Election Security is National Security

By Rob Joyce

Mr. Rob Joyce is the Senior Advisor for Cybersecurity Strategy to the Director of the National Security Agency (NSA). Rob has worked at NSA since 1989, holding various leadership positions within both focus areas of NSA: the Cybersecurity and Signals Intelligence missions. His previous assignment was Special Assistant to the President and Cybersecurity Coordinator at the White House where he led the development of national and international cybersecurity strategy and policy for the United States and oversaw implementation of those policies. He ensured that the Federal Government was effectively partnering with the private sector, nongovernmental organizations, all branches and levels of government, and other nations. In addition to the Cybersecurity Coordinator role, Rob was the Acting Deputy Homeland security advisor for six months and the Acting Homeland Security Advisor for a month, covering topics well beyond cybersecurity to include terrorism, health security and disaster response/recovery. From 2013 to 2017, Rob served as the Chief of Tailored Access Operations (TAO), the NSA's mission element that provided tools and expertise in computer network exploitation to deliver foreign intelligence. Prior to becoming the Chief of TAO, Rob served as the Deputy Director of the Information Assurance Directorate (IAD) at NSA, where he led efforts to harden, protect and defend the Nation's most critical National Security systems and improve cybersecurity for the nation. He was elevated to the Senior Executive Service in 2001. Mr. Joyce began his career as an engineer and is a technologist at heart. He received his Bachelors Degree in Electrical and Computer Engineering from Clarkson University in 1989 and earned a Masters Degree in Electrical Engineering from The Johns Hopkins University in 1993. Throughout his career with NSA, he has been the recipient of three Presidential Rank Awards: distinguished (2017), distinguished (2011) and meritorious (2006). Mr. Joyce has served as a Scout Master and, until lawyers got in the way, enjoyed participating with the Boy Scouts in the annual World Championship of Punkin Chunkin, building a contraption to fling pumpkins for distance. Over the Christmas holidays, he runs a computerized light display synchronized to music, which is likely visible from the International Space Station.

Rob Joyce is the Senior Advisor for Cybersecurity Strategy at the National Security Agency.  He was also a key speaker at DEF CON 26, the premiere hacker’s convention held every year in Las Vegas.  Following in the footsteps of previous NSA leaders, Joyce’s mission at DEF CON this year was two-fold, to share information about the needed focus on national cybersecurity-focused threats and to recruit some of the world’s top talent to join in the mission.  Joyce penned the following opinion piece for The Cipher Brief just weeks before the 2018 midterm elections.  

OPINION — Many different organizations and individuals need to pull together to ensure we have secure and trustworthy elections.  The distributed nature of our elections throughout the state and local governments means there are widely varying levels of expertise and resources available, even when state and local officials leverage the federal government for support.  This election infrastructure can be expansive, and includes the voting machines themselves, the tabulation processes, the voter registration databases and the associated networks.  Each of these requires a detailed focus from many entities to protect against adversaries seeking access to data for influence operations, threatening the availability of the services, or posing threats to the integrity of the information.

I recently caught a glimpse of the kind of offensive focus I’m talking about at the Voting Village at DEF CON 26. I witnessed private individuals donating their time to improve the security of our election processes.  They’ve made incredible contributions, and are offering advancements for federal, state, and local election programs, as well as insights for the manufacturers of voting technology.  Strongly connecting all the contributors to our election process needs to be a goal for improving election security.  These connections are vitally important to ensure everyone is aware of the threats, best practices and needed improvements.

Amazing talent and expertise gathers at DEF CON with an enthusiasm to make things better.  The combination of skilled cybersecurity experts in partnership with industry and the ultimate end users of the technology – state and local election officials – is a powerful alliance.  There are great examples of companies embracing the enthusiasm of the DEF CON hacking villages, the automotive hacking village being an impressive model.  Watching Tesla supply equipment and change the terms of service on their warranty to fix cars damaged during cybersecurity investigations sends a powerful message about their intentions to support the security of their products.  The participation of Tesla’s engineers in the automotive hacking village connects them in a deeply operational way that results in improvements.  Steering the voting village to similar collaborative relationships will take us to the next level and address the constant erosion of trust, which only helps further the objectives of our adversaries.

Ignorance of insecurity does not bring you security.  As time passes, the security of any device begins to erode.  New exploitation techniques are developed.  New investigative tools are created.  Zero days are discovered in operating systems.  The capabilities and repertoire of the exploiters grows.  Developers of the security models for a device can never predict every creative idea that will be tried during exploitation.  For these reasons, we need to continuously red team our devices and processes.  This independent testing provides great benefit by straining assumptions and uncovering hidden flaws.

Another key aspect of securing our election processes is simply focusing on the fundamentals.  As we embrace electronic technology, the basic security practices of updating and patching are critical.  Having strong adherence to recommended security design practices is vital.  Often, paying attention to detail in the things that we already know how to do, removes significant risk.

While DEF CON continues to foster a venue to investigate election infrastructure in the Voting Village, the focus cannot simply be about calling out the state of security in our current technology. Rather the result needs to be developing tangible actions that lead to collaborations that will make us more secure.

Election security is a matter of national security, and there’s no question that progress has been made since 2016 – government-industry partnerships exist today that simply did not exist even a year ago.  These security-focused engagements between election officials, the federal government, and vendors will undoubtedly contribute to making the 2018 mid-terms the most secure elections in recent memory.  But there’s more to be done, and securing our elections is like a race without a finish line.  Together as a community – hackers, government and industry – can bring powerful assurances to a foundational component of our freedom: fair and trustworthy elections.


Categorized as:North AmericaTagged with:

Related Articles