I. In Focus This Week
Keeping voter sites secure while still keeping them accessible
By M. Mindy Moretti
This story has been updated.
Recently some Georgia voters living overseas attempted to access the state’s online voter registration database only to find that their access was denied.
Instead of access to the state’s online voter registration portal, overseas voters found an access denied warning along with contact information for assistance.
In an effort to secure the state’s website and OVR database, the Georgia secretary of state’s office made the choice to block international IPs from accessing the voter registration portal on their website. The site does remain open to those wishing to apply for their absentee ballots.
According to a spokeswoman for the secretary of state’s office, the portal will be open from Sept. 18 to Election Day.
“I have a lot of sympathy for the states on these issues because they are caught between wanting to make an increasing number of online services freely available to voters and an exponential escalation in threats,” said Susan Dzieduszycka-Suinat of the US Vote Foundation and Overseas Vote Foundation. “Not too long ago, this was being done without problems like what they face now. The attacks from hostile foreign powers are very real. These attacks are very real and bots can bog down these open services with SPAM just so many times before a state will want to put barriers up.”
However, Dzieduszycka-Suinat cautioned that blocking foreign IP addresses and locking overseas voters out of their services is the wrong kind of barrier.
“It won't really do anything to dissuade a hacker. It will only turn away real voters. A hacker, or even a determined voter, will just get onto a VPN and to a US IP address, and guess what? They're in,” Dzieduszycka-Suinat said.
The Federal Voting Assistance Program (FVAP) said that it reached out to the Georgia secretary of state’s office for a better understanding of what was happening, but that what concerned FVAP most was the information appearing on social media rather than individual state policies.
“We are aware of reports that other states may also be limiting access to their websites from foreign-based IP addresses so we will continue to monitor social media. We are actively working to encourage states to leverage us as a key resource for access in light of any new cyber security protocols,” said FVAP Director David Beirne. “What will be especially interesting is to see if the impact of a whitelisting cybersecurity policy, or special access for known entities, will affect the ability of military and overseas voters to retrieve their electronic blank ballots -- or if the impact is limited to online voter registration systems.”
The US Vote Foundation and Overseas Vote Foundation portals, as well as FVAP's, remain open to overseas IPs. According to Beirne, FVAP leverages a content delivery network which provides duplicate web servers for U.S. and worldwide distribution to offset internet latency in other countries. FVAP also maintains a web application firewall to dynamically mitigate intrusion attempts.
We reached out to some of the states that have the highest percentages of members of the armed services and that offer online voter registration, and the response was mixed.
Virginia Elections Commissioner Christopher Piper said that the commonwealth does not comment on specific election security protocols; however, a quick check by a friend living overseas in one of the former Soviet republics found that Virginia’s online voter registration portal remains accessible to overseas IP addresses.
According to Hillary Rudy with the Colorado secretary of state’s office, most international IPs have access to Colorado’s online voter registration site. Colorado does have network blocks in place on some nations due to a high volume of attacks coming from the region. The Colorado Department of State also blocks IP addresses attempting to attack its systems, no matter the source of the traffic, until the attack stops.
In South Carolina, where the state election commission's website is overseen by the state's IT department, the portal remains open to overseas IPs.
"Our firewalls rules for online voter registration and our statewide voter registration system are managed by our state Division of Technology Operations (DTO). Blocking international IPs could have a negative impact on legitimate registrations, particularly by military and overseas citizens," explained Chris Whitmire, director of public information and training. "We also understand that this type of control can be circumvented using a spoofed IP address."
The Washington secretary of state's website and online voter registration system remains open to international IPs.
"Washington State used multiple third-party sources to help identify malicious domains and IP addresses and dynamically block them," explained Erich Ebel, communications director for the secretary of state's office. "In addition, if suspicious traffic is detected by the security devices, the system will dynamically block suspect addresses. The next layer of defense are our Security Analysts, who may at times elect to block certain IP addresses."
Ebel said the secretary of state's goal is to keep the public-facing elections website accessible to as many Washington voters as is feasible, wherever they are in the world.
Whitelisting and Blacklisting
One way that states can secure their sites, and one that some already employ, is whitelisting and blacklisting.
According to FedTech, the use of blacklisting as a form of cybersecurity protection is common, but it requires security personnel to keep a permanent eye out for any malware they want to block from an agency’s IT environment. Whitelisting lets IT teams grant advance permission for specific, trusted items (such as applications or URLs) to run on the network, instead of blocking access to previously identified risks and threats.
Colorado employs both.
“We use whitelisting based on known users as well as blacklisting of known malicious IPs. Whitelisting and blacklisting is done both by in-house staff and through threat intelligence platforms,” Rudy explained. “The cost to a jurisdiction of using automated threat sharing feeds is dependent not only on the cost of the feed itself (in our case, approximately $10,000 annually), but also based on the ability of technical infrastructure to ingest or consume those feeds and apply them automatically.”
Beirne from FVAP said that whitelisting versus blacklisting isn’t an either/or proposition and that FVAP would also offer that neither is a single solution to cybersecurity, but both operate as part of a comprehensive approach. Whitelisting conveys a sense of limiting access which is accurate for more sensitive areas of a website. Blacklisting is a recognition of known bad actors or those of a particular reputation.
Beirne said it’s important to recognize the need for an audit of traffic prior to whatever form of security is implemented.
“There is no doubt that whitelisting holds value, but the relative benefit needs to be weighed against the relative cost of limiting access,” Beirne said. “For example, an audit of web traffic historically can help identify the need for blacklisting against known bad actors and only whitelist those portions of a website that require a deeper level of privileged access to some portion of a system on the backend.”
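The audit Beirne describes can be sketched as a replay of historical traffic against candidate policies before any of them is enforced. The following is an added example, not code from FVAP or any state: the log entries, address ranges (reserved documentation ranges), paths and labels are all constructed, and the two policies are simplified models of a country-level block and of a blacklist combined with a whitelist on privileged paths only.

```python
import ipaddress

def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in networks)

# Constructed ranges (RFC 5737 documentation space), assumptions for illustration.
DOMESTIC = nets("198.51.100.0/24", "192.0.2.0/24")  # stands in for U.S. address space
BLOCKLIST = nets("203.0.113.0/28")                  # known bad actors from a threat feed
ALLOWLIST = nets("192.0.2.0/24")                    # known users (election staff)
PRIVILEGED = ("/admin/",)                           # hypothetical back-end paths

# Constructed audit log: (source IP, path, label assigned during the audit)
LOG = [
    ("198.51.100.7",  "/register",     "voter"),   # domestic voter
    ("203.0.113.200", "/register",     "voter"),   # overseas voter
    ("203.0.113.201", "/register",     "voter"),   # overseas voter
    ("203.0.113.5",   "/register",     "attack"),  # blacklisted source
    ("198.51.100.66", "/register",     "attack"),  # attacker behind a domestic VPN exit
    ("192.0.2.10",    "/admin/export", "staff"),
    ("198.51.100.66", "/admin/export", "attack"),
    ("203.0.113.5",   "/admin/export", "attack"),
]

def geo_block(ip, path):
    """Allow only domestic addresses, regardless of path."""
    return in_any(ip, DOMESTIC)

def layered(ip, path):
    """Blacklist everywhere; whitelist only on privileged paths."""
    if in_any(ip, BLOCKLIST):
        return False
    if path.startswith(PRIVILEGED):
        return in_any(ip, ALLOWLIST)
    return True

def audit(policy):
    """Replay LOG and count legitimate requests denied and attacks let through."""
    result = {"legit_denied": 0, "attacks_allowed": 0}
    for ip, path, label in LOG:
        allowed = policy(ip, path)
        if label == "attack" and allowed:
            result["attacks_allowed"] += 1
        elif label != "attack" and not allowed:
            result["legit_denied"] += 1
    return result

if __name__ == "__main__":
    for policy in (geo_block, layered):
        print(policy.__name__, audit(policy))
```

On this constructed log the country-level block turns away both overseas voters while still admitting the attacker who arrives from a domestic address, and the layered policy denies no legitimate request but still lets one unlisted source reach the public page.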