Jeff's comments here are a follow-up to his blog post "International hacks, politics and knee-jerk cybersecurity... never a good mix - Russia & the DNC Hack." You may want to read that post too!
Some software is more important than other software. The software in medical devices that keeps people alive? That’s important. The software that controls the economy? Important. The software that controls airplanes. Again… important. And the software that undergirds our democracy … the software that ensures our elections are fair? That’s pretty important stuff.
We need to hold the purveyors of this important software to a higher standard. We must have assurance that these critical applications are resilient against those who would undermine our democracy. This assurance isn’t necessarily easy to generate. Building rugged software that has strong defenses against both expected and unexpected attacks takes a level of rigor not found in most software organizations.
But we are not even close. Maybe not even really *trying*. When a voter records system is susceptible to SQL injection, we should all be concerned. SQL injection has been well known and well understood for over 20 years. It has headlined the OWASP Top Ten for 14 years. Protecting against SQL injection isn’t even tremendously difficult.
Could these attackers have modified voter records? Maybe even affect whether voters who thought they were registered could actually vote when they show up on Election Day? Or maybe the bad guys sell these records to one of the candidates, so they can target those critical “undecided” voters better.
I’ve reviewed the code of an electronic voting/election management system for one of the major vendors. I can only say that I expected better. What we found was that these systems have the same types of security mistakes as everything else. Which is to say they had a lot of easily identifiable vulnerabilities.
Let’s raise the bar for software that’s part of “critical infrastructure.” We shouldn’t have to blindly trust that software has basic security protections. Many years ago I proposed a “software facts” label that would let software buyers and users know about the security in an application. I find this highly preferable to a liability regime, and something that wouldn’t put undue burden on software producers. Let’s go Congress, FEC, FTC, NIST, DHS, NSA, and POTUS….
You know that quote from Marc Andreessen, “software is eating the world”? Well it just might.
CTO & Founder, Contrast Security