidents. For election systems, we know from public reports that they’ve been under attack for years. And some of these attacks have been successful, unfortunately. We should expect future elections to have similar issues.

The good news is that because of past events, we see lots more coordination between various stakeholders than we’ve ever seen before. The federal civil and military agencies are actively communicating with state and local authorities. So for RS.CO-3 (“Information is shared consistent with response plan”) and RS.CO-4 (“Coordination with stakeholders occurs consistent with response plan”), scores are probably at least a solid 3 with some localities trending toward a 4.

But how good is each plan itself (RS.RP-1)? That likely varies dramatically based on how far down into the process you are. While states have response plans at a strategic level, once you get to the local precincts, IR processes for local cyberattacks start to disappear. The saving grace is that, mechanically, poll workers are looking for anything out of the ordinary and run their local precincts according to a common set of procedures. So while there’s no plan per se at that level, there are compensating controls that somewhat act as a plan. Score? I’ll give them a 2, trending towards 3.

And how well do we understand the impact (RS.AN-2)? That’s been a matter of national debate for the last several years. Regardless of the facts around specific incidents, it’s almost impossible for outsiders to find truth due to ideological and partisan differences. The current mechanisms for discovering and communicating the impact of cyber incidents are unfortunately woefully inadequate, resulting in a score of 1.

U.S. Elections – Recover

Finally, we get to the shortest Functional Area of the CSF: Recover. Once all is said and done, how well do you get back to normal operations? How well do you handle the public relations aspect to deal with the event that occurred? And are you able to refine your recovery activities based on what you learned from the last incident?

Much like Respond, past events help drive improvements in this functional area. States have practices on recovery operations now and are able to (in some cases) restore services in a timely and accurate way. There are plenty of situations in which data is still lost — it takes diligence and attention to get recovery operations to be smooth and easy to execute. Score on recovery planning? I’ll give this area a 2.

Public relations is a large part of recovery (RC.CO-1 and 2). Again, like Respond, recovery public relations relating to the election system isn’t like public relations for a normal enterprise. The country is polarized and simply saying “Everything is back to normal!” may not be enough to satisfy most voters. Transparency is required and that isn’t a strong trait of current election recovery operations. We’ll get there … but for now, we’re still at a 2.

Next steps

This was a quick, back-of-the-napkin attempt to apply the CSF to U.S. elections. Certainly we’d benefit from a detailed analysis — using the CSF as the driving framework — of election systems in all 50 states. Shining a bright light on what’s working and what needs help in our election systems would assist in driving funding decisions at all levels of our democracy. With that kind of common assessment, the public could make apples-to-apples comparisons between different systems and architectures in different states. We’d be able to monitor change over time and measure the progress being made by those responsible for the integrity of our elections. And over time, the public would put more trust in our election system.

Who would do this and where would the funding come from? That’s a question that a blog post can’t answer. However, I hope that what this post does provide is evidence that the NIST CSF offers value in systems of all shapes and sizes, including the national election systems.

Security for the broader election supply chain

That said, remember that local agencies and organizations that are leading these election operations are only part of the election security supply chain. Many people’s perceptions of the election process go something like this: They go vote at their local polling place, the magic happens and results show up on their nightly news a couple hours later.

But the system is much larger than that — elections are about far more than the voting machine. Consider voter registration efforts and election rolls, the campaigns and special interest groups that disseminate information about candidates and issues and the reporting and validation of the results. If you consider all those distinct parts of the supply chain, there are plenty of opportunities for attack and the adversary can be lurking almost anywhere, whether that’s at a polling place or behind a Twitter account.

While state and local orgs play a role in a larger effort to protect our national elections, a NIST CSF-style assessment for all 50 states would be a fantastic step forward in making our future elections more secure.