Election systems need zero trust
- By Patrick Sullivan
As midterms loom at a critical juncture in the political landscape -- one fraught with distrust from cyber tampering by foreign powers -- government agencies at all levels are taking a closer look at cybersecurity around the voting systems.
New York state is currently conducting election security drills with the help of the Department of Homeland Security to restore voter confidence in the elections. The U.S. Election Assistance Commission is revising the Voluntary Voter System Guidelines -- the recommended standards for voting systems addressing functionality, accessibility, and security -- which were last updated in 2005. Following the recommendations of a congressional investigation, local elections officials are removing Wi-Fi connectivity from all voting machines.
This flurry of activity shows that government agencies are taking action to defend against the digital threats they face from hackers who scan the internet looking for opportunities to break into private systems by exploiting vulnerabilities in everything from servers to smart TVs. With thousands of domains regularly probed for the existence of newly uncovered vulnerabilities, government agencies are realizing that trust is a commodity they cannot give away. To protect the integrity of the election process as well as all the other data government holds, agencies must adopt a zero trust security posture.
What is zero trust?
A zero trust model for security architecture is exactly what it sounds like. It assumes that every network segment, whether under agency control or on the public internet, is hostile and untrusted.
There was a time when security architects assumed that their internal networks could be safe and trusted. When computers were all deskbound and hardwired to the corporate network, users who were logged into the enterprise network were assumed to be trusted -- whether they were SysAdmins, accountants or external contractors. As users have moved outside the walls of the office and applications have moved to the cloud, the assumptions driving these models need to be questioned.
Furthermore, the notion that perimeter security devices like firewalls can keep internal networks safe from penetration and worthy of being trusted has repeatedly been proved incorrect. A true zero trust model gives each user exactly what he or she needs to complete the task at hand, and nothing more.
How to apply zero trust in government agencies
Because of the sensitive data under their care, agencies are instilled with a sense of urgency around protecting their data. But the handicap of bureaucracy and legacy systems can cancel out that benefit. That said, implementing a zero trust security model is not out of reach for government. Agencies should not try to make this shift all at once. Instead they should find a strategic process that allows them to make solid, steady progress to a zero trust model.
Zero trust may be a radical change from the way agencies have set up their networks. But it is also built around a core concept as old as security itself: that of “least privilege,” or giving users as little access as possible without impacting how they do their jobs. Adopting this model requires as much a shift in philosophy as in technology. A zero trust culture means that just because a user has network access does not mean he can be trusted with every asset in an agency. Front desk clerks should not have network access to backend databases simply as a result of being located on a trusted internal network segment. Nor should contractors working with an agency's billing system have a path to employee records just because they have network access through a VPN.
Adopting a solution that helps IT teams give employees access to all the applications or systems they need at the right time without relying on an “all or nothing” approach across internal networks is crucial for success.
By moving access decisions up the protocol stack, well above the network layer, zero trust models place much more reliance on strong authentication and are rooted in a reliable understanding of user identity. These identity-aware approaches make it much easier for security architects to support least privilege and to ensure that access to each application matches the requirements of the individual's role.
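The contrast between a network-location check and an identity-aware, least-privilege check can be shown in a few lines. This is an added example, not code from the article; the role names, application names, segment labels and sample requests are hypothetical and constructed to mirror the front desk clerk and VPN contractor scenarios above.

```python
from dataclasses import dataclass

# Constructed sample policy: role -> applications that role needs (least privilege).
# Role and application names are hypothetical, modeled on the article's examples.
ROLE_GRANTS = {
    "front_desk_clerk": {"visitor_log"},
    "billing_contractor": {"billing"},
    "hr_specialist": {"employee_records"},
}

TRUSTED_SEGMENTS = {"internal_lan", "vpn"}  # what a perimeter model treats as "inside"


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    strong_auth: bool   # e.g. MFA completed for this session
    segment: str        # network location the request arrived from
    app: str            # application being requested


def perimeter_allows(req: Request) -> bool:
    """Legacy 'all or nothing' model: being on a trusted segment is enough."""
    return req.segment in TRUSTED_SEGMENTS


def zero_trust_allows(req: Request) -> tuple[bool, str]:
    """Deny by default; decide on verified identity and role, never on segment."""
    if not req.strong_auth:
        return False, "identity not strongly authenticated"
    if req.app not in ROLE_GRANTS.get(req.role, set()):
        return False, f"role {req.role!r} has no grant for {req.app!r}"
    return True, "role grant matches requested application"


# Constructed requests mirroring the article's scenarios.
SAMPLES = [
    Request("alice", "front_desk_clerk", True, "internal_lan", "backend_db"),
    Request("bob", "billing_contractor", True, "vpn", "employee_records"),
    Request("bob", "billing_contractor", True, "vpn", "billing"),
    Request("carol", "hr_specialist", True, "public_internet", "employee_records"),
    Request("carol", "hr_specialist", False, "internal_lan", "employee_records"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        allowed, reason = zero_trust_allows(r)
        print(f"{r.user:6} {r.segment:16} -> {r.app:17} "
              f"perimeter={perimeter_allows(r)!s:5} zero_trust={allowed!s:5} ({reason})")
```

The first two and the last sample requests pass the perimeter check and fail the identity-aware one, while the fourth is the reverse: a strongly authenticated user with the right role is served even from an untrusted segment.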
The integrity of the election process depends on citizens being able to trust the results that come out of it. Ironically, this requires a technology system that doesn’t trust anyone. The old mantra of “trust, but verify” must be replaced with “never trust, and always verify.” Today, there is no consistent approach to election security across the agencies responsible for ensuring it. Whatever policies become standard should include the principles of zero trust.