Modernizing voter registration Securing Automatic Voter Registration Data Webinar hosted by the Center for Technology and Civic Life & the Center for Secure and Modern Elections May 30, 2019 1:00pm – 1:45 Central Time 2
Hello, there! Whitney May Noah Praetz whitney@techandciviclife.org noah@praetzconsulting.com Maurice Turner mturner@cdt.org 3
The Center for Technology & Civic Life Using technology to improve how local government and communities interact @HelloCTCL www.techandciviclife.org 4
CSME/Implementation Working Group CENTER FOR SECURE AND Supporting election and agency administrators and advocates to ensure automated voter registration systems are implemented to maximize the accuracy and completeness of voter rolls while improving efficiency. Providing design, legal, communications, and data transfer support through our networks, as well as insight into campaigns and implementation efforts around the country. Comprised of a number of individuals and institutions. Staffed by Scott Seeborg of Center for Secure and Modern Elections: scott@modernelections.org 5
Housekeeping • Mute your audio if you aren’t speaking • Use chat to communicate • Update your screen name 6
Voter registration at the DMV and other agencies Motor Voter/NVRA/Federal Law Customers at motor vehicle agencies and state Health and Social Services agencies are offered the opportunity to register to vote under the National Voter Registration Act (NVRA). Automatic Voter Registration/State Law (so far) Qualified people who apply for or renew a driver’s license (or other government service) are automatically registered to vote, unless they decide to opt-out of voter registration. 7
Electronic data transfer is the key to Automatic Voter Registration The ability to transfer voter registration data quickly and accurately through electronic data transfer is a key feature of a modernized voter registration process. States using electronic data transfer have transitioned away from sharing voter registration data between agencies via paper forms and, instead, send data electronically on a regular schedule or in real time. 8
Today’s topics • Identifying threats • Learning how a secure system works • Developing a security plan
What are the threats? 10
Classes of potential threat actors Actors include nation states, hacktivists, criminal organizations, and insiders Highly resourced & sophisticated • Nation states & some hacktivist or criminal organizations; with or without insiders • Can combine cyber and physical access Sophisticated • Additional hacktivist and criminal organizations; with or without insiders • Usually advanced cyber skills Commodity • Actors with limited resources and usually without insider knowledge • Use existing tools and platforms to exploit known vulnerabilities 11
High-level threats and risks Vulnerabilities Connectivity • Hardware • Software • Access • Types of damage Confidentiality of information • Integrity of systems • Availability of systems and services • 12
Image source: www.cisecurity.org 13
Hypothetical scenarios
Hypothetical threat #1: Overburdened Clerk Scenario Clerks have growing list of election and non-election responsibilities and many offices • don’t have dedicated IT support. Clerk connects work laptop to public wi-fi network. • Risk Public wi-fi may be unencrypted which allows attackers to monitor and copy sensitive • data. Defense Virtual Private Network (VPN) apps create a protected tunnel inside a public network. • 2-factor authentication (2FA) uses 2 kinds of passwords to protect access to services • and data. 15
Hypothetical threat #2: Spearphishing a vendor Scenario Attacker sends a fake email to vendor claiming to be a Clerk who needs immediate • support. Vendor employee breaks security protocol to be helpful. • Risk Vendor employee grants database access to attacker or gives up credentials by clicking • link to fake login page. Defense Domain-based Message Authentication, Reporting & Conformance (DMARC) prevents • imposter emails. Strict role-based user access and secondary verification like a phone call. 16
Hypothetical threat #3: State-level ransomware Scenario Top-down state system is locked up because of ransomware attack • Risk No access to AVR records means no validation against Electronic Registration • Information Center (ERIC) records and no distribution of current records to localities. Defense Develop and practice robust business continuity plan, including testing back-ups to • minimize downtime of services. 17
How does a secure system work? 18
Encryption A secure system safeguards data at rest and in transit. ERIC example: “HMAC-SHA2-256 one-way hashing algorithm with a 1024-bit secret key. The secret key is housed in a PKCS#11 interfaced secure store that leverages AES-128 encryption. The distribution of the hashing application to the ERIC members is a closely monitored and structured process." 19
Validation A secure system ensures data is not corrupted as a result of error or attack. Remember: • AVR is likely to have more in-depth interconnectedness than OVR. • There is increased risk of non-voting data (e.g. social security number, driving restrictions) being changed intentionally or maliciously, or corrupted as a result of an error or attack. 20
Monitoring A secure system detects unusual traffic which can indicate fraud or an attack. Unusual traffic may include: • Requests from non-local IP addresses • Excessive outbound data flows • Activity during non-business hours 21
Developing a security plan 22
Top-down versus bottom-up Top-down system: Data hosted on a single, central platform of hardware and maintained by the state with data supplied by local jurisdictions Bottom-up system: Data hosted on local hardware and periodically compiled to form a statewide voter registration list Hybrid approach: Combination of a top-down and bottom-up system 23
How to get started • Map how other systems connect to voter registration database • Know who has access to what • Limit access to those who need it • Monitor permission changes • Require 2FA • Establish baseline activity • Make frequent backups and test them • Conduct penetration testing 24
Create a Memorandum of Understanding (MOU) 1. Introduction 2. Purpose 3. Scope 4. Definitions 5. Policy 6. User procedure requirements 7. Maintenance 8. Oversight 9. Responsibility for SOP compliance 10. Updates to MOU Source: https://transition.fcc.gov/pshs/docs/clearinghouse/DHS-MemorandumOfUnderstanding.pdf 25
Secure automatic voter registration data by: Today’s takeaways Updating data validation • procedures Keeping traffic logs • Practicing data recovery • 26
Group discussion questions What resonated with you today? What did we cover that you have questions about? Is there some thing we didn’t discuss today that you’re curious about? 27
Resources Recording of this webinar will be posted on the CTCL website www.techandciviclife.org/news/webinar-securing-avr-data Watch the webinar series on Vimeo www.vimeo.com/helloctcl
Next webinar Save the date Thursday, July 11th 1:00pm – 1:45pm CT
ModernReg.org
How to get help with your implementation The IWG coordinates support for state and local election and CENTER FOR SECURE AND agencies as well as advocates working to ensure smooth implementation of automated voter registration systems. We can assist with design issues, testing, legal review, public education and engagement plans, data transfer plans, and other issues. For assistance or to learn more, contact Scott Seeborg, Center for Secure and Modern Elections scott@modernelections.org 31
Recommend
More recommend
