The Idaho secretary of state’s office last week became the fourth in the country to launch a vulnerability disclosure policy, giving white-hat hackers legal permission to poke and prod the office’s election-related websites for weaknesses.
Under the new policy, security researchers will be allowed to inspect a set of five websites for potential or real security flaws, such as exposures of sensitive data, and report them to be remedied without fear of reprisal or threat of prosecution.
“If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and IDSOS will not recommend or pursue legal action related to your research,” the policy reads.
The secretary’s office is working with the Center for Internet Security, which operates the federally funded Election Infrastructure Information Sharing and Analysis Center and will review reports submitted under the new policy. The goal is to have any confirmed vulnerabilities mitigated and disclosed within 120 days.
With the new VDP, Idaho joins Iowa, South Carolina and Ohio as the only states where secretaries of state have implemented programs allowing independent researchers to test election-related systems with a legal safe harbor. A fifth state, Colorado, has a penetration-testing program. In an interview Tuesday, Idaho Deputy Secretary of State Chad Houck said the policy had been under discussion for several years since he first heard about Colorado’s policy at a secretaries of state conference.
“Being novel for the sake of being novel is not worthwhile,” he said. “Being novel for the sake of moving an ecosystem forward, increasing confidence in that system and expanding the footprint and the tools that you have at your disposal and defense against unknown enemies is not only worthwhile, it’s critical.”
Idaho’s policy was finally realized when the EI-ISAC started looking for a state to partner with on vulnerability disclosures. The partnership was ideal because, Houck said, his office’s IT staff wouldn’t have the bandwidth to review every report that could come in.
“One of the things we found in the discussion is that it can be very time-consuming to handle vetting all of the false positive claims that would be reported,” he said.
Under the new policy, when researchers find a potential vulnerability, CIS will review the initial report. If the staff there can replicate the flaw, they’ll relay it back to Idaho’s IT team, which will begin mitigation.
Not having to clear the new policy through the Idaho legislature also made it easy to establish it, Houck said. One of the biggest choices, though, was whether the secretary of state’s office would launch the VDP before the Nov. 8 election. Houck said the office ultimately decided to wait until after, to avoid any risk of accusations of politicizing election technology.
The policy also arrives as the Idaho secretary of state’s office changes hands. Lawerence Denney, who’s held the office since 2015, declined to run again this year and will be succeeded next year by Phil McGrane, the clerk of Ada County, which includes Boise. McGrane, a Republican, has been praised by his Democratic opponent for his administration of elections in Idaho’s biggest jurisdiction.
While Houck said he plans to bring McGrane “up to speed,” the intention was to launch the VDP with a limited scope of just the five election-related domains. The secretary of state’s websites related to the office’s other roles, like business filings and trademark registrations, are not covered, nor are any internal networks or hardware.
There are also guardrails on the sorts of research that can be conducted: denial-of-service tests and attempts to degrade services are off-limits.
“We’ll start out with something we feel we can control at some level,” Houck said. “If we find we’re exercising effective controls there, we’ll open the scope and do more.”
And while the number of states where secretaries of state have opened themselves to independent, white-hat hacking remains small, Idaho’s joining that group is a sign of progress, according to Jack Cable, a security researcher and former election security technical adviser at the Cybersecurity and Infrastructure Security Agency.
“Idaho’s new vulnerability disclosure policy demonstrates the growing willingness of election officials to embrace security research, which can lead to greater public confidence in election security,” Cable told StateScoop, adding that he expects more states to follow ahead of the 2024 election cycle.
Houck and his colleagues can also expect to hear from Cable. When asked if he’d submitted any reports under the Idaho VDP yet, Cable replied: “Not yet, but I plan to take a look!”