How public-private partnerships can support election security
Bruce Potter is our CISO here at Expel. In his past life, he served as the senior technical advisor to the members of President Obama’s Commission on Enhancing National Cyber Security.
It’s only March but it feels like November 2020 is right around the corner. In case you’ve been living under a rock, election security is a hot topic leading up to the next national election — every day there’s a new headline about how to improve election technology or get rid of it altogether or how to stop threat actors from meddling in U.S. elections. Between security at the ballot box, concerns around central voting databases, issues with third-party data aggregators and information operations on social media, there’s a lot to keep tabs on.
Many of the potential answers to the “What should we do about it?” question fall into the public policy realm. Various national, state and local agencies are responsible for addressing some of these issues. The integrity of voter registration databases is largely a state and local government concern. As much as private industry may have opinions on how to properly secure these systems, it is ultimately the job of dedicated civil servants to decide what to protect and how to do it.
That begs the question …
What can and should the private sector do? And specifically, how and why should private sector security organizations be involved?
Cybersecurity companies have an incredible capability to know the nitty gritty details of malware and malicious activities that are happening inside our customers’ networks and systems every single day. These companies are the ones that are on the front lines when it comes to defending businesses against attacks ranging from commodity malware to highly targeted state actors.
While the U.S. government does its part when it comes to protecting our democracy and could do even more, the reality is that many citizens look to the government for help in times of crisis but want the government to be involved in as little as possible on a regular basis.
I’ve done a fair bit of contract work with the government that had the potential to positively impact the private sector, but there were often hurdles outside each respective agency’s control that stalled or complicated each project. First — which is sometimes the case for cybersecurity in general — there are various spheres of authority that get in the way of productive outreach. The National Security Agency (NSA) has lots of great ideas but is in general only responsible for the protection of classified systems. The Defense Advanced Research Projects Agency (DARPA) and the Department of Defense (DoD) have “defense” in their names, so you know what their focus is. And the Department of Homeland Security (DHS) is often focused on critical infrastructure but not on protecting citizens at large.
With no single agency leading the charge on all things cybersecurity, it’s difficult to find a point person to conduct public outreach.
Second, and more the purview of the private sector, is the concern that when the government shows up and says, “We’re from the government, we’re here to help,” our natural inclination is to be incredibly skeptical. It can be difficult to accept assistance and outreach from a government agency when there’s no overt problem to contend with. However, without ongoing involvement that starts long before there’s ever a problem, it’s difficult if not impossible for the government and private sector to collectively be effective when there’s an issue.
Private industry is an essential part of our national defense when it comes to cybersecurity. The stronger the security of private industry organizations and their service providers is, the better the security of our nation. We’ve recognized that in formal policy already through the Clinton-era Critical Infrastructure definitions.
It’s time we think about how private industry can participate in protecting our democracy through future election cycles.
Imagine a public-private partnership — yes, this is an overused phrase and even a “dirty word” in some circles — between U.S. government entities “in the know” and cybersecurity companies that have visibility into global networks with the specific purpose of sharing information around election integrity. While there are pockets of sharing outside of critical infrastructure verticals (sometimes through MOUs, other times through a simple handshake), there is no comprehensive program in place to share information about election security with a broad set of private sector partners.
What advantage would this type of program have? First off, managed security service providers (MSSPs) and endpoint detection and response (EDR) companies have an incredible view into the global operations of businesses across many industries, and a deep understanding of the security concerns and threats they face each day. If the U.S. government would share the tactics, techniques and procedures of known election threat actors, private sector cybersecurity firms could develop custom detection rules to find these actors within the global networks we have visibility into already. Then, working with our customers, we could quickly share information with the government to inform their operations and help stop attacks against our election systems.
Further, this sort of partnership will shed light into the darkness. The more that private sector entities become engaged in this problem, the fewer places the adversaries have to hide. While we know some of what has transpired in social media, little of that has been shared with the public and the data has largely been confined to a few large tech companies. Involving a broad group of cybersecurity organizations in these activities will help demystify malicious activities that target not just U.S. elections but those around the globe.
Of course, this type of partnership doesn’t come without risk. Cybersecurity companies are often third parties to the data they oversee — the data is actually owned by their customers and can’t be shared without explicit permission. In order to be successful, this type of program would have to be well socialized in advance in order to get buy-in not just from the cybersecurity companies but from the organizations they support. Which means that if a program like this were to exist, the gears need to be turning now in order to have an impact on the 2020 elections.
Private sector cybersecurity companies can do far more than just writing blog posts about election security or shaking their collective fists at the cloud. By pulling more private sector partners into the fight against election meddling, the U.S. government can multiply the impact of the knowledge it already has about election threat actors. And by including a broad set of companies — not just a few large companies — we can collectively see into more dark corners and find more malicious activity than would otherwise be possible.
We’d also be spreading knowledge of our actions farther and wider, giving a sense of real progress and security to the public at large. At the end of the day, that’s exactly what our citizens and our national election systems deserve.