A recent NPR story outlined alarming election security issues on a variety of fronts. The story recounted individual security incidents impacting private companies specializing in products and services ranging from election systems and technologies to voting machines and databases.
The incidents range from the discovery that a Maryland data center company that stores Maryland’s voting data is owned by a Russian oligarch, to the Florida company that services voter registration software in eight states and was hacked by Russian operatives prior to the 2016 election, to the largest voting machine company in the country, which admitted it had installed software on its systems that is considered to be extremely susceptible to hacking.
It is this growing group of private companies and vendors that make up the decentralized approach to election security and form the basis of a cottage industry that exists because the local and state governments who run elections don’t have the resources or expertise to maintain all aspects of an election themselves.
Everyone agrees that we have reached a critical point where we have to solve the problem to protect voting data, prevent bad actor breaches, and ensure election results are accurate and documented as trustworthy. As a result, the voting industry’s security practices are understandably under intense scrutiny.
What is needed is a simple approach and solution focused on protecting critical data sets that can be applied to a myriad of voting systems, data, and applications.
It starts with the use of multi-factor authentication (MFA) and keeping voting machines disconnected from Wi-Fi networks. The current single-factor approach of simply providing a driver’s license to prove identity must be expanded to include a second step, such as a fingerprint or perhaps a code sent to a voter’s cell phone to verify the voter’s legitimacy.
The US voting system must be treated with the same standards that apply to critical infrastructure that requires similar levels of authentication before voting services can be accessed. By performing this level of voter MFA, voting machines would not be required to be connected to the Internet during the voting process, making the security of these individual voting machines effectively a non-issue.
Taking it one step further, Software Defined Perimeters (SDPs), which employ an “authenticate first” approach, would be ideal for protecting voting data stored in voting systems and by service providers in off-premises data centers. SDPs are ideal for securing every connection to a service, application or critical infrastructure. The approach is relatively simple, with each solution engineered specifically to protect a predefined service, application and/or IT environment, and has been proven as 100% effective.
For more information on SDPs, check out this white paper.