There’s no doubt that election security is at the forefront of our minds, no matter the political party you align with. Although studies have found voter fraud to be far less widespread than the general public, influenced by mis- and disinformation, believes it to be, it’s still crucial to validate and secure the integrity of elections.
With local, state, and midterm elections ongoing, U.S. election systems must incorporate elements of network security architecture to ensure the security and integrity of elections. However, this has to be done efficiently. Zero Trust architecture, which withholds implicit trust even from personnel approved for access to resources, is not only a smart strategy for election security, but is also fully applicable to the oversight of voter registration databases.[1]
In this post, we’ll dive into some of the basics of Zero Trust Architecture (ZTA) for election protection as well as some cost-benefit analysis.
Why Zero Trust Architecture (ZTA) for U.S. Elections
Zero Trust is an approach to security architecture that expands on the concept of least privilege. Under a least privilege architecture, access to resources is provided on a rigorously contingent basis. The minimum access needed for a user to carry out enterprise functions is allowed, with the goal of preventing an intruder from moving laterally within a system after gaining entry.[2]
Under Zero Trust, no user is accorded implicit trust. In addition to a user’s approved status (granted on a least privilege basis), access is based on variable environmental conditions. A user approved for access to a resource, for example, may be denied a session or subjected to additional verification procedures if a request is made from an unusual location, the user’s device shows a change in its security profile or other deviations from behavioral patterns are observed.
A Zero Trust deployment consists of two basic components: 1) a Policy Decision Point (PDP) that reviews information provided by multiple sources against a request for access and then determines whether to grant the request; and 2) a Policy Enforcement Point (PEP) that enables, monitors, and terminates connections to a resource based on forwarded requests or policy updates received from the PDP.
In the context of U.S. elections, the dynamic control environment of a Zero Trust implementation lends itself most readily to securing voter registration databases, for which access decisions can be informed by the resources of a mature network. Activity logs and information provided by SIEM systems can alert a PDP to anomalous behavior associated with a user, threat intelligence feeds from reliable sources can flag high-severity vulnerabilities within a user’s environment, and an Identity and Access Management system can provide notifications of user attributes that fall short of compliance with access policy.[3]
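The PDP/PEP split and the environmental signals described above can be made concrete with a small simulation. The following is an added example written for this post, not code from the original article or from any election system: it models a PDP that layers a least-privilege role table (assumed roles and actions) under dynamic checks fed by constructed activity-log, device-posture, SIEM, threat-intelligence and IAM signals, and a PEP that opens sessions only on PDP approval and tears them down when a later policy update changes the decision. The role names, signal sources, thresholds and sample users are all assumptions.

```python
"""Toy Zero Trust PDP/PEP for a voter-registration database.
Added illustration; all roles, signals and sample data are assumed."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # grant only after additional verification (e.g. MFA)
    DENY = "deny"


# Least-privilege role table (assumed): the minimum actions each role needs.
ROLE_PERMISSIONS = {
    "registrar": {"read", "update"},
    "clerk": {"read"},
    "auditor": {"read"},
}


@dataclass
class AccessRequest:
    user: str
    role: str
    action: str            # "read", "update" or "delete"
    resource: str          # e.g. "voter_registration_db"
    source_location: str   # coarse location the request originates from
    device_id: str


@dataclass
class Signals:
    """Context the PDP gathers from other systems (all constructed here)."""
    usual_locations: dict    # user -> set of locations seen in activity logs
    device_posture: dict     # device_id -> "compliant" | "changed" | "unknown"
    siem_anomalies: set      # users the SIEM has flagged for anomalous behaviour
    threat_intel_flags: set  # device_ids with a high-severity vulnerability per threat intel
    iam_noncompliant: set    # users whose IAM attributes fail access policy


def decide(req, sig):
    """PDP: return (Decision, reasons) for one access request."""
    reasons = []
    # 1. Static least-privilege check: the role must permit the action at all.
    if req.action not in ROLE_PERMISSIONS.get(req.role, set()):
        return Decision.DENY, [f"role {req.role} does not permit {req.action}"]
    # 2. Hard-stop dynamic signals: deny outright, no step-up offered.
    if req.user in sig.iam_noncompliant:
        reasons.append("IAM reports user attributes out of compliance")
    if req.device_id in sig.threat_intel_flags:
        reasons.append("threat intel flags high-severity vulnerability on device")
    if reasons:
        return Decision.DENY, reasons
    # 3. Soft signals: deviations from the user's normal pattern trigger step-up.
    if req.source_location not in sig.usual_locations.get(req.user, set()):
        reasons.append("request from unusual location")
    if sig.device_posture.get(req.device_id) != "compliant":
        reasons.append("device security posture changed or unknown")
    if req.user in sig.siem_anomalies:
        reasons.append("SIEM anomaly alert for user")
    if reasons:
        return Decision.STEP_UP, reasons
    return Decision.ALLOW, ["all checks passed"]


class EnforcementPoint:
    """PEP: opens sessions only on PDP approval and terminates them on policy updates."""

    def __init__(self, signals):
        self.signals = signals
        self.sessions = {}   # session id -> AccessRequest

    def open_session(self, req, step_up_verified=False):
        decision, reasons = decide(req, self.signals)
        if decision is Decision.ALLOW or (decision is Decision.STEP_UP and step_up_verified):
            sid = f"{req.user}:{len(self.sessions) + 1}"
            self.sessions[sid] = req
            return sid, decision, reasons
        return None, decision, reasons

    def on_policy_update(self):
        """Re-evaluate every live session; any session that is no longer a clean
        ALLOW is terminated and must be re-established (with step-up if needed)."""
        terminated = []
        for sid, req in list(self.sessions.items()):
            decision, _ = decide(req, self.signals)
            if decision is not Decision.ALLOW:
                del self.sessions[sid]
                terminated.append(sid)
        return terminated


def build_sample_signals():
    """Constructed sample context; 'dev-3' is flagged by threat intel."""
    return Signals(
        usual_locations={"alice": {"county-office"}, "bob": {"county-office"},
                         "carol": {"county-office"}},
        device_posture={"dev-1": "compliant", "dev-2": "compliant", "dev-3": "compliant"},
        siem_anomalies=set(),
        threat_intel_flags={"dev-3"},
        iam_noncompliant=set(),
    )


if __name__ == "__main__":
    sig = build_sample_signals()
    pep = EnforcementPoint(sig)
    req = AccessRequest("alice", "registrar", "update", "voter_registration_db",
                        "county-office", "dev-1")
    sid, decision, reasons = pep.open_session(req)
    print(sid, decision, reasons)
    sig.siem_anomalies.add("alice")           # SIEM later flags the user
    print("terminated:", pep.on_policy_update())
```

The ordering matters: the static role check runs first so that a dynamic signal never widens access beyond what the role allows, hard signals (IAM non-compliance, a threat-intel flag on the device) deny without offering step-up, and only the softer behavioural deviations the post describes lead to additional verification. The PEP re-evaluates open sessions when signals change, which is what lets a SIEM alert raised mid-session actually cut the connection rather than only block the next login.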
Zero Trust Guidelines for Secure Elections Using Humans & Automation
The voting phase of elections concerns manual and automated functions that only minimally involve network connections. That being the case, least privilege is a more applicable architecture for securing the voting process than Zero Trust.
The integrity of ballots and voting equipment can be protected to a significant degree by allowing employees, officials, volunteers, and voters only the minimum access required to perform critical activities. For the most part, determinations of appropriate access will depend on predetermined needs rather than the fluid circumstances monitored in a Zero Trust environment.
Guidelines provided by the U.S. Election Assistance Commission (EAC) for staffing at polling locations delineate roles and responsibilities for handling ballots and equipment at this stage. When fully implemented, these guidelines provide the equivalent of a least privilege control environment by granting each participant no more than the minimum access needed to fulfill predetermined roles.
Transporters of provisional ballots and voting equipment to polling locations are not permitted contact with these assets during the actual voting process. Voting machine technicians are allowed access to equipment solely for the purpose of conducting logic and accuracy tests prior to voting. Poll workers supervising voters are permitted contact with equipment and ballots only to the extent that voters require assistance. The voters are permitted contact with equipment and ballots only during the time required to cast individual votes.
Elements of Zero Trust can be incorporated into such a scheme by codifying EAC guidelines through state and county policies, which would then serve the function of a PDP. Additionally, empowering precinct officials to enforce these policies at voting sites would provide a mechanism analogous to that of a PEP.[4]
EAC guidelines concerning the “inbound ballot process”—the counting of ballots submitted by mail—would also provide what amounts to a least privilege implementation. In accordance with these guidelines, teams of personnel are allowed access to mailed ballots only for the fulfillment of distinct functions that collectively enable the ballots to be counted. Ballot collectors transport mailed votes from drop boxes and USPS centers to a counting facility in sealed containers but are not permitted to break the seals.
A separate team at the counting facility would then unseal the votes and run them through a sorting machine to register their receipt, automatically verify signatures, and sort them. Another team of adjudicators would verify signatures not automatically accepted by sorting machines against voter databases to determine their validity. Yet another team would then scan all accepted ballots for a final tabulation, which would be conducted by other personnel on a non-networked device and reported.
County officials present at a counting facility can provide the Zero Trust function of a PEP by enforcing limitations on the various teams’ access.[5]
Cost-Benefit Analysis of Zero Trust in Elections
Zero Trust Architecture, while helpful in elections, does not come without risks. Implementation of Zero Trust and least privilege architectures in the networked environments for which they are intended comes at a financial cost to organizations.
States and counties considering their partial or full deployment for election processes likewise face decisions about whether the benefits realized through enhanced security outweigh related costs. In issuing its recommendations for counting in-person votes and mailed ballots, the EAC suggests that cost constraints may make it desirable to cross-train teams to fill multiple functions.[6] The increased contact with ballots and equipment that cross-trained participants in the vote-counting process would then have would necessarily come at the cost of diminished security.
Determining whether this cost is acceptable in the context of elections involves different considerations than those faced by private companies, for whom cost is generally measured in financial terms. State and county officials must account for intangibles, such as diminished voter confidence in the integrity of the elections process.
What’s Next for Zero Trust Architecture in Elections
State and county officials can optimize decisions about incorporating Zero Trust or least privilege controls into voting processes by weighing the likelihood and impact of actions that compromise voter rolls or ballot integrity. An official may, for example, determine from a risk assessment that the likelihood of a malicious attempt to delete names from a voter registration database is low. That official may also determine that the potential impact of such an action (rejection of an electoral outcome’s legitimacy by a significant swath of the public) is unacceptably high, leading to a decision to implement Zero Trust architecture in providing access to the database.
For more insights into Zero Trust and election security, subscribe to our blog.
1. The principle of least privilege, which limits access according to minimum need, is more applicable to the non-networked processes of counting in-person votes and mailed ballots.