Vulnerability Management in Election Security
- Nov 01, 2022
- Jacque Strand
Vulnerability management is an ongoing, iterative process. Even companies with large cybersecurity teams can struggle to prove the efficacy of their vulnerability management efforts and their investments in tools and other resources. With the sophistication of cyber attacks consistently on the rise, there will likely never be a “set it and forget it” solution for vulnerability remediation. For any organization to remain secure, vulnerability prioritization and remediation continue to demand time and resources. For election security specifically, where machines are largely untouched for significant chunks of time, this presents a unique challenge.
Recent years have seen an increased focus on election security – something crucially important – and public trust in the current state of election security is concerningly low.
At the federal level in the US, election security responsibilities fall to the Cybersecurity & Infrastructure Security Agency (CISA). To that end, CISA provides resources and tools to state and local governments to help local government officials, election officials, and vendors maintain election security in day-to-day operations, such as the Election Cybersecurity Toolkit, an Election Security Library, and even graphic novels. CISA also works with the Center for Internet Security (CIS) to host programs that provide a variety of cybersecurity services for election entities, as pictured below.
Source: Center for Internet Security
Ultimately, state and local governments are the ones with the boots on the ground (and the pressure on their shoulders) when it comes to ensuring the correct vulnerability management procedures are in place. And, like many teams tasked with vulnerability management, they have limited time and resources to meet the challenge. Relying on volunteers and faced with tight turnarounds, prioritizing the remediation of vulnerabilities is no easy task on the best of days.
Many of the machines used for voting remain untouched for large chunks of time. Some aren’t powered on for years. Others are considered outdated, and finding parts to keep them maintained is a challenge – not to mention the unlikelihood of the software on some of these machines still being supported. As any cybersecurity expert could tell you: the older the hardware, the more likely it is to have a host of known vulnerabilities.
Thus, election officials face the same challenges as most vulnerability management teams. Simply put, with so many vulnerabilities to patch, how can one begin prioritizing remediation? In addition to that, election officials struggle to keep election machines functional – their main focus – so vulnerability remediation close to an election often falls by the wayside.
David Kroening, Director of Global Security Governance and Compliance at Grey Group, has a personal interest in election security that led him to volunteer as an election poll worker to learn more about the process.
“You see how limited the role really is,” said Kroening. “But also how very resolute they are to make sure that everything is secure. This is something that couldn’t be any more important, historically. Election security gets sidetracked by other conversations, and you don’t really get into the honest discussion of limited resources to ensure the machines are updated and patched. That’s where it gets to be a tough thing.”
Though there has been a focus on increasing investment in election security, especially in recent years, resources are still very limited. As a result, when the voting equipment does get bounced out, Kroening found during his volunteering that equipment needs to be updated or massively patched – sometimes completely overhauled – to meet special requirements with regard to NIST standards for the equipment.
It’s an all-hands-on-deck problem, something that the government, relevant vendors, and nonprofits alike are working together to fix. Along with the call for more investment, election security is getting more oversight and regulation than ever before.
As we’ve already mentioned, older machines are often at risk from some seriously old vulnerabilities. But new voting machines, some of which boast internet or Bluetooth capabilities, aren’t without their own risks. Many push back against machines with those capabilities, believing voting systems not online are at low risk of sabotage; however, larger voting systems in many states are actually online already.
As a whole, election security officials need to be concerned about outdated software, compromise during the supply chain process, and physical security access.
As for any organization, prioritizing the remediation of many of these risks poses a challenge. Multiple vendors are used across multiple states – meaning a vulnerability that is crucial to patch in one voting district may not be crucial in another. State and local governments must find a way to prioritize based on the context of their environments.
Also as in any organization, the expertise to identify and rank these vulnerabilities is just as hard to find as the time in which to do it. For effective and efficient vulnerability management, tools like vulnerability prioritization platforms enable teams to scale remediation efforts. With this renewed investment in election security, vulnerability management must be a focus.
Election officials aren’t the only ones struggling with vulnerability management. About 70% of cybersecurity professionals report that their Vulnerability Management program is only somewhat effective or worse. See where prioritizing risk falls in the most recent State of Vulnerability Management Report.