New guide on election system supply chains aids risk evaluations
A new report by the Center for Internet Security aims to simplify the process for election technology vendors securing the supply chains they use in developing the products they sell to state and local officials.
Although the guide, published last week, had been in the works for months, its authors said it takes on added relevance in the wake of the so-called SolarWinds hack, a suspected Russian espionage operation that breached the software supply chains of numerous federal agencies, corporations and state governments.
So far, there has been no evidence the SolarWinds hack affected any U.S. election systems, the acting head of the Cybersecurity and Infrastructure Security Agency said Feb. 3, but the sheer amount of hardware and software used in the voting process leaves it vulnerable to similar compromises, said Aaron Wilson, a senior director for election security at CIS and one of the report’s authors.
“The election space is a lot like the rest of our technology space where the supply chain has inherent risks,” he told StateScoop.
Modern elections are conducted on an elaborate assembly of technologies, including voter registration systems, electronic pollbooks used when voters check in, ballot-marking devices, optical scanners that collect and tabulate ballots and election night results websites where unofficial counts are posted. And each of those is made up of its own, sometimes complex, chain of components, the CIS report explains.
That means election officials need to be confident that their vendors have assessed and mitigated any risks with their third-party suppliers, Wilson said. While the larger vendors in the election technology market have large and sophisticated technical staffs, he said, there are also smaller companies that may need direction on how to avoid incidents that could undermine public confidence in an election.
“Our goal with this guide is to give our vendors guidance, both our voting system vendors that are larger, but also smaller shops that do one or two products,” he said. “We wanted to give them something that they could consume quickly then when they apply it to have a real impact in mitigating risk.”
Supply-chain attacks come in many forms, the report reads. While some, like the SolarWinds operation, include the compromise of a legitimate vendor’s software updating service, they can also include malicious code executions, fake download sites, insider threats and hardware corruption.
The aim of the CIS report, Wilson said, is to give those vendors a template for evaluating those risks that’s more digestible than the highly technical frameworks published by entities like the National Institute of Standards and Technology or the Defense Department. It also tells readers which of their components are more likely to pose greater cybersecurity risks.
The document breaks down different pieces of election technology into separate components. A typical voter registration system, for instance, may include several databases, a file storage system and a management application behind a firewall, but connected via the internet to members of the public registering to vote and election officials updating their voter rolls. Those lists, in turn, are eventually fed into electronic poll books, which include tablet computers, their own set of software and potentially connections to printers or bar code readers used to scan voters’ identifications.
“We broke down the components in each of those solutions to what might be discretely purchased,” Wilson said. “One company may purchase the tablet, one may purchase the printer. We do that threat modeling for them.”
But Wilson said the election community needs to be just as mindful of the makeup of its software as it is of its hardware, a fact made all the more obvious by the SolarWinds incident, which, he said, “underscores the need to be just as secure in your software supply chain as your hardware supply chain.”
“People tend to think of supply chain as hardware,” he said.