Securing Election Infrastructure through Vulnerability Scanning and Penetration Testing; The Weaponization of Public Records Requests in Election Infrastructure

Polar Quiroz, Arnold, School of Engineering and Applied Science, University of Virginia
Francisco, Pedro Augusto, University of Virginia
Vrugtman, Rosanne, EN-Comp Science Dept, University of Virginia

Elections are the foundation of a representative democracy, but election infrastructure is currently facing some challenges that put elections at risk. First, I will address the issue of securing election infrastructure through vulnerability scanning and penetration testing. Particularly, I will focus on my experience as an intern at the locality of Salem. Then, I will delve into a sociotechnical issue: the weaponization of public records requests in orchestrated campaigns. I will explore the impact and analyze the potential measures that can be taken as a response. The connection between these two topics lies in the shared component of election infrastructure. My technical and sociotechnical research, though different in focus, collectively contribute to the strengthening of this shared component and therefore democratic processes.
The Locality Election Security Standards (LESS) are a set of standards that must be met by localities in Virginia to continue to receive access to resources. Since many localities struggle to meet these standards due to various reasons, including a lack of funding, a coalition was formed between Virginia universities and the Virginia Department of Elections to help these localities meet these standards by sending students from these universities as interns. I worked as an intern in Salem, and like many others, my locality was having trouble meeting some standards due to a lack of funding. Along with my partner, we helped the locality, first by filling out documents to secure funding for thousands of dollars' worth of equipment, and then by directly helping meet some of the standards. This report will particularly focus on two of them.
The first standard was GR 3 Risk Assessment, Section 3 Vulnerability Scanning, and, more specifically, standard 3.1, which requires systems to go through routine vulnerability scans, with scanning frequency based on severity. To meet this standard, we contacted CISA and served as the point of contact. With CISA’s free vulnerability scanning services, the locality should be receiving frequent scans, reports, and possible mitigations, with frequency of scans being proportional to the severity. The second standard was GR 4, specifically Section 4 standard 1.2, which requires an external penetration test to be conducted every two years. For this standard, we could not meet it due to time constraints, but we made progress by forwarding information on the appropriate tools to the IT worker so that he could conduct the penetration test himself.
I explored the sociotechnical research question: What is the impact of orchestrated campaigns on election infrastructure and what are some potential remedies? To answer the first part, I showcased multiple counties that had experienced very significant increases in the number of public records requests. This increase affected the normal functioning of the already arduous task that is carrying out elections by taking away precious time from election officials and directing it to answering requests. To find potential solutions, various case studies were explored and the feasibility of said solutions was analyzed. Moreover, the Social Construction of Technology (SCOT) framework was utilized to explain how the technology of public records requests has been shaped by the attackers and the groups that react to these attackers.
Three related papers were explored. These three highlighted the lack of standardization in handling records requests, the lack of required public records data and discrepancies, and finally the problem as a whole as well as several potential solutions with their respective case studies. The solutions that were investigated included creating an online portal where previous requests can be accessed, creating an FAQ to clarify information, providing training for staff, adding fees proportional to the cost of requests, and changing the response time deadlines. The first three were deemed appropriate if resources were available, the fourth was deemed appropriate if justified by unreasonable requests, and the last was deemed appropriate when increasing response deadlines and only appropriate if necessary when implementing full blackout periods.

BS (Bachelor of Science)
public records requests, FOIA requests, elections

School of Engineering and Applied Science

Bachelor of Science in Computer Science

Technical Advisor: Rosanne Vrugtman

STS Advisor: Pedro Augusto Francisco
