Synack is the latest cybersecurity company to offer state elections its services for free

The cybersecurity firm Synack will offer its penetration testing services to states for free in an effort to secure election systems for the 2018 midterms.

Synack, founded by two former NSA analysts, is best known for its bug bounty program that allows its carefully curated stable of researchers to probe a client’s systems for vulnerabilities. The researchers then disclose those soft spots through Synack’s platform.

The company’s offerings are already tuned to the needs of sensitive government clients, and Synack has worked with the IRS and the Department of Defense through its “Hack the Pentagon” bug bounty program. States wary of bug bounties should have some peace of mind knowing that Synack emphasizes the intense vetting and low acceptance rate of its research team.

From now until November 6, Synack will offer free penetration testing for voter registration sites and voter databases through its “Secure the Election” initiative.

The offer’s fine print:

“Each eligible recipient will be limited to one (1) free 14-day Synack Crowdsourced Vulnerability Discovery Test of an online voter registration website or remotely-accessible database that is expected to be used in the November 2018 mid-term election.”

It’s possible that states wary of the federal government’s involvement in state and local elections will be less skittish about help coming from the private sector. The Department of Homeland Security has stepped up its role in securing elections, but federal resources, including cybersecurity audits, remain opt-in.

Synack isn’t the only security company talking to states about securing elections. In late 2017, Cloudflare announced that it would extend its DDoS protection for free to states for their voter databases, voter registration sites and election result sites through what it calls “the Athenian Project.” In April, enterprise security firm Centrify offered states its services at a discount in a similar “Secure the Vote” program.

“Synack’s pro bono service looks for vulnerabilities in remotely-accessible voter registration databases and online voter registration websites from a hacker’s perspective,” the company said in a press release.

“Synack’s crowd of researchers discovers vulnerabilities left undetected by other solutions and then helps to remediate them before an adversary can exploit them on election day.”

To protect election systems from hacking, states are getting cozier with Homeland Security

It might be a snow day in Washington, but the Senate Intelligence Committee hearing on election system security continued as planned. During Wednesday’s hearing, Homeland Security Secretary Kirstjen Nielsen and her predecessor Jeh Johnson appeared with a panel of state election officials to hash out the recommendations issued by the committee on Tuesday.

“This issue is urgent,” said Senate Intel Chairman Richard Burr in his opening statements. “If we start to fix these problems tomorrow, we still might not be in time to save the system for [2018] and 2020.”

The hearing often turned to what broke down during the 2016 election, describing the kind of measures and policies that need to be put in place to allow federal and state officials to communicate smoothly around future threats, including the established threat from Russia. We learned last year that Russia targeted election systems in at least 21 states. Many members of the committee expect other U.S. adversaries to adopt that same model around known vulnerabilities.

“Despite evidence of interference, the federal government and the states had barely communicated about strengthening our defenses,” said Senate Intel Vice Chair Mark Warner. “It was not until the fall of 2017 that DHS even fully notified the states they had been potential targets.”

So what’s changing?

For one, Homeland Security won’t let coordinating the security clearances for as many as 150 relevant state election officials get in the way of handing down important election system intelligence. Only 20 of those 150 officials have that clearance now.

“We’ve worked out the processes whereby if we have actionable information we will provide it to the state and local officials on a day read-in so we are not letting the lack of clearance hold us back,” Nielsen said. “If we have information to share with them in respect to a real threat, we will do so.”

According to Amy Cohen, executive director of the National Association of State Election Directors, an organization that brings together election officials in all 50 states, states have made “great strides” since the former DHS secretary designated all election systems as critical infrastructure in January of 2017.

States that may have been nervous about federal overreach after the critical infrastructure designation (which applied to all aspects of federal, state and local elections, including polling places, storage facilities, voter registration databases and the voting machines themselves) seem to be warming up to and opting into the “technical resources” that Homeland Security has on offer. As of today, more than half of the states have signed up for Homeland Security’s optional cybersecurity audits. That program helps states identify potential system vulnerabilities and makes recommendations based on its findings.

“To be clear, there has been a learning curve on the sharing of information,” Nielsen said. One challenge is understanding how states vary in operating and organizing their elections. For example, an election that would be run by a county in one state might be the domain of the governor or the secretary of state’s office in another.

“Today I can say with confidence that we know whom to contact in every state to share threat information,” Nielsen said. “That did not exist in 2016.”

While Homeland Security and the states have made progress since the 2016 election, those improvements are incremental and uneven. State budgets vary and some rely more heavily on federal funds for required steps for securing their elections, like purging insecure election machines and purchasing new machines that leave an auditable paper trail. Many states are currently undertaking the steps necessary to get their election systems up to Homeland Security’s recommended standards, even as U.S. adversaries likely continue to probe existing systems for cyber weaknesses.

“The threat of interference remains,” Nielsen admitted. “We recognize that the 2018 midterm and future elections are clearly potential targets for Russian hacking attempts.”

Senate Intel Committee gives Homeland Security its election security wish list

In a press conference today, the Senate Select Committee on Intelligence presented its urgent recommendations for protecting election systems as the U.S. moves toward midterm elections later this year.

“Currently we have an election upon us, and the past tells us that the future will probably hold another set of threats if we are not prepared,” Senator Kamala Harris said.

The bipartisan committee offered a set of measures to defend domestic election infrastructure against hostile foreign nations.

Before launching into the findings from its committee-wide examination of current practices, written up in an accompanying report, the group emphasized that states are “firmly in the lead” in conducting elections, although the federal government should work closely to provide funds and information.

Although there are many factors that can mitigate the risk to U.S. elections, election equipment itself, particularly internet-connected systems, remains a core concern in the report:

“States should rapidly replace outdated and vulnerable voting systems. At a minimum, any machine purchased going forward should have a voter-verified paper trail and no WiFi capability. If use of paper ballots becomes more widespread, election officials should re-examine current practices for securing the chain of custody of all paper ballots and verify no opportunities exist for the introduction of fraudulent votes.”

Because financial need varies from state to state, the committee recommended legislation that would create a grant program through which states could apply for election security funds, including the funding needed to conduct system audits.

“States should use grant funds to improve cybersecurity by hiring additional Information Technology staff, updating software, and contracting vendors to provide cybersecurity services, among other steps,” the report states.

The rest of the report focused on how to bolster U.S. election infrastructure and practice against foreign attacks. Now that the potential vulnerability of U.S. election systems is widely known, Russia may not be the only adversary looking to poke holes in U.S. systems.

“It may not be the Russians next time,” Sen. James Lankford said. “They have set a pattern that others could follow.” That means that Iran, North Korea or even domestic hacktivist groups could be following along.

The committee recommends that the U.S. work with allied countries to create international cyber standards to deter hostile nations from taking advantage of current gray areas in cyber policy, making it clear that attacks on election systems are “hostile acts.”

“We need a more transparent cyber doctrine so that other nation-states are on notice,” New Mexico Senator Martin Heinrich said.

The committee made multiple mentions of the Department of Homeland Security’s failure to coordinate with states — and state-level distrust of that department — during the 2016 election. In the past, information sharing between federal and state officials has been hampered by slow processes for obtaining the proper security clearances for state and local election workers.

“The Intelligence Community should work to declassify information quickly, whenever possible, to provide warning to appropriate state and local officials,” the report states.

States also lag behind when it comes to knowledge and implementation of basic cybersecurity best practices like two-factor authentication. The committee urges DHS to work to educate the states to establish a set of best practices to mitigate risk.

Tomorrow, the committee will have a chance to hand its wish list over in person. Homeland Secretary Kirstjen Nielsen will appear in the first of a three-panel hearing, alongside Obama-era secretary Jeh Johnson, who oversaw the department during the 2016 election.