The Center for Internet Security Unveils New Approach to Verify Non-Voting Election System Security
First-of-its-kind program can help ensure the security of elections
EAST GREENBUSH, N.Y., and WASHINGTON D.C., December 7, 2021 - Election officials and elections technology providers have long been dedicated to continuously strengthening the security and integrity of the elections process. Today the Center for Internet Security (CIS) released the results of its Rapid Architecture-Based Election Technology Verification (RABET-V) pilot program, adding another tool to help election professionals in this mission. RABET-V is a unique approach to verifying the security of internet-connected election technology, like voter registration databases and e-pollbooks, with a single standard. While the Help America Vote Act defines voting systems and ways of testing them, there has been no equivalent method of testing non-voting technology.
The RABET-V approach supports rapid product changes and updates to non-voting election technology by design. It uses a risk-based approach to validating the security of updates, helping save time and money in the development process.
For example, if a vendor makes a software update or change to an e-pollbook, RABET-V enables security verification of just those aspects impacted by the change rather than of the entire product, which would take longer and cost more.
The faster, less expensive software updates enabled by RABET-V make it easier to continually get more advanced and secure election technology onto the front lines in elections offices across the country, supporting the continued integrity of elections.
“The Center for Internet Security is committed to preserving the integrity of the US election process, and has spent the last two years working with federal, state and election technology industry partners to develop RABET-V. This new process for testing is based on modern software development and testing practices, and allows for rapid changes in those products and services that could otherwise leave systems vulnerable,” says Mike Garcia, Senior Cybersecurity Advisor for CIS.
The pilot, which was funded by a grant from the Democracy Fund, was publicly evaluated by two expert committees: a steering committee comprised of elections officials and federal officials who work on elections; and a technical committee of cybersecurity experts from government, industry and academia. We also recruited two technology providers to participate in the program. VR Systems and KnowInk each provided their e-pollbook products, while VR Systems also provided their election night reporting system, for evaluation by RABET-V.
The pilot determined the following:
- RABET-V is a viable process for validating the security of non-voting election technology.
- We can use RABET-V to evaluate the software development process of this technology to assess how secure it is.
- RABET-V enables faster, more economic updates with a multi-tiered testing process.
- RABET-V is compatible with several operational and economic models, which are outlined in a companion paper to the final report.
“VR Systems is pleased to have been involved with the RABET-V pilot, and is encouraged by the results,” says Jamie Remes, Product Manager at VR Systems. “The centralized and modular approach to ensuring security in election software updates demonstrated in the RABET-V pilot will make it significantly more efficient and cost-effective for election technology vendors to deploy the latest and most secure versions of software. Preserving the integrity of our nation’s elections infrastructure is critically important to VR Systems. RABET-V can play an important role in maintaining a high standard of security across the country.”
While more real-time data is needed, response to the pilot program suggests that most states should be able to incorporate the RABET-V results to further help secure their election processes.
You can read the entire report here: https://learn.cisecurity.org/RABET-V-Final-Report
The Center for Internet Security, Inc. (CIS®) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. We are a community-driven nonprofit, responsible for the CIS Critical Security Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously evolve these standards and provide products and services to proactively safeguard against emerging threats. Our CIS Hardened Images® provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), which supports the rapidly changing cybersecurity needs of U.S. election offices. To learn more, visit cisecurity.org or follow us on Twitter: @CISecurity.
To arrange an interview with CIS Senior Security Advisor Mike Garcia, please contact Kelly Wyland, Media Relations Manager at CIS, at [email protected] or by phone/text: 518-256-6978.