The recent Department of Homeland Security designation of state election assets as U.S. critical infrastructure, if it stands, is a key to mitigating cyber threats to American democracy, said a researcher during the Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective on Jan. 11, 2017 at the University of Maryland. The designation means state governments can ask DHS for help to secure election infrastructure, including voter registration databases, voting machines and other systems that manage the election process and report and display results on behalf of state and local governments.
The DHS move follows allegations Russia hacked Democratic National Committee computers and voter registration files in various states. The United States as a target “is an increasingly big deal given we have so many layers of vulnerability at different scales,” said Indiana University professor Scott Shackelford as part of his “Making Democracy Harder to Hack” presentation. He spoke to about 60 scholars and working professionals in the fields of public policy and information security who gathered for the event sponsored jointly by the UMD’s School of Public Policy and Robert H. Smith School of Business.
“The U.S. has 3,000 different election and voting jurisdictions employing a huge variety of voting systems,” Shackelford said. “That could be a good thing in terms of making it difficult to scale an attack to change the outcome of (a national) election but it does make it easier to target particularly vulnerable counties in swing states.”
Useless Paper Trails
The aforementioned variety includes Pennsylvania, where 47 of 67 counties use voting machines that don’t leave a paper trail, making it difficult to do audits and check results. But it’s more complex. “State after state, starting with Florida, have made it illegal to actually count votes from a paper trail, so the paper trail in these states is virtually useless,” said Rebecca Mercuri, founder and CEO of Notable Software, Inc. “Not only do we need to look at voting methods, we also need to look at the voting laws.”
States constitutionally govern their voting procedures, said Shackelford’s research colleague Anne Boustead, a Harvard Kennedy School postdoctoral fellow. “This includes states like Texas allowing counties to individually govern their procedures. (See Verified Voting’s state-by-state breakdown of voting systems)… Variations in voting systems mean variation in protectability.”
In Wisconsin, voting procedures vary jurisdiction to jurisdiction within the counties, added Mercuri, who gave a separate talk at the forum on digital forensics and economic cybersecurity policy.
Pitfalls, Strategies for 2018
Voting machine tabulation systems stand out as vote-hacker targets, said Shackelford. He listed other U.S. election vulnerabilities going forward to 2018 and 2020:
“Foreign interference in shaping the conversation, including through disinformation campaigns, news leaks and fake news. Case in point: the DNC hacking and its aftermath.”
“Hacking to delete or limit the number of entries in poll books: You go to the poll on Election Day and find your information isn’t entered in correctly. Maybe you don’t vote… Ultimately this contributes to delays and can be done in targeted ways in specific counties and specific swing states.”
“Disseminating the results to the news media. Those feeds can be hacked as well. We saw this – again – in Ukraine in 2014. Hackers from Russia got into the systems and messed with news feeds… One outlet carried the fake results. Such hacking of news from the U.S. Eastern time zone could influence West Coast voter turnout.”
“Hacking other critical infrastructure: A power outage in a certain region or even shutting down key websites could influence voter turnout.”
To account for the risks, Shackelford said preserving the DHS critical infrastructure designation is a good start. “More proactive measures can include air-gapping (eliminating wireless and physical connection) as much voting infrastructure as possible and requiring security audits and NIST cybersecurity framework compliance from voting machine manufacturers and suppliers,” he said. And, “establishing a ‘voting ISAP (Information Security Automation Program)’ would lead states and local jurisdictions into sharing cyber threat data and best practices.”
Georgia, for example, is the only voting-machine state that tests every newly installed voting machine, while other states typically test just one out of every new fleet of machines, said Mercuri.
“And, the federal government always can increase funding for state voting systems and/or incentivize states to change their laws to allow audits and [recounts by] paper trails,” said Shackelford.
The 2017 forum, in its 13th year, was coordinated by Lawrence Gordon, EY Alumni Professor of Managerial Accounting and Information Assurance, in the Smith School; Martin Loeb, professor of accounting and information assurance and Deloitte & Touche LLP Faculty Fellow, in the Smith School of Business; and William Lucyshyn, research director at DARPA and a senior research scholar at the Center for Public Policy and Private Enterprise in UMD’s School of Public Policy. Tony Hubbard, who leads the cybersecurity offering for KPMG’s Federal practice, delivered the Ira H. Shapiro Memorial Lecture with a presentation titled “The State of Cybersecurity from the Federal Cyber Executive Perspective.”
Nudging the Private Sector
Gordon presented the paper Increasing Cybersecurity Investments in Private Sector Firms – published in the Journal of Cybersecurity and coauthored with Loeb, Lucyshyn and Smith School accounting professor Lei Zhou. The work, which was awarded Honorable Mention in the NSA’s recent Best Scientific Cybersecurity Paper Competition, presents an economics-based framework for evaluating governmental approaches to increase private sector investment in cybersecurity.
The potential for government incentives and regulations to spur such investment, said Gordon, rests on two fundamental issues: whether firms are utilizing the optimal mix of inputs to cybersecurity, and whether firms are able, and willing, to increase their investments in cybersecurity activities. “In the private sector, the name of the game is revenue growth,” he said. “Generating $20 million from a $10 million investment trumps saving $20 million from that same $10 million for cyber protection.”
This attitude is persistent, even when breaches occur “because they affect earnings and stock prices in the short run, but companies recover in the long run,” Gordon said. “However, cost-savings from cybersecurity are increasingly recognizable, and this case can be made more strongly.”
Gordon closed his presentation with a whiteboard animation video illustrating the Gordon-Loeb Model, which has been widely acclaimed in both the academic and practitioner literature. The model shows that it is generally inappropriate for firms to invest more than 37 percent of the expected losses from cybersecurity breaches.
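As an added worked example, not code from the article or from the Gordon-Loeb authors: a numeric check of the 37 percent rule. It assumes the two breach-probability function families used in the Gordon-Loeb paper (a power-law family and an exponential family) and constructed parameter values; the optimal spend is found by grid search over the expected net benefit and compared with the 1/e bound (about 0.368) on expected loss.

```python
"""Numeric illustration of the Gordon-Loeb 37% rule (added example).

Notation: v = probability a threat succeeds with zero investment,
L = loss if it does, z = cybersecurity investment, S(z, v) = breach
probability after investing z.  Expected net benefit of investing z is
ENBIS(z) = (v - S(z, v)) * L - z.  Under the assumed function families
the maximizer z* never exceeds vL / e, i.e. ~36.8% of expected loss.
"""


def expected_net_benefit(z, v, L, breach_prob):
    """(reduction in expected loss) minus (cost of the investment)."""
    return (v - breach_prob(z, v)) * L - z


def power_family(alpha, beta):
    """Assumed family I: S(z, v) = v / (alpha*z + 1)**beta."""
    return lambda z, v: v / (alpha * z + 1) ** beta


def exponential_family(alpha):
    """Assumed family II: S(z, v) = v ** (alpha*z + 1)."""
    return lambda z, v: v ** (alpha * z + 1)


def optimal_investment(v, L, breach_prob, step=100.0):
    """Grid search for the z in [0, vL] that maximizes ENBIS.

    Spending more than the expected loss vL can never pay off, so the
    search stops there.  Returns (z_star, best_net_benefit).
    """
    best_z = 0.0
    best_val = expected_net_benefit(0.0, v, L, breach_prob)
    z = 0.0
    while z <= v * L:
        val = expected_net_benefit(z, v, L, breach_prob)
        if val > best_val:
            best_z, best_val = z, val
        z += step
    return best_z, best_val


def investment_share_of_expected_loss(v, L, breach_prob, step=100.0):
    """z* as a fraction of expected loss vL; the model caps this at 1/e."""
    z_star, _ = optimal_investment(v, L, breach_prob, step)
    return z_star / (v * L)


if __name__ == "__main__":
    # Constructed scenario: 50% breach chance against a $1M loss.
    for name, s in (("power", power_family(1e-5, 1.0)),
                    ("exponential", exponential_family(1e-5))):
        print(name, round(investment_share_of_expected_loss(0.5, 1e6, s), 3))
```

With these constructed parameters the optimal spend is roughly 25 percent (power family) and 36 percent (exponential family) of the $500,000 expected loss, both under the 37 percent ceiling the article cites.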
Earlier, Smith School Dean Alex Triantis referenced the model while welcoming forum participants. “Businesses obviously now are fully aware of the work Marty [Loeb] and Larry [Gordon] have done on trying to have a perspective of how much one should invest in cybersecurity and what is really critical, and academia has wakened and gotten very involved as well,” he said. “So having this interface we have here today between academia, government and business is the only way we’re going to solve problems.”
Triantis also cited the university’s undergraduate ACES (Advanced Cybersecurity Experience for Students) program which engages business, criminology, computer science and engineering and other majors and “really speaks to the ability to try to find cybersecurity solutions that cut across many different disciplines.”
Other speakers included David Mussington, director of UMD’s Center for Public Policy and Private Enterprise, who presented “A Cybersecurity Agenda for the New Administration,” and Tim Weisenberger, ground vehicle project specialist for technical programs at SAE International, who discussed his organization’s work in developing cybersecurity guidelines for auto engineers.
University of Michigan engineering professor Mingyan Liu presented “Fine-grained Data Breach Prediction Using Business Profiles;” University of Tokyo professor Kanta Matsuura presented “BSafe: A Blockchain Research Network;” and Nottingham Business School professor Paul Klumpes presented “Understanding the Impact of Cyber Risk on Insurer Capital.”
- Greg Muraski, Office of Marketing Communications