Rob Joyce is the Senior Advisor for Cybersecurity Strategy at the National Security Agency. He was also a key speaker at DEF CON 26, the premier hacker convention held every year in Las Vegas. Following in the footsteps of previous NSA leaders, Joyce’s mission at DEF CON this year was two-fold: to share information about the needed focus on national cybersecurity-focused threats and to recruit some of the world’s top talent to join in the mission. Joyce penned the following opinion piece for The Cipher Brief just weeks before the 2018 midterm elections.
OPINION — Many different organizations and individuals need to pull together to ensure we have secure and trustworthy elections. The distributed nature of our elections throughout the state and local governments means there are widely varying levels of expertise and resources available, even when state and local officials leverage the federal government for support. This election infrastructure can be expansive, and includes the voting machines themselves, the tabulation processes, the voter registration databases and the associated networks. Each of these requires a detailed focus from many entities to protect against adversaries seeking access to data for influence operations, threatening the availability of the services, or posing threats to the integrity of the information.
I recently caught a glimpse of the kind of offensive focus I’m talking about at the Voting Village at DEF CON 26. I witnessed private individuals donating their time to improve the security of our election processes. They’ve made incredible contributions, and are offering advancements for federal, state, and local election programs, as well as insights for the manufacturers of voting technology. Strongly connecting all the contributors to our election process needs to be a goal for improving election security. These connections are vitally important to ensure everyone is aware of the threats, best practices and needed improvements.
Amazing talent and expertise gather at DEF CON with an enthusiasm to make things better. The combination of skilled cybersecurity experts in partnership with industry and the ultimate end users of the technology – state and local election officials – is a powerful alliance. There are great examples of companies embracing the enthusiasm of the DEF CON hacking villages, the automotive hacking village being an impressive model. Watching Tesla supply equipment and change the terms of service on their warranty to fix cars damaged during cybersecurity investigations sends a powerful message about their intentions to support the security of their products. The participation of Tesla’s engineers in the automotive hacking village connects them in a deeply operational way that results in improvements. Steering the voting village to similar collaborative relationships will take us to the next level and address the constant erosion of trust, which only helps further the objectives of our adversaries.
Ignorance of insecurity does not bring you security. As time passes, the security of any device begins to erode. New exploitation techniques are developed. New investigative tools are created. Zero days are discovered in operating systems. The capabilities and repertoire of the exploiters grow. Developers of the security models for a device can never predict every creative idea that will be tried during exploitation. For these reasons, we need to continuously red team our devices and processes. This independent testing provides great benefit by straining assumptions and uncovering hidden flaws.
Another key aspect of securing our election processes is simply focusing on the fundamentals. As we embrace electronic technology, the basic security practices of updating and patching are critical. Having strong adherence to recommended security design practices is vital. Often, paying attention to detail in the things that we already know how to do removes significant risk.
While DEF CON continues to foster a venue to investigate election infrastructure in the Voting Village, the focus cannot simply be about calling out the state of security in our current technology. Rather, the result needs to be developing tangible actions that lead to collaborations that will make us more secure.
Election security is a matter of national security, and there’s no question that progress has been made since 2016 – government-industry partnerships exist today that simply did not exist even a year ago. These security-focused engagements between election officials, the federal government, and vendors will undoubtedly contribute to making the 2018 mid-terms the most secure elections in recent memory. But there’s more to be done, and securing our elections is like a race without a finish line. Together as a community – hackers, government and industry – we can bring powerful assurances to a foundational component of our freedom: fair and trustworthy elections.