States face long waits for DHS reviews of election security
- By Matt Leonard
To help states protect their election infrastructure, the Department of Homeland Security offers a number of free security screening services, ranging from basic cyber hygiene scanning to risk and vulnerability assessments that provide an in-depth, on-site review of internal and
external networks. And although DHS officials said that the security scans will be completed by April for states that have already requested the screening, latecomers that want the RVA could be waiting up to nine months, according to a Dec. 29 article in Politico.
The RVA waitlist – which includes private sector organizations as well as state election offices -- is nine months long, a DHS official confirmed, but states are being given priority.
These RVAs are not the only assessment of services states can access, DHS said.
One of the other services is the cyber hygiene screening for internet-facing systems, in which DHS remotely scans a state's internet-connected systems and assesses their vulnerabilities and configuration errors, reducing states' exposure to known threats. In other assessments designed for IT security managers, DHS comes in and conducts a holistic risk management evaluation, one DHS official said.
DHS also offers incident response assistance for identifying and remediating a cyber incident; information sharing, including classified briefings; and field advisors to help states improve the
cybersecurity preparedness of election systems and to secure voting machines and polling places.
But DHS calls the RVA “more thorough” than other assessments. It involves four to five professionals working with the state directly for two to three weeks.
DHS scopes out the state’s network 30 to 45 days before the RVA to understand the architecture and what databases the state wants examined. The first week of the RVA is run out of DHS offices in Arlington, Va., where security engineers try to break into the state’s system by probing for data leaks from web applications and sending phishing emails to state employees.
During week two of the assessment, DHS engineers set up in state offices and put their laptops on the network to look for insider threat vulnerabilities. The engineers try to gather user credentials, admin credentials, database access and domain controllers. Finally, they generate fake data and try to send it from the state's network back to the DHS Arlington office to test data leak prevention systems.
The DHS assessments scan is great at finding unpatched systems or out of date versions or operating systems and applications, but less effective at stopping social engineering attacks, according to Eric Hodge, director of consulting at CyberScout.
“What it’s not looking for, and the most common kinds of attacks today, are going to be where an attacker is trying to fool someone or trick someone into letting them in,” Hodge, who has worked with states on the assessment of voting systems, said. “It doesn’t do a very good job of checking for phishing attack vulnerabilities.”
The DHS official GCN spoke with pushed back against this assessment, saying it sends out phishing emails as part of its assessment, but if time is short and the state has strong email filtering system, it might ask to the state to whitelist the test phishing emails to see what happens when they land in employees' inboxes. DHS also offers separate phishing campaign assessments that aren’t part of RVAs.
But this testing is not something states can simply do themselves, regardless of their technical prowess, Hodge said. “There’s an old principle that if you built it, you can’t really test it objectively,” he said.
Assessments similar to the RVAs are also provided by private companies, though those cost money and require states to go through the acquisition process, Hodge said.