Last month, Rep Spanberger (D,VA) introduced HR 7447, the Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing (SECURE IT) Act. The bill would amend the Help America Vote Act of 2002 by adding a requirement for third-party penetration testing to the existing election system certification process. It would also establish a voluntary election system vulnerability disclosure program. The bill authorizes no new funding.
Definitions
Subsection (e) of the newly proposed §297 provides the definitions of seven key terms used in Section 3 of the bill. Two of those terms (‘information system’ and ‘security vulnerability’) are defined by reference to existing statutory definitions.
The most important term for this new section is ‘election infrastructure’. The term is very broadly defined and specifically includes:
Electronic mail and other communications systems (including electronic mail and other systems of vendors who have entered into contracts with election agencies to support the administration of elections, manage the election process, and report and display election results) and
Other systems used to manage the election process and to report and display election results on behalf of an election agency.
Existing Certification Process
Section 2 of the bill would amend §231 of the Act (52 USC 20971) by adding a new subsection (e), Required Penetration Testing. The new subsection would require the Election Assistance Commission to “provide for the conduct of penetration testing as part of the testing, certification, decertification, and recertification of voting system hardware and software by accredited laboratories under this section.”
Unfortunately, this subsection does not provide a definition of the term ‘penetration testing’, nor is the term defined in §3(e). I would suggest using the definition of that term found in NIST 800-95 (pg C-3):
“A method of testing where testers target individual binary components or the application as a whole to determine whether intra or intercomponent vulnerabilities can be exploited to compromise the application, its data, or its environment resources.”
Pilot Program
Section 3 of the bill would require the Commission to “establish an Independent Security Testing and Coordinated Vulnerability Disclosure Pilot Program for Election Systems (VDP–E)”. The voluntary pilot program would run for five years and would include provisions for vetting the researchers who participate in the independent security testing program, specifically including background checks.
The program would require participating researchers to:
Notify the vendor, the Commission, and the Secretary of any cybersecurity vulnerability they identify with respect to an election system, and
Otherwise keep such vulnerability confidential for 180 days after such notification.
The bill would also require vendors notified of a vulnerability classified as ‘high’ or ‘critical’ under NIST standards to:
Send a patch, or provide some other fix or mitigation for the vulnerability, to the appropriate State and local election officials, in consultation with the researcher who discovered it, and
Notify the Commission and the Secretary that the patch has been sent to those officials.
For election systems that hold a current Commission certification, the Commission would be required to provide an expedited certification review of the patch or fix. If that review is not completed within 90 days, the fix would be deemed certified. 180 days after the Commission was notified of the vulnerability by the researcher, the Commission would be required to forward the vulnerability to CISA for inclusion in the Common Vulnerabilities and Exposures (CVE) database.
Safe Harbor – Subsection (d) provides for the voluntary participation of both vendors and researchers in the pilot program. Vendors would be prohibited from taking action against participating researchers under 18 USC 1030 (the Computer Fraud and Abuse Act) for “accidental, good faith violations of the program.” Similarly, vendors would be prohibited from taking action under 17 USC 1201 (the Digital Millennium Copyright Act) for circumvention of technological protection measures. Note that both protections, as described, run only against participating vendors. Paragraph (4) would exempt vulnerabilities reported in the pilot program from disclosure under 5 USC 552 (the Freedom of Information Act).
Moving Forward
Neither Spanberger nor her two cosponsors, Rep Deluzio (D,PA) and Rep Valadao (R,CA), is a member of the House Administration Committee, to which this bill was assigned for primary consideration, nor of the House Science, Space, and Technology Committee, to which the bill was assigned for secondary consideration. This means that there is practically no chance that the bill will be considered by either committee. I see nothing in the bill that would engender any organized opposition. I suspect that it would receive some level of bipartisan support were it considered.