Elections Are Networked Affairs, and Vulnerable
Any election infrastructure that transmits information from one computer to another is using a network, unless some sort of human or mechanical interface physically moves digital storage media between them.
The creation of any network is likely to result in that network being connected to the internet; it is important to accept that even networks not designed for connection to the internet usually end up linked to it.
This means that every election network, designed for internet access or not, likely ends up within the global reach of every other internet-connected actor, whether in a nearby town or across the globe.
In such circumstances, it becomes necessary to know how the network is being used. Even for simple troubleshooting without the presence of threat actors, network and security administrators should be asking and learning how their networked resources are performing. Once they acknowledge the interest of threat actors, it becomes a necessity to monitor the network.
Election Officials Need to Monitor Network Traffic
However, it is critical to realize it is insufficient to simply deploy some sort of security appliance on the network that blocks what it considers to be suspicious or malicious traffic. It’s also not sufficient to deploy the same or another security appliance that generates alerts when it detects suspicious or malicious activity.
These are both helpful, but it is also important — and perhaps primarily so — to install a passive system that conducts an audit of the traffic it sees, silently recording the use of the network in a format that allows later inspection and validation to assure voters and administrators the network performed as expected and was not abused by threat actors.
In this capacity, a network-based solution can work in concert with other sources of security data, such as infrastructure and application logs, endpoint system logs and security software. Because the network itself is the lowest common denominator in any networked environment, it is the last best hope to detect suspicious or malicious activity.
Anything that uses the network can be seen, and potentially evaluated for misuse, based on how it interacts with the network. This applies to mobile devices that connect to Wi-Fi, operational technology or anything else that communicates with the internet.
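As an added illustration (not code from the article or any product it alludes to) of the passive audit just described, the following script records constructed flow-log lines as a per-host summary and lists any connection from an election-network host to an external address that is not on an expected-services list; the network range, the allowlist and the sample records are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (timestamp, source, destination, port, protocol),
# in a conn.log-like tab-separated layout. These are not real observations.
SAMPLE_FLOWS = """\
1700000000.1\t10.50.1.20\t10.50.1.5\t445\ttcp
1700000001.4\t10.50.1.20\t203.0.113.9\t443\ttcp
1700000002.0\t10.50.1.21\t10.50.1.5\t53\tudp
1700000003.7\t10.50.1.22\t198.51.100.77\t22\ttcp
1700000004.2\t10.50.1.21\t10.50.1.5\t445\ttcp
"""

# Assumed address range of the election office network.
ELECTION_NET = ipaddress.ip_network("10.50.1.0/24")
# Assumed allowlist of external services the office expects its hosts to reach.
EXPECTED_EXTERNAL = {ipaddress.ip_address("203.0.113.9")}


def parse_flows(text):
    """Parse flow lines into dicts; malformed lines are skipped, never allowed to stop the audit."""
    flows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        ts, src, dst, port, proto = parts
        try:
            flows.append({"ts": float(ts), "src": ipaddress.ip_address(src),
                          "dst": ipaddress.ip_address(dst), "port": int(port),
                          "proto": proto})
        except ValueError:
            continue
    return flows


def audit(flows):
    """Return (per-host counts of internal/external flows, flows to unexpected external hosts)."""
    per_host = defaultdict(lambda: {"internal": 0, "external": 0})
    unexpected = []
    for f in flows:
        if f["src"] not in ELECTION_NET:
            continue  # only audit traffic originating from election hosts
        if f["dst"] in ELECTION_NET:
            per_host[str(f["src"])]["internal"] += 1
        else:
            per_host[str(f["src"])]["external"] += 1
            if f["dst"] not in EXPECTED_EXTERNAL:
                unexpected.append(f)  # retained for later inspection, not blocked
    return dict(per_host), unexpected
```

The summary answers the routine "how is the network being used" question, while the unexpected-flow list is the audit trail an analyst can cross-check against endpoint and application logs.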
If one waits until the month or week of the election to install this monitoring infrastructure, it will be too late. Threat actors are likely already probing election networks for weaknesses.
With less than six months left before the election, now is the time to ensure election networks are properly instrumented with network security monitoring solutions. This time window allows analysts to collect data, investigate it for signs of compromise or tampering, and introduce improvements and safeguards to frustrate intruders when they attempt further intrusion campaigns.
These remaining months will give red teams chances to demonstrate what sort of vulnerabilities the election networks still possess and determine whether blue teams can identify and respond to real intruders as well as red team campaigns. Finally, once the election happens, the necessary network security monitoring processes, tools and personnel will be tested and ready.
Even if the personnel or processes are lacking, deploying the proper instrumentation will provide outside election officials or consultancies with the data they need to conduct spot checks or in-depth analysis of worrisome situations. Just as we want elections themselves to have an audit trail in the event of recount, we also want an audit trail for network access to election systems. This applies to whatever hybrid method of voting occurs.
Only by having the proper data provided by network security monitoring systems will voters and election officials gain the information needed to validate trustworthiness and develop confidence in the election process.