Welcome to ISSA KC

The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. Through its membership, ISSA-Kansas City helps security professionals in the Kansas City area learn of information security issues and trends, which promotes education, collaboration, and leadership, and furthers the information security profession.

The Government Wants You—To Hack U.S. Election Systems

Posted by VP ISSA Wednesday, November 15, 2017



Two U.S. senators have introduced bipartisan legislation aimed at protecting American election systems from foreign interference.

The Securing America’s Voting Equipment (SAVE) Act would help shield voting systems, registration data, and ballots from theft, manipulation, and malicious computer hackers.

And requires your help to “hack the election.”

Among various authorizations and mandates, the proposed bill includes the creation of a “Cooperative Hack the Election” contest: Participants work with vendors to uncover (and ultimately defend against) threats to electronic voting systems.

The goal of the annual bug bounty program is to “strengthen electoral systems from outside interference”; participants who discover the most significant vulnerabilities earn an as-yet-unspecified award.

Hackers, however, may not “exploit” uncovered vulnerabilities or “publicly expose” them, according to the legislation.

“Our democracy hinges on protecting Americans’ ability to fairly choose our own leaders,” Sen. Martin Heinrich (D-N.M.), who co-wrote the bill with Sen. Susan Collins (R-Maine), said in a statement. “We must do everything we can to protect the security and integrity of our elections.”

The move comes after reports that election-related networks, including websites, in 21 states were targeted by the Russian government during the 2016 campaign.

If enacted, the SAVE Act would invite developers, network specialists, security experts, cyber criminals, and anyone with average computer skills who lives in their parents’ basement to infiltrate nationwide systems.

It also facilitates information sharing, provides guidelines for best practices, and entitles states to additional funding to develop their own solutions to election threats.

The Department of Homeland Security in June confirmed that “a small number” of voting networks—including those in Arizona and Illinois—were successfully compromised last year. Reports also suggested that voter registration databases in 39 states were penetrated.

A “truly disturbing” reality that Collins said should “serve as a call to action to assist states in hardening their defenses against foreign adversaries that seek to compromise the integrity of our election process.”

“Until we set up stronger protections of our election systems and take the necessary steps to prevent future foreign influence campaigns, our nation’s democratic institutions will remain vulnerable,” Heinrich added.
(Fortunately, this bill (S.2035) is being given only a 4% chance of actually becoming law.)
Title I calls for the Director of National Intelligence to sponsor a security clearance up to Top Secret for each eligible chief State election official and one designee of such official. In general, the chief State election official is the state’s Secretary of State. There is no mention of what happens if the designated officials either are not eligible for a security clearance or fail a required background check.
Title II directs the Secretary of Homeland Security to designate voting systems used in the United States as “critical infrastructure”. The definition of “critical infrastructure” as used in this bill is:
42 U.S.C. §5195c(e)
(e) Critical infrastructure defined
In this section, the term “critical infrastructure” means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
While the protection of voting systems is certainly important, I am not sure the designation as critical infrastructure is appropriate. Also, the designation of voting systems as critical infrastructure extends federal government control into an area traditionally left in State control. Title II also makes funds available in the form of grants for States to upgrade their voting systems, but those grants would be made available only to States that implement the best practices dictated by DHS. I don’t really have an issue with making funds available, but I think the States should be the ones to determine the best security practices for their own systems. Otherwise, there is too much potential for federal government overreach and mischief. (Just my opinion.)
Title III is the one that establishes the “Cooperative Hack the Election Program” and directs the DHS Secretary to develop the program which would include the creation of “an annual competition for hacking into State voting and voter registration systems during periods when such systems are not in use for elections”.
While I understand and accept the desire and need to discover vulnerabilities in computing systems, this is the type of activity that should never be done on live, production systems. It should only take place in controlled, test and development environments, designed to duplicate live environments.
Title III provides a safe harbor from prosecution under 18 U.S.C. §1030, Fraud and related activity in connection with computers, for activities conducted that are associated with the program.
My feeling is that this is ill-advised. Offering rewards to people for attempting to break into computer systems, especially live, production systems, even within certain constraints, is not a good idea. Nor is it a prudent use of taxpayer funds. My personal opinion is that, if the States want to standardize security requirements and procedures for voting systems, it should be left to the National Association of Secretaries of State and the National Association of State Election Directors. They are responsible for the conduct of elections and can establish the standards, including the certification of vendors and equipment. If they want to consult with NIST, fine. Authorize block grants to those associations for that purpose if necessary and keep the federal government out of it (Joe Butin, CISSP, CIPP, e-mail message, November 9, 2017).
