Inside Cybersecurity

December 2, 2023

Daily News

Center for Internet Security issues guide for election tech suppliers, identifying threats and mitigation options

By Charlie Mitchell / February 11, 2021

A new guide for providers of election-system technology “identifies the most common attack types on supply chains and provides an analysis of each election infrastructure component, the supply chain threats impacting them, and mitigation approaches,” according to the Center for Internet Security, which crafted the guidance including a five-step process for identifying and managing supply risk.

“The guide is intended to assist election technology providers in identifying the most significant cybersecurity supply chain risks for their products and choosing appropriate risk mitigation approaches for those risks. It also aids in the development and implementation of a meaningful supply chain risk management program,” according to a Wednesday release from CIS, which is home to the Multi-State ISAC and the CIS Controls and CIS Benchmarks.

The guide “focuses on the cybersecurity risks involving hardware, firmware, and software that are in the election technology supply chain. In addition to IT that ships with election equipment, this also includes externally-sourced tools used to develop hardware and software in-house, such as software development kits, code libraries, IT infrastructure, and the tools used to create, manage, and maintain that infrastructure,” according to CIS.

The guide’s “5-step process for identifying and managing suppliers based on a prioritization of risk to election technology products and services” includes:

  • Identify and document supply chain, including asset identification
  • Assess risks to prioritize critical components and services as those facing the most significant threats
  • Assess your relationships with suppliers relative to criticality of products and services
  • Align and manage supplier relationships to manage risk
  • Conduct ongoing assessment and monitoring of key dependencies associated with critical components

CIS notes in the release, “Just prior to this guide being finalized, the world learned of the SolarWinds supply chain attack. While currently there is no evidence that the SolarWinds attack impacted election offices, the new CIS guide also provides a SolarWinds supply chain attack case study.”

Aaron Wilson, CIS’ senior director for election security, explained, “The case study takes the viewpoint of an organization whose supplier has been successfully attacked, such as a customer of SolarWinds, and shows how to manage suppliers, limit the likelihood of successful attacks, and reduce the consequences when a successful attack occurs.”

EAC adopts updated voting system guidance

Meanwhile, the U.S. Election Assistance Commission on Wednesday adopted “Voluntary Voting System Guidelines 2.0,” which the commission called “a major step toward improving the manufacturing and testing of voting machines.”

According to the commission, “The four EAC Commissioners unanimously approved the VVSG 2.0 documents including the Principles and Guidelines and Requirements, as well as approving the Testing and Certification Program Manual, and Voting System Test Laboratories (VSTL) Manual.”

The National Association of State Election Directors called the guidelines a “marked improvement,” though the EAC didn’t adopt the version championed by the state officials.

“The VVSG 2.0 marks a significant step forward for our industry. NASED members have worked on the VVSG 2.0 since 2014, and we are pleased that the EAC has finally voted to approve them so that voting system manufacturers can begin building equipment that uses modern technology and meets security needs. These standards require software independence -- they must produce independently verifiable records -- as well as leverage common data formats and improve accessibility for all voters,” the NASED said in a statement.

“While we are disappointed that the VVSG 2.0 does not look, structurally, like the version preferred by most election officials and approved by the Technical Guidelines Development Committee in September 2017 or by the EAC Standards Board and EAC Board of Advisors in April 2018 (and again by all three in 2020), there is no doubt that the standards themselves are a marked improvement. NASED members will continue our work with the EAC via these bodies and as an organization to demand that the standards do not remain essentially static for another 15 years or more,” the state officials group said. -- Charlie Mitchell (