Iowa Secretary of State Paul Pate announced Thursday that his office is launching a new program allowing outside security experts to find and patch weaknesses in its websites, including those related to elections.
With the new vulnerability disclosure program, Iowa becomes the second state, following Ohio, to give legal liability protections to researchers hunting for bugs that could leave its networks susceptible to attacks if left unaddressed. Pate’s office is working with Bugcrowd, an ethical-hacking firm that crowdsources cybersecurity professionals to look for flaws in its clients’ systems.
“We already have a strong infrastructure in place, but election cybersecurity is a race without a finish line,” Pate said in a press release. “We are bolstering our cyber maturity by allowing responsible testing and reporting of our systems to the private sector.”
While vulnerability disclosure programs are increasingly common with major corporations, very few state governments have implemented them. But states have been encouraged to use VDPs as part of their election security policies. In July, the Cybersecurity and Infrastructure Security Agency released a guidebook for election administrators on how to set up a VDP. Vulnerability disclosures are also part of the core cybersecurity framework offered by the National Institute of Standards and Technology.
Under Iowa’s new policy, Bugcrowd’s researchers will be able to report if they find any problems with websites operated by Pate’s office, including those hosting information about voter registration, absentee ballot tracking and election results. The policy also extends to sites relating to business filings and services for domestic abuse and sexual assault victims.
For now, the program only covers public-facing websites; physical election equipment, such as voting machines and electronic pollbooks, is not covered by the policy. Earlier this year, however, Election Systems & Software, the nation’s largest vendor of voting equipment, launched its own vulnerability disclosure program.
Jeff Franklin, the chief cybersecurity officer for Pate’s office, told StateScoop in a phone interview that Bugcrowd’s field of researchers already reported several vulnerabilities during a “controlled launch” period that began last month.
“The security researcher community has a different perspective when they approach how an attacker thinks, and they add a different perspective than our day-to-day security team,” he said.
None of the flaws reported so far were “high-level severity,” he added.
Franklin also said that the VDP gives Pate’s office discretion over whether or not a vulnerability is publicly disclosed. Once a vulnerability is reported, Franklin said his team will aim to resolve it within 90 days, after which the secretary of state’s office can decide to go public.
“Based on the severity, we’ll make that call,” he said.
For now, the vulnerability reporting is limited to the state level, though Franklin said that if it’s successful, the VDP could be extended to counties in future years. But the new policy is also, he said, a marker of how much progress Iowa’s made as a cybersecurity organization.
“We were confident we were at a maturity level to engage the [security researcher] community,” Franklin said. “It’s a win-win for everybody. It taps into a community that wants to help and make things better.”