Nov 2, 2020
Previous Election Security podcast: https://brakeingsecurity.com/2018-042-election-security-processes-in-the-state-of-ohio
Jeremy Mio (@cyborg00101)
(added cybersecurity Directives during 2018 last podcast -jmio)
(added new cybersecurity Directives since last podcast -jmio)
Vuln disclosure policy: Vulnerability Disclosure Policy - Ohio Secretary of State (ohiosos.gov)
Did anyone think to pentest the vuln acceptance form? (lol, layers in layers --brbr)
“Ohio has taken steps to combat those types of threats. In October, Ohio Gov. Mike DeWine (R) signed into law a measure that required post-election audits to ensure the accuracy of the vote count, and created a “civilian cyber security reserve” to defend against potential cyberattacks.
“His [secretary of state LaRose] first-of-its-kind Vulnerability Disclosure Policy invites Ohio’s crop of “white-hat” hackers — the good guys, opposite malevolent “black-hat” hackers — to break into the state’s election system, find bugs and report them so officials can ensure they’re fixed by Election Day.
There are some strings attached: White hats aren’t allowed to phish for information or tamper with electronic county voter registration systems, and actual voting machines — legally barred from being connected to the internet — are off-limits. If they do find sensitive information, they’re expected to report it.”
How did the threat model shift from the last time we talked?
What has changed in terms of organization and threats? You mentioned 4-5 different voting regions last time, all with different levels of technology. Any updates on the tech?
How did covid change how voting occurred?
How have you leveraged the Elections Infrastructure ISAC (EI-ISAC) in passing along threats and sharing information?
Has insider threat been part of your threat model and what has your group done to minimize the chances? (why does it feel like the Oscars has more scrutiny in terms of voting security than the US democratic process? --brbr)
What does physical security look like in terms of people going to the polls? (wasn’t sure if that was something in your purview --brbr) (this is not (Election Board and Sheriff), but can discuss high level -jmio)
Using hardware domain block services? Malicious Domain Blocking and Reporting (MDBR) Newest Service for U.S. SLTTs (cisecurity.org)
88 election districts will have access to domain blocking tech (mandated to start by 28 August 2020), cybersecurity experts. Can you give us an update on any of what was mentioned in the press release