Safeguarding Election Security Through Penetration Testing

May 13, 2024

https://www.linkedin.com/sharing/share-offsite/url=mailto:?subject=Safeguarding%20Election%20Security%20Through%20Penetration%20Testing&body=

The Challenge

Founded in 2018 by seasoned election security experts, VotingWorks stood as a leading non-profit vendor, specializing in open-source software for election security. Its flagship tool, Arlo, developed in collaboration with the U.S. Department of Homeland Security, spearheaded risk-limiting audits (RLAs), a critical aspect of its offerings.

Given its role in election security, the assurance of trustworthiness was paramount for VotingWorks. To instill confidence in states, counties and municipalities utilizing its software, the company operated on the principles of transparency. While its code was publicly accessible, transparency formed just one layer in its quest to deliver a secure and reliable election audit product.

Safeguarding Election Security Through Penetration Testing

As the 2020 general election loomed, public scrutiny on election security and auditing intensified. Citizens, media and officials raised concerns about vote accuracy. The stakes were high, which prompted sophisticated threat actors—even state-sponsored groups—to eye potentially vulnerable election data management software. For government agencies viewing Arlo, the confidence that these threats couldn't tamper with election or audit outcomes was imperative.

This urgency was particularly acute in swing states like Georgia, which had reviewed all 5 million ballots through Arlo's RLAs. Other pivotal states, including Michigan and Pennsylvania, had also utilized Arlo in their election processes.

However, despite the critical need for security, a federal standard for RLA software like Arlo hadn't been established as of 2020. VotingWorks faced the task of identifying an independent partner with robust software security credentials and profound experience in testing and securing emerging technologies to address these pressing security concerns.

Kroll was top of mind.

Kroll's Solution

Upon soliciting competitive bids, VotingWorks opted to collaborate with Kroll for the penetration testing of Arlo before the 2020 election audits. This comprehensive penetration test encompassed both an open-box web application security assessment and a technology-assisted source code review.

The assessment delved into the penetration testing of the software itself, ensuring that the logic was not only developed, but also implemented securely. Additionally, it included a thorough examination of the infrastructure supporting Arlo, spanning both production and staging environments. This aspect was crucial as VotingWorks provides the Arlo software and extends hosting and management services to its clients utilizing Arlo. The overarching goal of the penetration test was to evaluate the platform's security for post-election audits, aiming to instill trust in both states and voters.

Safeguarding Election Security Through Penetration Testing

The Impact

VotingWorks, committed to earning voters' trust, found a valuable ally in Kroll during the penetration-testing phase for Arlo. This collaboration yielded several key advantages in line with its foundational goal:

  • Enhanced product security: Through Kroll's assessment, VotingWorks swiftly identified and addressed security findings affecting Arlo's integrity. The rigorous penetration test pinpointed three low-risk security issues in the Arlo platform ahead of its deployment for the Georgia recount. Prompt action led to immediate resolution of two issues, while dedicated efforts were allocated to resolve the third. This proactive approach ensured a more secure product, not just for Georgia, but for all governments utilizing Arlo for RLAs in the 2020 elections and beyond.
Safeguarding Election Security Through Penetration Testing
  • Continuous software vigilance: Recognizing that security is an ongoing process, VotingWorks aligned with Kroll in this shared perspective. As Arlo continued to evolve and adapt to the threat landscape, Kroll continued to support VotingWorks in its efforts to keep Arlo at the forefront of election security and trust.
  • Strengthened trust: By partnering with Kroll for penetration testing and continuous security assessments, VotingWorks demonstrated a tangible investment in transparency and collaboration with security experts. This ongoing commitment to testing and improvement was a vital component in establishing trust, especially for software integral to sensitive and high-profile purposes such as election integrity. VotingWorks built trust with governments and voters, emphasizing the importance of a robust and continuously fortified security framework overall.

Need help staying ahead of a complex challenge?

Talk to an Expert

Stay Ahead with Kroll

Red Team Security Services

Red team security services from Kroll go beyond traditional penetration testing, leveraging our frontline threat intelligence and the adversarial mindset used by threat actors to push the limits of your information security controls.

Learn More

Penetration Testing Services

Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.

Learn More