With the U.S. 2020 presidential election looming, there is a certain amount of anxiety about the state of election security systems. The federal government has not been sitting idly by, running multiple ongoing efforts, including those led by the Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA).
At the Voting Village within the DEF CON 27 conference in Las Vegas, members of CISA's National Cybersecurity Assessments and Technical Services (NCATS) outlined their mission and their challenges for election security.
"We're here to help secure our nation's election infrastructure," Jason Hill, chief of NCATS at CISA, told the audience.
Hill explained that NCATS offers its services for free to the federal government, as well as to state and local election officials. NCATS conducts cybersecurity assessments before an adversary is known to have breached a system, a point in time that he referred to as "left of boom." He added that NCATS tries to find all of the vulnerabilities it can and has several different services it offers.
One of the primary services is the Cyber Hygiene service, which is an external scan of a perimeter. Genevieve Marquardt, IT specialist at NCATS, explained that the Cyber Hygiene program does not go inside an organization. Vulnerability scanning is conducted with multiple tools, including the open source Nmap tool to identify assets and Nessus, to identify known vulnerabilities. She added that the scans are done continuously and automatically to help organization identify potential security issues.
Another core service offered by NCATS is the Phishing Campaign Assessment, which is a six-week engagement. As part of the engagement, NCATS sends six different emails to a customer, ranging from the Nigerian Prince scam to targeted spear phishing campaign, to see what will get through. Hill commented that there is usually someone that will click on one of the messages, so it's an effective exercise.
Another service offered by NCATS is the Risk and Vulnerability Assessment, a two-week penetration test.
"We have a remote penetration test where all we do is remote assessment work, including web app scanning, external penetration testing and a basic phishing campaign assessment," Hill said.
The other core program offered by NCATS is called the Critical Product Evaluation (CPE), in which equipment is tested and validated. Hill said that CISA is partnered with multiple labs where "the equipment can be sent to let some really smart people tear it down to look for software, firmware and hardware vulnerabilities."
NCATS is getting busier as the 2020 election cycle nears. Marquardt said that NCATS currently has about 1,300 customers. Of those, she noted that 200 or so are elections, but many more are starting to sign up with the elections coming up. NCATS has conducted five full phishing campaign assessments so far this year, with three more in progress. For remote penetration testing, NCATS has completed 25 engagements, with 20 more currently in progress.
Hill commented that NCATS is limited by its resources, but it can scale up through the use of third-party contractors as well.
"What we've done is we've offered to those counties and states that are asking for our services...a cyber-hygiene program. And right now we have a roughly 1,300 customers in our cyber-hygiene program and we can scale that up to about 6,000," Hill said. "There are roughly 3,007 counties in the United States, so if all of them wanted to sign up, they could."
Hill added, however, that NCATS services are voluntary and counties need to make a request in order to get them. While there are concerns and challenges that face counties and elections infrastructure, Hill cautioned that the overall situation isn't terrible.
"There are some good places, it's not all dire, that's not the picture I want to paint, because it's not that bad," Hill said. "There's really no difference between an election system and a normal network system that we test: we find the exact same vulnerabilities in all of the networks that we test."