Access Denied: electionlineWeekly on Making Websites Secure Yet Accessible for Overseas Voters
[Image via itexperience]
electionlineWeekly’s Mindy Moretti has a timely look at an issue that arises when election offices are caught between making elections accessible to voters and protecting themselves from outside threats:
Recently some Georgia voters living overseas attempted to access the state’s online voter registration database only to find that their access was denied.
Instead of access to the state’s online voter registration portal, overseas voters found an access denied warning along with contact information for assistance.
In an effort to secure the state’s website and OVR database, the Georgia secretary of state’s office made the choice to block international IPs from accessing the voter registration portal on their website.
According to a spokeswoman for the secretary of state’s office, the portal will be open from Sept. 18 to Election Day.
“I have a lot of sympathy for the states on these issues because they are caught between wanting to make an increasing number of online services freely available to voters and an exponential escalation in threats,” Susan Dzieduszycka-Suinat of the US Vote Foundation and Overseas Vote Foundation. “Not too long ago, this was being done without problems like what they face now. The attacks from hostile foreign powers are very real. These attacks are very real and bots can bog down these open services with SPAM just so many times before a state will want to put barriers up.”
However, Dzieduszycka-Suinat cautioned that blocking foreign IP addresses and locking overseas voters out of their services is the wrong kind of barrier.
“It won’t really do anything to dissuade a hacker. It will only turn away real voters. A hacker, or even a determined voter, will just get onto a VPN and to a US IP address, and guess what? They’re in,” Dzieduszycka-Suinat said.
The Federal Voting Assistance Program said that they reached out the Georgia secretary of state’s office for a better understanding of what was happening, but information appearing on social media is what concerned FVAP most rather than individual state policies.
“We are aware of reports that other states may also be limiting access to their websites from foreign-based IP addresses so we will continue to monitor social media. We are actively working to encourage states to leverage us as a key resource for access in light of any new cyber security protocols,” said FVAP Director David Beirne. “What will be especially interesting is to see if the impact of a whitelisting cybersecurity policy, or special access for known entities, will affect the ability of military and overseas voters to retrieve their electronic blank ballots — or if the impact is limited to online voter registration systems.”
The US Vote Foundation and Overseas Vote Foundation as well FVAP portals remain open to overseas IPs. According to Beirne, FVAP leverages a content delivery network which provides duplicate web servers for U.S. and worldwide distribution to offset internet latency in other countries. FVAP also maintains a web application firewall to dynamically mitigate intrusion attempts.
We reached out to some of the states with the highest percentages of members of the armed services, and that offer online voter registration, and the response was mixed.
Virginia Elections Commissioner Christopher Piper said that the commonwealth does not comment on specific election security protocols, however, quick check by a friend overseas, living in one of the former Soviet republics, found that Virginia’s online voter registration portal remains accessible to overseas IP addresses.
According to Hillary Rudy with the Colorado secretary of state’s office, most international IPs have access to Colorado’s online voter registration site. Colorado does have network blocks in place on some nations due to a high volume of attacks coming from the region. The Colorado Department of State also blocks IP addresses attempting to attack its systems, no matter the source of the traffic, until the attack stops.
Whitelisting and Blacklisting
One way that states can secure their sites—and some are already employing—is whitelisting and blacklisting.According to FedTech, the use of blacklisting as a form of cybersecurity protection is common, but it requires security personnel to keep a permanent eye out for any malware they want to block from an agency’s IT environment. Whitelisting lets IT teams grant advance permission for specific, trusted items (such as applications or URLs) to run on the network, instead of blocking access to previously identified risks and threats.
Colorado employs both.
“We use whitelisting based on known users as well as blacklisting of known malicious IPs. Whitelisting and blacklisting is done both by in-house staff and through threat intelligence platforms,” Rudy explained. “The cost to a jurisdiction of using automated threat sharing feeds is dependent not only on the cost of the feed itself (in our case, approximately $10,000 annually), but also based on the ability of technical infrastructure to ingest or consume those feeds and apply them automatically.”
Beirne from FVAP said that whitelisting versus blacklisting isn’t an either/or proposition and that FVAP would also offer that neither is a single solution to cybersecurity, but both operate as part of a comprehensive approach. Whitelisting conveys a sense of limiting access which is accurate for more sensitive areas of a website. Blacklisting is a recognition of known bad actors or those of a particular reputation.
Beirne said it’s important to recognize the need for an audit of traffic prior to whatever form of security it implemented.
“There is no doubt that whitelisting holds value, but the relative benefit needs to be weighed against the relative cost of limiting access,” Beirne said. “For example, an audit of web traffic historically can help identify the need for blacklisting against known bad actors and only whitelist those portions of a website that require a deeper level of privileged access to some portion of a system on the backend.”
Just as election offices need to be more sophisticated in combating the threats they face, they must also find ways to keep out bad actors without shutting the door on voters attempting to vote from overseas. It’s yet another layer in the cybersecurity challenge for the election community – but fortunately there are many sources of assistance. Thanks to Mindy for writing this story – and to FVAP, OVF and those states who are keeping the lines open even as they raise their guards. Stay tuned …