In the midterm elections set to take place later this year, all 435 seats in the House, 33 seats in the Senate and a number of state and local offices will be contested. Regardless of how the elections shake out, what matters most is the security of the process itself. If the past few years, fraught with election hacking around the globe, are any indicator, we should be skeptical about what might happen.

The voting process of the United States, and no doubt that of countries around the world, is inadequately equipped to defend against professional cyberattacks. Ethical hackers compromised a WINVote machine at the DEFCON conference in Las Vegas last year; it took them only a few minutes to break in and gain the ability to tamper with votes and voter information.


So, how do we go about protecting ourselves against these attacks and ensuring secure elections in the future? We should use hackers who have been vetted for trust and skill to test these critical assets in a controlled and managed environment.

Uncover the Unknown Unknowns

Hackers are creative, persistent, and constantly evolving. In the case of foreign government-sponsored hackers, they are also well-funded and highly skilled. To achieve their mission, they will exert immense effort to search for unknown vulnerabilities, monitor changes to connected digital systems, and capitalize on any mistakes made during system setup.

If we want to stay ahead of adversaries and protect ourselves against their methods, we have to think like them and mimic their tradecraft as part of our defenses. We can start by defining the threat model, mapping the attack surface, and devising the devious methods of influence that could turn the course of an election.

In the U.S., the most obvious attack surfaces include voting machines, voter registration systems, and the new networks established for real-time vote tallying. Instead of asking DHS to run some vulnerability scans for known vulnerabilities (which should be patched anyway) or relying on compliance-based checklists, we need to spend our effort looking for new, exploitable vulnerabilities in the many systems and networks that make up this vast attack surface. If we can uncover new vulnerabilities, including ones our adversaries may already have discovered but not disclosed, we raise the bar on the security of the entire system.

Engage a Diversity of Perspectives

In U.S. elections, especially at the state level, there are too many combinations of voting machines and network setups to test adequately using traditional methods. We need a new model that scales to this kind of diverse attack surface.

By engaging a crowd of vetted and managed hackers, we can stay ahead of the threat. Managed crowdsourced testing brings many hackers to bear on an organization's assets to discover vulnerabilities in a controlled manner, verify patches, and harden those assets against attack. This crowdsourced security model has been adopted by the public and private sectors alike, with early adoption by the Pentagon, the IRS, and Fortune 100 banks and retailers.

Where Cyber Legislation Still Falls Short

As a country, we are making considerable progress with the Secure Elections Act, the NIST Cybersecurity Framework, and other recent guidance and legislation that will help make our election processes more secure. Both the NIST Cybersecurity Framework and the Secure Elections Act call for a more “crowdsourced” approach to security. Involving independent experts who think like the adversary will certainly help states find unknown vulnerabilities that traditional scanners and compliance-based security tests leave undetected. However, there is still more to consider:

With any crowdsourced model, there are legitimate concerns about allowing outside hackers to test for sensitive vulnerabilities.

Vetting these experts for skill and integrity before they participate ensures that we can trust them to do the right thing when no one is looking.

We must set standards for the quality and rigor of these assessments.

It is important to make sure the right technology, controls, and processes are in place so that security comes first, above all else.

Further, the NIST Cybersecurity Framework aptly calls for broad adoption of vulnerability disclosure. A program that accepts vulnerability reports from the public is a good start; companies and organizations benefit from having many eyes on a target. However, organizations need to think critically about how they will manage the program, triage the high volume of reports, and uphold trust and integrity throughout.

We will not be able to say we have secured our elections to the best of our ability unless we bring trusted hackers inside and use their expertise as our defense against cyberattacks. Our leaders need to prioritize the security of our election process, and they should look for solutions that scale and that have trust, reliability and accountability at their core.

Mark Kuhr is the CTO and co-founder of Synack, a cybersecurity company that harnesses the power of crowdsourced hackers and a data-driven platform to secure digital assets.