County & Local

Ohio’s vulnerability disclosure program for elections indicates ‘maturity’

The first-in-the-nation policy allows independent researchers to look for flaws in voter registration websites across the state's 88 counties.

By Benjamin Freed

August 20, 2020

Frank LaRose (Georgebailey2015)

A pair of cybersecurity experts on Thursday praised Ohio’s new vulnerability disclosure policy for its election-related websites as being a mark of a mature organization.

Speaking during a weekly briefing led by Ohio Secretary of State Frank LaRose, who announced the policy earlier this month, Matt Olney, a director at Talos, Cisco’s threat intelligence division, and Matt Masterson, a senior adviser to the federal Cybersecurity and Infrastructure Security Agency, said the new initiative shows how far along some state governments have come in protecting their election infrastructure.

“The vulnerability disclosure policy invites the best and brightest,” Olney said of the policy, which permits independent cybersecurity researchers to look for and notify officials of vulnerabilities in election-related websites without fear of legal ramifications.

Ohio’s vulnerability policy — the first created by any statewide election authority — only applies to websites, not physical equipment such as voting machines or electronic pollbooks. Still, LaRose said, the policy shows that Ohio officials are open to assistance from white-hat hackers.

“We wanted to unleash the great minds that are out there to tell us where we’ve left a hole in our fence,” he said.

Olney also said it indicates how much Ohio election officials have come to appreciate the role of cybersecurity in their operations.

“It can be a little out of the blue for someone to call you and say, ‘Hey, your baby is ugly,'” he said. “It’s a very specific, very technical capability.”

Masterson, whose agency conducts routine scans of state and local networks as part of its role protecting critical infrastructure, said that vulnerability disclosure policies can be a low-cost way for governments to expand their IT and cybersecurity efforts.

“You get the benefit of the federal government testing your systems,” he said. “Now you get the benefit of researchers across the country. That is significant. You’ve basically increased your IT workforce and security workforce exponentially by allowing that kind of engagement with the cybersecurity community.”

Masterson also said that CISA recently published a guide for state election officials on how to establish vulnerability disclosure programs.

A good disclosure policy, he said, can help states and counties protect themselves against attacks like ransomware, which both CISA and industry experts have cited as a lingering threat against election-related IT, especially voter registration databases and the websites on which counties and states post unofficial results on election nights.

In Ohio, at least, all 88 county election boards are members of the Election Infrastructure Information Sharing and Analysis Center, the Department of Homeland Security-funded organization through which election officials share security information. LaRose in recent months has also implemented statewide use of endpoint detection monitoring software and required counties to develop contingency plans for any incident that disrupts the voting process.

“The bad guys only have to be right once,” he said. “We have to be right every day.”