Update: On-going Efforts to Secure Government Websites
Among the many things we learned from our work with NBC Universal on the midterms this past November was the reality that the Internet, like it or not, is playing an ever-increasing role in the administration of elections.
This means Web sites are going to have to go through a thorough review, and in some cases an overhaul, to fortify them against unauthorized cyber-incursions. This also means significant business opportunity for cybersecurity goods and services vendors. And it likely also means government legislative action at state and federal levels.
As part of my team’s research work, which contributed to our NBC gig, we’re continuing to track all of it as it impacts our work at the Institute and the TrustTheVote Project. Here’s a quick “cornucopia of updates” (sorry, I couldn’t resist the seasonal reference)…
Federal Level
This past week, the House passed the 21st Century Integrated Digital Experience Act (H.R.5759), short name: the 21st Century IDEA. The bipartisan bill seeks to improve executive agency digital services. If enacted, the bill would mandate minimum accessibility, “searchability” (sic), and security standards for all new government websites, and require agencies to adopt web analytics tools to constantly improve sites’ functionality. Its companion bill, S.3050 - 21st Century IDEA, awaits a vote in the Senate.
Section 3(a)(5) and Section 4(a)(5) of the House and Senate bills, respectively, call for federal government websites to use an “industry standard secure connection”.
Passage of the IDEA bill is clearly needed at the federal level, but a similar website modernization mandate is needed at the state and county levels (see my note at the bottom regarding McAfee CTO Steve Grobman’s recent, enlightening post on the subject).
And while we’re on it, NextGov reports that federal agencies will soon receive an AWARE score based on data from agencies’ continuous monitoring tools, which will give DHS a holistic view of the government’s cybersecurity posture.
State Level
Last August, the Information Technology & Innovation Foundation (ITIF) published a report — Benchmarking State Government Websites — that ranked official state government websites, including their elections web pages, on speed, mobile friendliness, and security.
Most state websites scored poorly on two security features:
the use of Hypertext Transfer Protocol Secure (HTTPS), a standard protocol to encrypt communications between web browsers and websites; and
Domain Name System Security Extensions (DNSSEC), a set of protocols used to verify that the IP address associated with a particular domain name is authentic.
County Level
Similarly, a recent ProPublica survey, The Overlooked Weak Link in Election Security, reports that more than one-third of counties in toss-up congressional races in this November’s midterm elections had vulnerable eMail systems. The survey revealed a lack of two-factor authentication in several large county eMail systems: Cook in IL, Fayette in KY, Olmsted in MN, Linn in IA, Dakota in MN, Arapahoe in CO, Hamilton in OH, Hennepin in MN, King in WA, Orange in CA, and Harris in TX.
Tools to Help
This past October, McAfee, a great corporate friend of the OSET Institute, posted an article by its CTO, Steve Grobman, on its security blog that aptly illustrates how the simple “block and tackle” of election-related web site security is still often overlooked. More easy-to-understand writing like this will be necessary to properly support our election administrators in the trenches on the front lines of democracy. Good on Steve.
For our part, in the next few weeks, as an outcome of tools and research we prepared to support NBC News VoteWatch™ midterm election coverage, the OSET Institute will launch a free but very simple online service that is a mash-up of state, and in some cases local, data to help assess the cybersecurity of electoral infrastructure across the country.
Stay tuned.