State

Colorado official details plans for penetration testing of election systems

Trevor Timmons, CIO for the Colorado secretary of state, explained a new partnership with the security firm Synack to test election systems ahead of Nov. 3.

By Benjamin Freed

July 28, 2020

(Getty Images)

The Colorado secretary of state’s office said Tuesday it is partnering with the security firm Synack to conduct penetration tests of its election systems ahead of the presidential vote.

In an interview with StateScoop, Trevor Timmons, the chief information officer for Secretary of State Jena Griswold, said Synack’s team of white-hat hackers will poke and prod the agency’s election infrastructure, including the statewide voter registration database and Griswold’s office’s main website.

“We need to know [vulnerabilities],” Timmons said. “We’ve got enough time that if they found anything we’d be able to respond to them.”

Timmons said Synack will be focusing on anything that’s “internet-connected.” While Colorado is one of five states where nearly all voters cast ballots by mail, the penetration tests will also include electronic poll books at physical precincts for people who choose to vote in person.

Colorado has used penetration testers to review its election systems before, Timmons said, including services offered by the U.S. Department of Homeland Security and other private companies. But he also said that Synack, which has offered its services to election officials in previous cycles, is providing these tests on a pro bono basis as part of an expansion into the election space.

“Rigorous testing can also act as a deterrent to our adversaries,” Mark Kuhr, Synack’s founder and chief technology officer, said in a press release.

Timmons said his office already conducts regular vulnerability scans, as well as periodic audits of county election offices, but that he wants Synack’s testing to be rigorous. If vulnerabilities are found in the coming weeks, Timmons said, there should be enough time to plug them in time. While Election Day is Nov. 3, Colorado sends every registered voter a ballot three weeks beforehand.

“We want them to go pretty hard at us,” he said. “The reality is you’re probably going to find something.”

While Timmons said Griswold’s office has “solid” segmentation between its election assets and the rest of its operations, he noted that some cyberattacks, like ransomware, can jump across networks.

“If they want to take a run at our business registration systems to see if they can achieve some lateral movement, we need to know that,” he said.

The penetration testing will be conducted at the state level, but elections in Colorado are ultimately conducted by individual county clerks’ offices. Still, Timmons said, the state takes a “top-down” approach in which counties are required to use the same security systems as the state, as well as implement certain measures, including multi-factor authentication, endpoint detection, antivirus software and routine password replacements.

“You’re relying on the strength of every layer of your defenses to protect you,” he said.