IT audit professionals looking for a fresh example of cybersecurity risk to study should turn their gaze to Wisconsin. A voter fraud conspiracy theorist there uncovered what is indeed a legitimate risk to election integrity, and his discovery speaks volumes about taking a risk-based approach to design of internal controls.
The gadfly in question is Harry Wait of Dover, Wisc. Last week he demonstrated that the state’s method for distributing absentee ballots by mail is unsound. Wait did this by logging into Wisconsin’s online elections portal to request absentee ballots for Robin Vos, a Republican and speaker of the state Assembly; and Cory Mason, Democrat and mayor of Racine, Wisc.
To request a ballot by mail through the state’s online portal, all a person needs to do is enter the voter’s name and date of birth. Then the ballot will be sent to whatever address you request, in case you’re temporarily living somewhere other than your address of record.
Wait followed that procedure using the names and birth dates of Vos and Mason. He documented his entire stunt, posted news of it online, and then demanded that state officials do something about the weakness that he had uncovered.
Wait never did receive ballots for Vos and Mason, because immediately after requesting them through the portal he emailed election authorities and turned himself in. His adventures in ballot theft, however, have caused the predictable uproar. State and local authorities are threatening to prosecute him for voter fraud (“I would be willing to take that hit for the country!” Wait says in response) and Wisconsin election officials are wondering how to respond ahead of the state’s Aug. 9 primary elections.
Meanwhile, astute IT audit professionals might be asking yourselves the same question that occurred to me as I read about Wait’s cybersecurity violation.
Wouldn’t multi-factor authentication have prevented all this foolishness?
Matching Risks and Controls
The lesson here for cybersecurity and IT audit professionals is the importance of looking at a system, identifying the security risks to it, and then implementing appropriate controls to reduce those risks to acceptable levels. Wait and Wisconsin have given us an example of how that seemingly simple concept can go wrong in practice.
First, let’s remember what multi-factor authentication (MFA) is: a system of access control that challenges users based on something they know (a user ID and password), plus something they have (a cell phone or key fob, to receive a one-time access code). By now probably all of us have encountered MFA as we pay our mortgages online, or change passwords to important accounts, or log into sensitive corporate databases from Starbucks.
MFA is tailor-made for scenarios like requesting an absentee ballot. If Wisconsin’s online elections portal had used it properly (say, capturing the voter’s cell phone number when he or she registered to vote), Wait wouldn’t have been able to request ballots for Vos and Mason unless he also had physical possession of their cell phones. Even if he knew their phone numbers, he wouldn’t have been able to see the one-time codes sent to those devices.
That’s the whole issue here. Absentee ballot fraud is indeed a risk; Wait proved that. It’s also a pervasive risk, because anyone could steal any Wisconsin voter’s ballot. But it’s not a severe risk, in the sense that someone could employ this tactic at a scale large enough to affect the outcome of an election. You’d need to do that many thousands of times over, spread across many districts and dates to avoid arousing suspicion.
Put more simply, and in audit terms, Wisconsin’s online portal has an access control risk that’s a mile wide and an inch deep. In that case, you need a way to tighten access control that’s proven to work, scalable, and not burdensome to the user. Multi-factor authentication meets all those criteria.
Moreover, it shouldn’t be news to anyone that election integrity is an issue, and that MFA is a good solution for it. Cybersecurity professionals have stressed the importance of MFA for years. CISA, the top cybersecurity regulator in the United States, issued a bullet in February that specifically urged organizations to implement MFA for any remote access to corporate data. (The bulletin was issued as a warning against Russian intrusions, but the advice is just as valid for right-wing kooks committing voter fraud.) The SEC has sanctioned companies over sloppy use of MFA for years.
So what can we say about risk assessment, based on this incident?
- Start by considering the context of the risk. Is it important to your stakeholders? How would it unfold? What damage would it cause?
- Find solutions that are appropriate to the dimensions of the threat. What controls are proven to work? Can they scale with the size of the threat? Are the controls easy for users to understand and use?
- Implement controls as swiftly as necessary. For a threat that’s pervasive, you need a control that can be implemented quickly and visibly, to show stakeholders that you’re responsive to the issue.
In 2022, after years of bickering over election integrity and voter fraud, one would hope that state election boards do better.
Keeping Risks in Perspective
I don’t believe any of that would placate Wait and his ilk very much. They feed on ths suspicion that somebody out there — Hillary Clinton, the Chinese, undocumented immigrants; maybe some amalgamation of all three — is altering the outcome of U.S. elections. In their minds, the weakness Wait discovered is proof thereof.
Such people need to calm down. Wait did discover a legitimate weakness in access control in Wisconsin, but the weakness isn’t proportionate to the threat cited. That’s another important point about risk management that audit professionals need to keep in mind as they assess large systems.
That is, anyone who wanted to alter the outcome of an election in Wisconsin wouldn’t use the Wait weakness to do it. The attacker would need to run this exploit tens of thousands of times, ideally across numerous regions within Wisconsin and over a long period of time to avoid suspicion. But the more an attacker ran this exploit, the greater the odds that people would discover it because they’d notice their ballots were already taken.
From the attacker’s perspective, why bother with all that? The better way to sway the outcome of an election is to flood the social media space with misinformation. It’s easier to do, easier to hide, and faster to implement. Hence Russia used that strategy to sway Wisconsin toward Donald Trump in 2016 — and it worked.
In theory, one could also hack into the tabulation systems states use to calculate vote totals. That would be the opposite of Wait’s weakness: a narrow risk with severe consequences. It would also require advanced technical expertise, meaning only a few state-sponsored actors could achieve it; and election security professionals already work hard to prevent it.
Risk and audit professionals need to keep those multiple perspectives in mind as you perform a risk assessment. What’s the ultimate threat you want to prevent? Who would be able to achieve that outcome, and how? Does this weakness here in front of me allow that unwanted outcome to happen? Those are the questions you need to ask.
Here, the ultimate threat is an illegitimate election outcome — but the weakness Wait discovered won’t achieve that. To be clear, Wait’s weakness does need attention, and really never should have been allowed to exist in the first place. But it’s a long way from the existential threat to election integrity that conspiracy theorists like to believe.