Showing posts with label Election Cybersecurity. Show all posts

Wednesday, March 27, 2024

Review - HR 7447 Introduced – Election System Pentests

Last month, Rep Spanberger (D,VA) introduced HR 7447, the Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing (SECURE IT) Act. The bill would amend the Help America Vote Act of 2002 by adding to the existing election system certification process a requirement to conduct third-party penetration testing of such systems. It would also establish a voluntary vulnerability disclosure program. No new funding is authorized by the legislation.

Moving Forward

Neither Spanberger nor her two cosponsors {Rep Deluzio (D,PA) and Rep Valadao (R,CA)} are members of the House Administration Committee to which this bill was assigned for primary consideration, nor the House Science, Space, and Technology Committee to which the bill was assigned for secondary consideration. This means that there is practically no chance that the bill will be considered by either committee. I see nothing in the bill that would engender any organized opposition. I suspect that it would receive some level of bipartisan support were it considered.

Commentary

While the term ‘penetration testing’ is used in the legislation, it is never defined. I would suggest using the definition of that term found in NIST 800-95 (pg C-3):

“A method of testing where testers target individual binary components or the application as a whole to determine whether intra or intercomponent vulnerabilities can be exploited to compromise the application, its data, or its environment resources.”


For more details about the provisions of this legislation, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-7447-introduced - subscription required.

Friday, May 26, 2023

Review - S 1500 Introduced – Election System Cybersecurity Testing

Earlier this month Sen Warner (D,VA) introduced S 1500, the Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing (SECURE IT) Act. The bill would require the Election Assistance Commission (EAC) “to provide for the conduct of penetration testing as part of the testing and certification of voting systems and to provide for the establishment of an independent security testing and coordinated vulnerability disclosure pilot program for election systems.” No funding is authorized in this legislation.

Moving Forward

Warner is a member of the Senate Rules and Administration Committee to which this bill is assigned for consideration. This means that there may be sufficient influence to see the bill considered in Committee. I do not see anything in the bill that would engender any organized opposition. I suspect that the bill would receive some level of bipartisan support. But again, as with most bills introduced in the Senate, this bill is not ‘important’ enough to be considered in the Senate under regular order. I also believe that there would be enough opposition to this bill to prevent it from being considered under the Senate’s unanimous consent process.

Commentary

One major item missing from this bill is the definition of the term ‘penetration testing’. NIST has a full page of potential definitions of the term. I think the most appropriate for this context would be the definition taken from NIST SP 800-137 under Penetration Testing. I would modify that definition slightly and add it in a new paragraph §231(e)(3):

“(3) In this section the term ‘penetration testing’ means a test methodology in which the researcher, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempts to circumvent the security features of an election system as that term is defined in §297.”


For more details about the provisions of this bill, including additional commentary about the penetration testing requirements – see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/s-1500-introduced - subscription required.

Wednesday, August 22, 2018

S 3311 Introduced – Voting Cybersecurity


Last month Sen. Blumenthal (D,CT) introduced S 3311, the Defending the Integrity of Voting Systems Act. The bill would amend the definition of ‘protected computer’ in 18 USC 1030 to include voting systems.

Protected Computer


Section 2 of the bill amends the definition of ‘protected computer’ §1030(e)(2) by adding “is part of a voting system”. It further clarifies that the voting system is either:

• Used for the management, support, or administration of a Federal election; or
• Has moved in or otherwise affects interstate or foreign commerce.

Moving Forward


Blumenthal and his two cosponsors {Sen. Graham (R,SC) and Sen. Whitehouse (D,RI)} are all members of the Judiciary Committee. This means that there is a good chance that they would have sufficient influence to have this bill considered in Committee. I do not see anything that would draw significant opposition to the bill. I suspect, however, that the current political back-and-forth on foreign political influence will cause slow movement on this bill, preventing consideration during the remaining months of this session.

Commentary


The big problem with this bill is the lack of definition of ‘voting system’. While the new paragraph §1030(e)(2)(C)(I) looks like an attempt at a definition by stating “is used for the management, support, or administration of a Federal election” the subsequent inclusion of the next phrase “or, has moved in or otherwise affects interstate or foreign commerce” compromises that definition by overly expanding the possible universe of covered computers. I understand that the crafters were trying to specifically include State and local government computers, but a broader reading of that language, especially the word ‘support’, is encouraged by the way Congress has been talking about ‘election interference’ to include influence operations on social media.

I also am concerned about any broadening of the scope of §1030 generally without some sort of effort to ensure that studies of computer systems by legitimate security researchers are not stymied by application of this section by prosecutors seeking to protect owners from the embarrassment of being publicly told that their computers are poorly secured.

Saturday, June 23, 2018

Bills Introduced – 06-21-18


A day late and a dollar short. On Thursday, with both the House and Senate in session, there were 40 bills introduced. Of those, three may be of specific interest to readers of this blog:

HR 6175 To enhance maritime safety, and for other purposes. Rep. Hunter, Duncan D. [R-CA-50]

HR 6188 To direct the Secretary of Homeland Security to establish a program to improve election system cybersecurity by facilitating and encouraging assessments by independent technical experts to identify and report election cybersecurity vulnerabilities, and for other purposes. Rep. Quigley, Mike [D-IL-5]

S 3109 Department of Homeland Security Appropriations Act, 2019. Sen. Capito, Shelley Moore [R-WV]

The title of HR 6175 is vague to say the least. I will be watching for potential cybersecurity or chemical transportation issues.

I do not plan to expand this blog into the arena of election cybersecurity, but HR 6188’s potentially groundbreaking (sorry, overstated deliberately) concept of outsourcing cybersecurity execution to the private sector is something worth looking into.

After a quick review of the S 3109 text and Committee Report I find no specific language for a short-term CFATS extension, but the funding tables do show funding for the program. More on this later.

Friday, December 22, 2017

Bills Introduced – 12-21-17

Yesterday with the House and Senate cleaning up in preparation for their Christmas/New Year recess, there were 51 bills introduced. Of those, one may be of specific interest to readers of this blog:

S 2261 A bill to protect the administration of Federal elections against cybersecurity threats. Sen. Lankford, James [R-OK]


I am not sure if there is anything here that will merit further discussion of this bill in this blog, but I thought that it was worth noting, in passing if nothing else. Two things are worthy of mention here. First, this is supported by an interesting list of bipartisan supporters. Second, the bill was referred to the Senate Rules and Administration Committee instead of one of the committees to which we normally see cybersecurity bills referred.

Friday, September 15, 2017

Bills Introduced – 09-14-17

With both the House and Senate preparing to leave for their weekend recess, there were 64 bills introduced yesterday. Of those, two may be of specific interest to readers of this blog:

HR 3776 To support United States international cyber diplomacy, and for other purposes. Rep. Royce, Edward R. [R-CA-39]

S 1821 A bill to establish the National Commission on the Cybersecurity of United States Election Systems, and for other purposes. Sen. Gillibrand, Kirsten E. [D-NY]

I am not sure what ‘cyber diplomacy’ is, but if it concerns control system security issues I will be covering HR 3776 here.


I do not really plan to expand the focus of this blog to include detailed coverage of election cybersecurity issues, but I will be watching S 1821 for the definitions it uses and the scope of coverage of the Commission.