Secure America

How Counties can Upgrade Old Voting Equipment and Achieve Secure, Constant Connectivity and Cost Savings

A main priority for the 2020 elections is ensuring that voter data is protected and secure after hackers targeted a reported 21 states in the 2016 election. State, local, tribal and territorial governments have the right to operate their own election procedures and must take their own precautions in setting up a voting system with security at the top of mind.

In 2018, Congress set aside $380 million so that counties across the U.S. can upgrade their voting systems.  The use of old voting machines and equipment that isn’t manufactured anymore creates considerable security vulnerabilities that are unable to be patched, or machines breaking down when they’re needed the most. This time around the highest priority will be ensuring election results have better built-in cyber defenses and can continue to operate resiliently.

Security is such a large factor because counties need the assurance that voter data and personal information remains completely private. Further, with many having few to no IT staff onsite, counties need a network solution that is fast to deploy and is easy to maintain with the ability to troubleshoot connectivity and security remotely.

There are some excellent resources for State, Local, Tribal and Territorial government IT leaders for how to secure all aspects of an election systems infrastructure including endpoint and application security.  The National Cybersecurity and Communications Integration Center’s (NCCIC) has documented best practices for securing election systems infrastructure – Security Tip (ST19-001).  Additionally the Center for Internet Security has a “Handbook for Elections Infrastructure Security” that has prioritize list of security requirements to follow for securing election systems.

Counties that are using Internet connected voting systems also need reliable, secure, and constant connectivity for their temporary polling places. These locations stretch all across the U.S. from places like rural towns — where it might be difficult to get connectivity — to big cities.

Secure Connectivity for Elections

Cradlepoint offers secure edge networking for elections through its NetCloud Service for branch and pop-up networks.  Cloud-managed and software-defined routers include advanced security and Unified Threat Management (UTM) features, such as app-based control, multi-zone firewall, web content filtering, and comprehensive Intrusion Protection System (IPS) and Intrusion Detection System (IDS) and secure web gateway functionality from Z-Scaler.

Through NetCloud Manager, Cradlepoint’s cloud-based network management service — regardless if there is only one vote center, or hundreds or thousands, the network can be managed from one centralized management and reporting location. NetCloud Manager provides zero touch deployment of all edge routers and with a consistent and updated configuration. This saves time with over tasked IT teams and provides complete reporting and visibility down to the web sites visited, the applications running at each location, and any threats that have been mitigated by the layered security functions running at each location.

The Cradlepoint solution also comes with NetCloud Perimeter, a free software defined networking capability that delivers encrypted network isolation from all common network access methods. This feature is used for isolation of any device that communicates over IP based networks. This ensures complete security and privacy of all communications because only devices that are invited to participate and authenticated can communicate on the private software defined network. NetCloud Perimeter uses an authenticate first connect later approach, and that authentication action is only possible via invitation to the network and can be managed via NetCloud Manager.

Connection Flexibility & Multi-Carrier Failover

For a constant connection and uptime in the most remote locations, counties can count on seamless failover between a variety of WAN sources, keeping election services up and running without downtime, which could be disastrous. In rural areas with inconsistent connectivity, the ability to leverage dual LTE modems to automatically fail over between carriers is the only way to ensure constant connectivity to ensure every vote is cast. 

Cost-Savings

Through multi-WAN connectivity, robust data security, cloud-based network management, and software-defined technologies saves significant money on hardware and IT man-hours.

It was just recently announced that the Department of Homeland Security (DHS) will fund grant programs totaling more than $1.7 billion to state, local, tribal, and territorial governments as well as transportation authorities, nonprofit organizations, and the private sector to help with the Nation’s fight against terrorist attacks, major disasters, and other emergencies. Grant recipients can use the programs in part to implement activities related to cybersecurity.

Aside from available opportunities from the government to achieve a safer nation, there are a variety of ways states and counties can prepare for secure networking during elections. 

Safeguarding County Voting Systems

During elections, some counties need to install temporary voting centers.  Voting centers could go up at a variety of locations, and with few to no IT staff onsite, they need a network solution that can secure the network and be simple to deploy and easy to maintain. Network security and availability is mandatory for sensitive voter information and counties need to be prepared to deploy a network solution and have a simple conversation about how it is set up and works, should the public ask. In this blog I’ll list out a number of methods agencies can utilize to ensure reliable and secure networking for voting centers.

Educate Employees
 

It’s imperative for agency employees and personnel to be savvy about how network breaches occur. According to Verizon DBIR 2019 Executive Summary Report, Privilege Misuse and Error by insiders account for 30 percent of breaches in the public sector.  Having solutions that are easy to deploy and maintain with minimal human intervention is one way to help improve this risk for a public agency.  Additionally, phishing is a major attack vector that nearly all organizations must deal with. According to a report by PhishMe, 91 percent of cyberattacks start with a phishing email. Cybersecurity is a shared responsibility when it comes to combating the ongoing threat of phishing attacks, malware, and other security breaches that occur year-round. By making all personnel aware of how to look for cyber threats, they can work together to stay secure.

Patch Early & Often
 

One simple way to keep networks secure is to make sure all devices, applications, and operating systems are patched and updated.  Regardless of the size of the agency, they should adopt a ‘patch early, patch often’ way of thinking to protect networks with regular reviews of system settings.

IDS/IPS Products
 

Agencies can use products with intrusion detection systems (IDS) and intrusion prevention systems (IPS), which are key tools for protecting the network against cyber-attacks. IPS sifts through IP traffic coming into the router, detects attack attempts, and rejects malicious packets. If the router has a cloud management system, an IPS tool can work with the cloud manager to provide real-time alerts that notify the organization when an attack is taking place and should be blocked.  Additionally, integrating the network and endpoint security logs into a centralized Security Incident and Event Manager (SIEM) tool will improve the efficiency responding to high priority security events.

Segment Out the Network
 

Another way to prevent intruders from reaching an agency’s valuable data is network segmentation. Using an application aware firewall combined with virtual LAN configurations can better lock down the network and communications between different networks to only allow certain applications to communicate, thus blocking rogue communications paths. This can help with data breaches such as pivot attacks, where hackers breach an easily accessible part of the network, then move from there into an area where sensitive data is stored. Agencies that use multiple connection LTE gateways can also segment applications onto their own devoted networks, thus eliminating pivot attacks from happening at the voting centers.  This is called “air-gapping” the network.

Software-Defined Perimeter
 

Agencies can also use software defined perimeter technology, where possible, to allow for micro-segmentation. For example, Cradlepoint’s NetCloud Perimeter allows agencies to micro-segment users, devices, groups, applications, and resources with simple software only policies, as well as offer LAN-like performance to remote users on virtually any device, in a matter of minutes — without complex configurations. These invitation-only encrypted overlay networks are highly secure, as they utilize a private address space — eliminating the need for routable IPs on the Internet — thus obscuring them from potential hackers.

Private LTE
 

The use of WANs with (NAT)’d or private LTE IP networks is also beneficial. Private IP addresses provide a way for devices to communicate with the other devices on a network without being directly exposed to the public Internet and using the agency’s private address space.

Defense in Depth
 

Another defense method to prevent malware from infecting systems is using defense in depth endpoint protection. Defense in depth is a cybersecurity protection method that uses multiple security measures to protect the network. So, if one line of defense is breached, additional layers of defense are set up to ensure that threats can’t get through. One product that Cradlepoint partners with is Zscaler.  Zscaler delivers additional safety measures to networks such as: advanced persistent threat (APT) protection, web filtering, data loss prevention, cloud application visibility, guest WiFi protection, SSL decryption, traffic shaping, policy management, and threat intelligence. 

The Nationwide Cybersecurity Review Yearly Assessment (NCSR)
 

NCSR is a no-cost, anonymous, annual assessment designed to measure gaps and capabilities of state, local, tribal and territorial governments’ cybersecurity programs. It’s based off NIST 800-53 standards and has other compliance crosswalks, like CIS 20 controls, HIPAA and PCI built in. 

The assessment can be used to:

  • Set security baselines for your organization to improve security posture and keep cybersecurity top of mind
  • Use as a security roadmap for your organization and has reports and templates to compare and report your posture verses your peers and other agencies
  • Help agencies operationalize and improve your security posture

Questions / More Information Contact USAT:

For all your M2M connectivity needs visit ExpressM2M a service of USAT

For consultation on your next M2M / IoT project contact a USAT Representative