Election Security Takes a Whole State

Show Notes: https://justinfimlaid.com/the-election-security-deception

Sponsor: https://www.nuharborsecurity.com

Contact Me: https://justinfimlaid.com/contact-me/

Twitter: @justinfimlaid

LinkedIn: https://www.linkedin.com/in/jfimlaid/

Intro & Operation Fortitude

In 1943 during World War 2 the Allied Forces began to plan their invasion of Europe and reclaim the territory from German occupation. The challenge at the time was that the German Army was deeply entrenched along the coastline and there were no obvious spots where to successfully start the invasion. In an attempt to mitigate the risk of Allied Forces being overrun during an invasion attempt the Allied Commanders created Operation Fortitude to prepare for the invasion. Operation Fortitude was split into two parts Fortitude South and Fortitude North.  Fortitude North was a planned invasion of Norway, Fortitude South was a planned invasion of Calais France. Now Calais was an obvious and expected invasion location because of its short distance from England to France over the English Channel. However the Allied plan and the purpose of Operation Fortitude was actually to divert German forces away from the actual invasion site which was Normandy. Each attack site for Fortitude North and Fortitude South was staffed by a fake army called the First United States Army Group. The US went through excruciating detail to create the appearance that a real and significant force was forming at both of these locations to give the German Army the appearance that that attack was imminent. The Allied Forces did such a good job of creating the deception that the attack was to occur any time the German Leadership assigned their best Field Marshals to defend Calais France against the army that was amassing at the Fortitude South location. On June 6 1944 the Allied Forces invaded Normandy but still the German Army was so sure that an invasion was to happen in the Northern Territory of Norway and Calais France, they left their troops encamped there waiting for an attack and invasion that would never happen. The result was that the Allied Forces were successful in Normandy and the German Army did have a chance and an opportunity to reinforce Normandy with the troops from Calais but choose not to do so because they were so convinced that a second and third attack was going to occur in both Norway and Calais. Deception techniques such as these have been part of our history for a long time. Most of these operations have been classified and not released to the public. However deception techniques such as these defensively and offensively are used within our security industry today.

Elections Security

Today’s question actually comes from the Associated Press whom I talked with a few weeks ago on the topic of election security. As a starting point let’s define election security.  In the most simple terms election security is the confidentiality integrity and availability of any single vote for the purposes of counting towards a popular election. Today the responsibility for elections resides within the Secretary of State’s office. The Secretary of State Agency within any state government is a unique agency in that it tends to be an independent agency.

Sometimes the Secretary of that agency is elected sometimes it’s appointed by the governor. What’s also interesting about the agency is more often than not that agency will also have its own independent Information Technology team. So as an example the State may have their own CIO or CTO and the Secretary of State Agency will also have their own CIO that governs the Information Technology Group for the Secretary of State agency.

Now any time we talk about security of a system it’s important to understand the data flows of that system so that we can understand the security touch points of any place where data is being processed, transmitted, or stored. Since we’re talking about voting let’s start from the beginning. So the first question is where do you go to vote? Depending on the state in which you reside voting locations is either a responsibility of the Town which you reside or in some states there might be a county function but in all cases in order to vote your name needs to be on the list. So if you show up at a voting location and your names on the list you’re not allowed to vote. That list is referred to as the voter registration database. In some states adds, deletes, and edits is a state function in other states this happens at a county level in changes are pushed up to a state held master voter registration database. In many states the voter registration database is comprised of data from the Department of Motor Vehicles, Health and Human Services, or other third party systems. Some states also allow you to register online to vote, other states offer same day registration, while other states require you to register days in advance before the actual vote. All of these systems are interconnected and can be very complex to manage. But the one thing that’s true is that if you show up on the day to vote in your names on the list you’re not going to be able to vote.

So the second part of this is now that your name is on the list. How do you actually cast your vote? This varies from state to state. However in some cases this could still be a paper vote tallied locally, in other cases it could be a paper ballot fed into a machine that will digitally record the vote and perform automated tallying, then in other cases there is a fully digital vote where you walk up to a computer terminal and cast your vote in digital format. When it comes to tallying votes I know that Secretary of State agencies take this very seriously. They audit the machines that tallied the votes and they also follow Generally Accepted Auditing Standards to ensure integrity of the tallying system.

Now once other votes have been tallied the next step is to disseminate the results and report the results out to the public. This can occur through a variety of means. It can occur through a web portal. It can occur through social media. It can also occur through news outlets television stations now. Worth noting is that some of the systems used for tallying and reporting are maintained and managed by third parties or vendors that the state rely on to carry out this function.

Gaming Targets

Now that we’ve gone through the high level overview of how a vote is cast there is a couple obvious places in the process where the voting process can be gamed:

  1. You show up to vote but are not on the voter registration database list.
  2. You can vote but your vote isn’t recorded correctly.
  3. You show up to vote. You can vote your votes recorded correctly, but it isn’t reported correctly.

Now for the sake of time I’ll let you do the impact analysis of what would happen if anyone in those three areas were gamed.

Areas to Protect

There are a lot of inter-dependencies on other parts of this state in order to make the voting process have success. The first one is the voter registration database. This database is not maintained solely by the Secretary of State’s office. In most cases is an aggregation of  input from various different systems to make up that voter registration database.  The Secretary is State is not solely responsible for the security of the systems that comprise that list.

The second one is that state government has a heavy reliance on vendors and third parties to maintain and host the systems. In some cases those vendors offer cloud services and are actually custodians of state information.

The third one is that the Secretary of State Agency is an agency within the larger State Government. The best way I would explain the Secretary of State Agency and State Government relationship would be the analogy of a house. The State Government would be the house and the Secretary of State Agency would be a room within the house. So any cyber attack on any room within the house would mean that you would have to attack the house itself first in order to get to the room within the house.

Key takeaway here is that if you want to ensure the confidentiality integrity and availability of any one single vote, the responsibility for the voting process integrity spans the entire State Government not just the Secretary of State’s office or agencies directly responsible for elections reporting.

Elections Security is a State-wide Responsibility

Election security has dominated our headlines for the last couple of years. There still have been no known successful attacks on our election system today however with the heightened awareness of election security it’s driven awareness to that multiple vulnerabilities exist within our election system. But perhaps that the perception is that we’re so focused on where we think the attack will occur we’re overlooking other areas within the state that might be better targets to exploit and would more pervasively impact the State Government and the citizens that it supports.