Today, guest author Joshua M Franklin discusses new election infrastructure best practices from DHS. He is President & Co-Founder at OutStack Technologies, a public benefit corporation focused on campaign and election infrastructure cyberdefense.
A short while ago the Cybersecurity and Infrastructure Security Agency (CISA), a newly re-organized part of the Department of Homeland Security (DHS), released a document titled Best Practices for Securing Election Systems. Now these are just best practices, meaning they are not standards, government mandates, or the like. But often best practices published by the federal government become a stake in the ground. Words, sentences, and entire paragraphs are commonly lifted, reused, and remixed for agencies that do have regulatory authority. They are also used in a legal setting if an organization is not following them. A lawyer asking “why didn’t you follow the guidance DHS released?” is a question you don’t want to have to answer. Interestingly, the top-level title for these best practices are labeled as a “Security Tip.”
Since 2015, DHS has been flirting with best practices in elections. In previous epochs of electronic voting in the United States, government agencies were the principal purveyors of best practices and guidance. Think to the Federal Election Commission (FEC), Election Assistance Commission (EAC), and National Institute of Standards and Technology (NIST). Yet, they were not alone as many advocacy organizations and nonprofits released useful guidance as well (e.g. EPIC, Verified Voting). But in this new era of voting that started in 2015 when internet-facing election infrastructure was attacked, DHS’ CISA is quickly assuming a leadership role.
These best practices are vastly different from other types of election security guidance provided by the US Federal government. These best practices are not a standard per se. Examples of election standards include the EAC’s Voluntary Voting System Guidelines (VVSG) or NIST’s Standard for Election Data Interchange. They aren’t necessarily similar to the EAC’s Election Management Guidelines (EMGs) or NIST’s Best Practices for UOCAVA technology, either. For one thing, the new best practices are a bit…terse. Honestly, they are a bit short, which is odd since other DHS resources on election security were quite thorough. As an example the following two documents are quite comprehensive: Best Practices for Continuity of Operations (Handling Destructive Malware) and DHS Election Infrastructure Security Resource Guide.
The best practices we’re focused on here are essentially a web page containing 8 topics with security guidance and one more topic providing links to other documents. The 8 topics are provided below, with a short description from yours truly.
- Software and Patch Management — Security updates and patches for various types of computer systems.
- Log Management — What to log and what to look for when you actually have logs.
- Network Segmentation — Networks are made to facilitate communication, but some networks need to be private or only speak with authorized entities.
- Block Suspicious Activity — Stopping the flow of malware or other potentially harmful network communication over an enterprise network.
- Credential Management — Passwords and multi-factor authentication (MFA).
- Establish a baseline for Host and Network Activity — Servers, workstations, and firewalls can all be configured.
- Organization-Wide IT Guidance and Policies — The written rules for governing information technology within an enterprise can be complex.
- Notice and Consent Banners for Computer Systems — A small message can be provided to the user to inform them that they should not expect privacy on a computer system meant for work activities.
Most of these are excellent cybersecurity topics to focus on. They are multifaceted areas that subsume a variety of other distinct disciplines of cybersecurity. Other topics contain guidance that doesn’t really fit into the category they are contained within. For instance, it’s slightly odd to discuss web browser configurations within the Network Segmentation topic. Finally, some topics get extremely specific about an individual network protocol, such as server message block (SMB).
Now it’s difficult to ascertain the overall goals or reasons that CISA made this information available. The same goes for the scope of the systems the best practices are meant to cover. CISA states the goal is to "assist organizational documentation of election infrastructure cybersecurity posture and to identify key interdependencies". I'm not super sure what that means. Additionally, CISA states that these best practices are developed via “…lessons learned through engagements with SLTT governments, election stakeholders, and others.” That’s the way to do it and I commend CISA for that approach! Note that the acronym SLTT means State, Local, Territorial, and Tribal, and is the nom de plume that those working in the federal cybersecurity space use to refer to all shapes, sizes, and types of jurisdictions.
CISA mentions that these best practices are meant to be implementable with “little or no cost.” I’m not quite sure that this goal is achieved given some of the technology that is recommended. For instance, server side whitelisting may be implemented with a third-party product depending on your platform. A Security Information and Event Management (SIEM) is also mentioned, with collects and correlates computer logs to detect malicious activity. Another example is the usage of a Local Administrator Password Solution (LAPS). These are all serious tools to bring to the enterprise, but these technologies require resource intensive installation, maintenance, and service agreements. Oh! And oftentimes specialized knowledge is needed to keep them chugging along.
Is It Enough
Is it possible to pass on a question within your own blog post? The frank answer is that we need election-specific best practices and guidance for a variety of election infrastructure types. In my opinion we need a treatise on voter registration security that holistically discusses the technology, assess threats, and provides mitigations. In my imaginary fantasy land, it would be developed in consultation with SLTTs, academia, and the election integrity community. It would also be publicly vetted and frequently updated. Rinse and repeat for electronic pollbooks (ePBs). And election night reporting (ENR). And election management systems (EMS). I could add quite a few more “ands” to the end of this sentence.
There are also some strange topics missing from the best practices. Why not recommend a security framework like the NIST Cybersecurity Framework (CSF), ISO 27000, or the CIS Controls? If we’re already talking about governance, why not explore risk management? Vulnerability scanning is pretty darn important too. It’s possible that although this document is labeled “best practices,” which has a reasonably specific meaning, this entire document is meant to focus the efforts of election administrators on specific issues that need to be immediately addressed.
With all that said it’s hard to know what this document means for election administrators. Most of these topics are already part of a cybersecurity framework, which helps to focus cybersecurity efforts within an organization. I would treat this document as a way to prioritize efforts, especially some of the more specific recommendations such as updating Powershell and disabling SMB v1. Those should be fixed now. CISA likely has threat intelligence stating that these issues are actively be being exploited in the wild, but we can't know for sure.
It’s well past time for the United States to have a Federal agency dedicated to election cybersecurity. Although this document is not perfect, it’s part of DHS dipping their toes into the water. It’s a stop along the road to the overarching guidance that we need. I have a feeling we’ll be seeing a lot more of these types of documents before E-Day 2020. We need leadership from the US government on this important topic, and this is how it starts. Welcome to the new epoch of electronic voting in the US.