Comments on Voluntary Voting System Guidelines 2.0 Principles and Guidelines
The U.S. Election Assistance Commission recently held a public comment period on their Voluntary Voting System Guidelines 2.0 Principles and Guidelines. At the CERT/CC, we focus our attention on sectors that are new to (or perhaps slow to adopt) common vendor security practices like Coordinated Vulnerability Disclosure (CVD). To that end, Deana Shick, Jonathan Spring, Art Manion, and I collaborated to provide our feedback to the EAC. The remainder of this post contains the comments we submitted, lightly edited for blog publication.
The CERT Coordination Center, part of the Software Engineering Institute, a Federally Funded Research and Development Center operated by Carnegie Mellon University, has been advising and working on computer security since 1988. Based on our experience with vulnerability management, we have the following two top-level recommendations:
- The Principles and Guidelines should add a principle for supplier or vendor practices, perhaps under the heading "Maintainability." At a minimum, such a principle should specify:
  - supplier support for vulnerability management, including coordination and remediation of vulnerabilities in voting systems; and
  - that each vendor form a Product Security Incident Response Team (PSIRT), according to the FIRST PSIRT Services Framework.
- The Principles and Guidelines should recommend that anyone who finds a vulnerability in a voting system report it to the Department of Homeland Security, specifically the Cybersecurity and Infrastructure Security Agency's Vulnerability Management and Coordination team.
We also have the following suggestions:
- Principle 1 should include "securely" in "accurately, completely, robustly, and securely carry out election processes." It should add an item 1.4 to specify that "The voting system is designed using commonly accepted security engineering practices." See National Institute of Standards and Technology (NIST) Special Publication 800-160 v1 as an example.
- Principle 2.5 should identify the importance of availability of the voting systems, in addition to integrity. "Availability" is in the sense of cybersecurity, part of the confidentiality-integrity-availability trio.
- Principle 3 should encourage the integrity of the voting system throughout the supply chain, and encourage vendors to supply a software and hardware bill of materials (SBOM).
- Principle 4 should make clear that commercial off-the-shelf (COTS) devices and software need to maintain a patch management and vulnerability management capability. Any software updates to the COTS product, particularly security updates, should be integrable into the voting system without breaking the system.
- Principle 14 should include an additional item that appropriate software updates, especially security updates, be approved and applied in a timely manner.
- Principle 14 should include an additional item that updates be delivered securely, with proper cryptographic protocols as recommended by the National Institute of Standards and Technology (NIST). This also includes security for the update service itself: adversaries can employ update services as a vector to attack the integrity of the voting system (for example, the NotPetya malware used such services).
- Principle 15 should include an additional item encouraging appropriate information sharing among voting system vendors and owners. This could occur under the structure of an Information Sharing and Analysis Center (ISAC) or Information Sharing and Analysis Organization (ISAO), as encouraged by Presidential Decision Directive 63 (1998) and Executive Order 13691 (2015), respectively.