On the heels of the 2018 midterm elections and two years away from the 2020 presidential vote, VMware State & Local Government subject matter experts, Gary Christofferson and Herb Thompson, offer advice and best practices for securing elections systems and strengthening government IT security posture. This is part 1 of a 2-part series on U.S. voting infrastructure vulnerabilities and solutions.
Securing Elections Systems Part 1: Protecting Voting Systems through Basic Cyber Hygiene
By Gary Christofferson, Senior Manager, Solutions Engineering, SLED, VMware
In August, an 11-year-old hacked a replica of Florida’s voting system in just 10 minutes. As part of the annual hacking convention, DEF CON, participants at this year’s Voting Village were given carte blanche to hack commonly used U.S. voting machines and election infrastructure. Other notable hacks included the manipulation, via a network attack, of a voting tabulator currently used in 23 states. A second vulnerability, identified more than a decade ago, was found to be unpatched in the same system.
Why Basic Cyber Hygiene Matters
VMware has defined five basic cyber hygiene principles that are incredibly important for protecting data and systems. The concepts are not new but are key in moving to more effective security. They are rooted in well-established frameworks such as the NIST Cybersecurity Framework (CSF) and are technology-neutral. In the most devastating data breaches over the last few years, we believe effectively adhering to these principles would have made a meaningful difference.
The Core Principles of Cyber Hygiene
Most vulnerabilities occur at the most basic level. To that end, VMware proposes a set of core principles of cyber hygiene as a universal baseline for cyber defense across government IT infrastructure and data:
- Least Privilege – Access control is perhaps the most basic cybersecurity requirement that all states should implement to prevent unauthorized access to voter registration databases and sensitive voter information. Simply put, unless a user is explicitly granted access, he or she should not have access. If a least privilege environment has not been effectively implemented and users are provided with higher levels of access than they need, attackers can steal these credentials (user name and password) and gain broad access to systems.
- Micro-segmentation – The whole IT environment should be divided into smaller parts to simplify management, protect data, and contain incidents if one part gets compromised. If micro-segmentation has not been effectively implemented, attackers can break into one part of the network and easily move around to other parts, as in the case of the aforementioned voting tabulator.
- Encryption – For critical business processes, all data should be encrypted, both while stored and while transmitted. In the event of a data breach, stealing critical files should only result in obtaining unreadable data. If encryption has not been effectively implemented, attackers can exfiltrate data in readable form.
- Multi-factor Authentication – The identity of users and system components should be verified using multiple factors (not just simple passwords) and be commensurate with the risk of the requested access or function.
- Patching – Systems should be kept up to date and consistently maintained. Any critical system that is out of date is a meaningful security risk. If patching is not effectively implemented, attackers can exploit open holes in systems. For example, the WannaCry ransomware exploited a known software vulnerability for which a patch was available. Organizations that fell victim had failed to effectively patch.
As long as states continue to use electronic voting machines, the safety and security of this critical infrastructure will need to remain a top priority. Any state, and any citizen, is vulnerable to attack if a state fails to put into practice the most basic cyber hygiene principles.
Gary Christofferson leads the Solution Engineering team for VMware’s government and education customers throughout the Western U.S. Gary has partnered with State and Local Government, Education and Federal customers for more than 25 years to improve their IT capabilities, including guidance and advocacy for securing systems and networks in a holistic manner. Early in his career, Gary delivered secure communications systems as a DoD contractor to the U.S. Air Force and for DoD, Civilian, and Intel programs.