a) What is a Holistic Exposure and Adaptation Testing (HEAT) Process (and what is it not)?
IFES’ HEAT process (currently in final development and outlined below) is a process for simultaneously
identifying and testing the potential exploitation of vulnerabilities in the use of election data
management technology. HEAT tests the technology itself, as well as the legal and operational
frameworks in which the technology is being deployed. In contrast to a technology certification or basic
testing process, the HEAT process is a holistic way to examine vulnerabilities and ensure they can be
corrected, communicated, or managed. For example, in a traditional certification process, a certain
technology platform may be tested to ensure that data is secure. The process would not, however,
prepare the EMB for a simple website disruption that could severely damage the institution’s credibility
with the public, regardless of whether the data remains free of errors or incursions.
The HEAT process is not intended to provide certification of any systems. Technology certification is a
specific process of evaluating voting hardware and software to ensure they provide all the basic
functionality, accessibility, and security capabilities required. There are various challenges associated
with pure “certification” processes in practice, in which only the hardware or software is considered in
isolation from the wider electoral environment. In 2010, the Philippines COMELEC sought a vendor to
certify their EVMs. It was clear from the outset that any company contracted for certification would
identify several potential security flaws and would make recommendations to absolve themselves if
anything went wrong. The company ultimately chosen, SysTest Labs, noted that the EVMs were
appropriate for their intended use, but only under certain conditions. SysTest Labs recommended
adequate safeguards and procedures, including a “statistically significant random manual audit” and a
disaster recovery plan. They recognized risks to using the machines, and their recommended procedures
were meant to detect potential flaws and to scrap the automation if necessary, even mid-election. In Kenya, the IEBC started the process of finding a certification and testing company but discovered that no
company was willing to certify the technology without access to manual processes, chain of custody,
source code review, procurement transparency, and other similar information. Certification was
ultimately not pursued.
Text box: Types of testing and review provided by the U.S. Department of Homeland Security
Risk and vulnerability testing: A multi-week probing of the entire system required to run an election.
Cyber-infrastructure survey: An expert-led assessment accomplished through informal interviews.
Cyber-resilience review: Helping election officials conduct their own self-assessments.
Cyber-hygiene scans: Probing election systems remotely and reporting vulnerabilities.
There are various other types of testing processes that can also examine elements of election
technology development or use. Logic and Accuracy (L&A) testing is the process by which voting
equipment is configured, tested, and certified for accuracy prior to an election. Each component is
tested to verify that it is fully functional and free from mechanical problems and that each voting unit
contains the appropriate ballot styles for its designated polling place. Penetration testing (pen tests)
uses a variety of tools and techniques to identify technology vulnerabilities, including port scanning,
vulnerability scanning (software and firmware), packet sniffing, and review of log files. A risk-limiting post-election audit checks a random
sample of voted ballots, or voter-verifiable records, in search of strong evidence that the reported
election outcome was correct.[1] If the reported outcome is incorrect, then the audit may lead to a full
hand re-count that reveals the correct election outcome. By design, once the audit finds strong evidence
that the reported outcome was correct, it can stop. Thus, the audit adapts to the facts of a particular
election. Following the 2016 elections in the U.S., and the designation of election systems as “critical
infrastructure,” the U.S. Department of Homeland Security designed a variety of testing and review
processes (outlined in the text box above) that it has offered to states. However, these testing
processes are focused primarily on the technology system itself, and are subject to lengthy delays that
raise challenges for states seeking to implement changes ahead of elections.[2]
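The stopping rule of the risk-limiting audit described above can be made concrete with a ballot-polling sequential test of the kind used in the BRAVO method, which is one instance of such an audit. The following Python example is added here and is not part of the IFES text; the function names, the 60% reported share, the 5% risk limit and the sample ballots are constructed for illustration.

```python
import random

def draw_sample(ballot_pile, draws, seed):
    """Draw paper records uniformly at random, with replacement.

    A fixed seed makes the selection reproducible so that observers can
    re-check which records were drawn (an assumption of this example).
    """
    rng = random.Random(seed)
    return rng.choices(ballot_pile, k=draws)

def risk_limiting_audit(sampled_ballots, reported_winner_share, risk_limit):
    """Sequential ballot-polling test for a two-candidate contest.

    sampled_ballots: hand-read records in the order drawn; "W" is a vote for
        the reported winner, "L" for the reported loser, anything else
        (blank, invalid) leaves the evidence unchanged.
    reported_winner_share: winner's reported share of the W+L votes (> 0.5).
    risk_limit: largest accepted chance of confirming a wrong outcome.

    Returns (decision, ballots_examined).
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner share must be in (0.5, 1)")
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk limit must be in (0, 1)")

    threshold = 1.0 / risk_limit
    evidence = 1.0  # likelihood ratio: reported result versus a tie
    for examined, vote in enumerate(sampled_ballots, start=1):
        if vote == "W":
            evidence *= reported_winner_share / 0.5
        elif vote == "L":
            evidence *= (1.0 - reported_winner_share) / 0.5
        if evidence >= threshold:
            # Strong evidence reached: the audit stops early.
            return "outcome confirmed", examined
    # No strong evidence in this sample: auditors draw more ballots
    # or proceed to a full hand count.
    return "not confirmed", len(sampled_ballots)

# Constructed samples for a contest reported as 60% / 40%.
CONSISTENT_SAMPLE = ["W"] * 40          # every drawn ballot backs the winner
TIED_SAMPLE = ["W", "L"] * 200          # the paper looks like a tie

if __name__ == "__main__":
    print(risk_limiting_audit(CONSISTENT_SAMPLE, 0.60, 0.05))
    print(risk_limiting_audit(TIED_SAMPLE, 0.60, 0.05))
    pile = ["W"] * 6000 + ["L"] * 4000  # constructed ballot pile
    print(risk_limiting_audit(draw_sample(pile, 500, seed=2024), 0.60, 0.05))
```

The number of ballots examined depends on the margin and on what the paper shows: a sample that agrees with the reported result stops early, while one that looks like a tie never reaches the threshold.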
IFES aims to incorporate elements of existing testing processes within a straightforward, holistic testing
process that can help an EMB correct vulnerabilities in the system that could lead to known or unknown
manipulation of election data, system failure, or future legal challenges. The HEAT process will not be a
mechanism to approve or reject the decision to use a particular technology or a particular vendor,
although it can inform effective vendor relationships and the handling of cybertechnology supply chain
threats, as well as the interaction between different technology platforms that might be used in
different parts of the electoral process. A HEAT process can also help an EMB prepare the resources and
processes it will need to have in place in the event a security breach or system failure occurs, or in
case the system is challenged in court. This is particularly important for determining the type of
evidence that is required and admissible in relation to election technology, and for establishing a
chain of evidence that can be used in future legal challenges. ICT officials need to work closely with
legal officials within an EMB to address this vulnerability.
As with all aspects of the electoral process, positive public perceptions and public trust are critical to the
credibility of elections and the acceptance of results. The HEAT process is designed to help reinforce
with political stakeholders and the public the risk-mitigation measures inherently needed for the proper
use of election technology and the importance of contingency planning. Ultimately, the HEAT process
aims to increase public confidence in the electoral process and help EMBs to exercise and document due
diligence measures. However, because the HEAT process focuses on identifying vulnerabilities, it must
be carefully managed and communicated to build, rather than erode, public confidence in the EMB and
in the technology. Hence, an EMB must ensure it has enough time and resources to address the issues
that are found, or these vulnerabilities could be exploited to call into question various aspects of the
process, from the validity of the voter register, through to the legitimacy of the election result.
b) Outlining the Holistic Exposure and Adaptation Testing Process (HEAT Process)

Identify
The HEAT process is designed to be EMB-led and provide a capacity-building element for the EMB, as opposed to an external assessment. As such, the first step of the HEAT process is undertaken by the EMB itself with technical assistance as required, and requires the EMB to identify which election data
management technology or technologies should be HEAT-tested. The HEAT process focuses primarily on
electronic systems or platforms related to election processes that include any forms of automation or
digitalization, such as voter registration, voter identification, voting and vote count, and results
transmission and tabulation. Depending on how advanced the management system is, it can also include
candidate registration, the ballot design (in complex elections such as local elections) and ballot printing.
One or more of these can be tested, as relevant and applicable to the country in question, and the HEAT
process is being specifically designed to target these systems and processes. However, depending on the
EMB’s mandate and specific circumstances of the country in question, there may be other relevant data
management systems or platforms that an EMB may wish to test, such as political party registration
databases, campaign finance databases and reports, systems for redistricting of constituencies and
precincts and polling station allocation, procurement and inventory databases, personnel and financial
databases, website and social media platforms, and case management systems used in complaints
adjudication.
Apart from identifying the assets that need protection, EMBs should be in a position to evaluate
the likelihood of any looming cybersecurity threats, be they DDoS attacks, insider attacks,
spear-phishing, or an exploit through malware. Listing all possible threats and including an assessment
of how imminent each danger is helps to prepare for further steps in the HEAT process.
Collect
After identifying the specific election data management technology to be HEAT-tested, the relevant EMB
staff should collect and collate all relevant information for the HEAT team. This includes, on the one
hand, laws, rules, procedures, manuals, training material, and any formalized strategic policies and, on
the other, technical information such as system design (schematics), data security policies, set-up and
configuration scripts, program source code, and other relevant material. It will be
important to collect all relevant laws and rules so the HEAT team can identify provisions in the legal
framework that may be used to challenge election technology and data management processes later in
the election process, to ensure adequate regulations and policies are in place to govern the use of the
data management technology, to ensure roles and responsibilities are clarified, especially between
EMBs and technology vendors, and to identify contingency measures. The relevant laws and rules will
include the Constitution, national electoral laws, EMB regulations, any other relevant national laws or
rules on data management, data protection, or cybersecurity, laws and rules on civil procedure and
evidence, and relevant national case law, where applicable. In addition to these legal materials, the EMB
should collect all relevant policies, procedures, strategies, operational plans, guidance documents,
manuals and training materials used in the electoral process that are relevant in whole or in part to the
election technology being tested.
During the collection phase, the EMB will also conduct a system-mapping exercise to visualize
components of the system being HEAT-tested, as well as linkages and information flow between
institutions and individuals. System mapping is a tool within the larger research method of systems thinking that visualizes linkages among key actors. Often individual and institutional connections, or lack
thereof, can impact the election process. The links that the EMB holds with any other authority within
the country, other independent agencies or government agencies dealing with data protection, should
be clearly identified at this stage. The cybersecurity community is unified in saying that sharing of
cybersecurity information is critical for adequate protection and resilience, and the election process is
not an exception to this. What is exceptional about elections, however, is that the independence of the
EMB must be maintained, regardless of any collaborative efforts.
System mapping can shine a light on otherwise hard-to-identify incentive structures, interactive effects
and leverage points for identifying and addressing vulnerabilities in the electoral process. Without a
consideration of the system design (a system map) and the underlying cybersecurity assumptions, it is
very difficult to recognize the existence of all the specific vulnerabilities. A system map is a visual
depiction of the components of a system at a point in time, while an actor map is a type of system map
that focuses on relationships and interconnections between various actors involved in a system. These
maps help show how the parts of and people within a system are connected, identify weak connections
or gaps, bring out ideas for intervention points in the system, and help identify ways of determining
whether these changes have occurred. The HEAT team will provide instructions and templates, or can
directly guide the EMB through this process. The resulting map will form part of the HEAT team’s
exposure process in step three.
Expose
Step three requires the HEAT team to collectively analyze the relevant EMB materials and systems map
and expose vulnerabilities within the five different types of exposure – technological, human, political,
legal and procedural. Because the process looks holistically at these five different types of exposure, the
HEAT team should generally consist of a technology expert, legal expert, and election operations expert.
Step one of the HEAT process should feed into the identification of the HEAT team, in terms of the
specific technology or technologies being tested. The core question will be: who is qualified to help test
and assess the election technology and the framework or context in which it is deployed? Once
identified, during this part of the process the HEAT team will identify and record vulnerabilities that the
EMB faces in using the specific technology being tested, categorized under the five types of exposure,
and will list preliminary options for mitigating or managing vulnerabilities.[3] In addition, the HEAT team
should look at certain external elements that can significantly impact the election process, especially in
terms of possible negative influence or disinformation campaigns against the EMB or other election
stakeholders, and will examine existing EMB communication strategies.
Exploit
Drawing on the specific vulnerabilities identified during steps two and three, the HEAT team will guide
responsible EMB officials through a tailored election simulation tabletop exercise (TTX) to test EMB
responses to specific forms of exploitation. A TTX is a training simulation that mirrors real-world
conditions, uses an accelerated timeline to increase pressure, gives everyone a role with corresponding
responsibilities, and enables participants to absorb information, make decisions, and execute plans. It is
similar to the “red-teaming” process used by the U.S. Department of Defense to “challenge emerging
operational concepts in order to discover weaknesses before real adversaries do.”[4] The HEAT team will
draw on the vulnerabilities identified in step three of the HEAT process and test participant responses as
these vulnerabilities emerge or are exploited in a simulated environment. This step has two purposes –
testing existing capacity and responses of EMB officials and serving as a more impactful learning exercise
for officials who will be responsible for making necessary changes to reduce EMB cybersecurity
exposure. Lower-level commissions require substantial training related to the election process, in
general, and cybersecurity is no exception. The TTX can help reveal and emphasize for EMB officials the
exact training needs required for different staff in the EMB, for example around cyber hygiene and
spear-phishing.
Adapt
The final step of the HEAT process is a collaborative de-briefing exercise and strategy session with the
relevant EMB officials. This session will aim to identify and prioritize actions to address vulnerabilities
that were not satisfactorily mitigated in the exploitation phase, with the ultimate goal of minimizing
levels of exposure across the five dimensions. The session will consider who has responsibility to fix or
correct vulnerabilities, short and long-term cost considerations, time considerations, and transparency
and communication.
In terms of technology exposure, some of the essential tools that EMBs might consider using to avoid
system crashes are careful system design, testing, set-up, configuration, piloting, audits and
contingency planning. EMBs should have back-up plans for new systems, including the possibility to
revert to old systems in the event of a crisis. For example, if seat allocation is relatively complex, the
EMB that bears responsibility may decide not to rely exclusively on software being used for the first
time, even if that software has been tested.[5] EMBs should have advanced network-monitoring
capabilities to determine with some level of certainty the nature of events that occur in their systems.
Having a strategy in place would allow EMBs to react quickly, apply contingency plans, or restore from
backups.
In terms of human exposure, measures against insider attacks are often self-explanatory – such as
monitoring physical access to servers – but sometimes additional action may be required. This can entail
doubling up IT experts when logging in to sensitive servers and never using wireless networks for
sensitive LANs, to avoid close-proximity, fraudulent Wi-Fi access attacks (so-called evil twin attacks).
Control systems must be in place to ensure that access is strictly compartmentalized, that logs are
created, and that logs are regularly reviewed by ICT supervisors for compliance and abuse. Vetting personnel when hiring is a good
practice but needs to be conducted carefully to avoid nepotism or discrimination and to avoid
introducing new problems, such as potential bureaucratic delays. A good EMB should also have a data
security strategy to avoid having outdated, obsolete, or underutilized election systems that can lead to
inefficient data management.
For political exposure, EMBs should carefully plan and execute procurement processes for election
technology, and develop sound communication and consultation mechanisms on cybersecurity issues.
Specific measures may also need to be put in place to strengthen the de jure or de facto independence
of the EMB and its leadership. At the same time, greater collaboration may be required with law
enforcement personnel and intelligence agencies, depending on the nature of the cyberthreat. This
would need to be done carefully, recognizing the need for the EMB to also maintain independence both
in practice and in terms of public perceptions. For legal and procedural exposure, various legal or
regulatory amendments or reforms may be required, along with the development or refinement of
strategy documents, operational plans, training materials, or other manuals and guidelines.
The EMB may have certain cybersecurity practices in place, but those might be scattered in multiple
documents, informal files kept by IT specialists, or not even recorded in written form, but only employed
in practice. The HEAT team should encourage the EMB to consolidate and lay down all their security
practices and assumptions in one place; in this way, they will be more accessible, transparent to the
EMB, and open to challenge (for example, if the system does not place any constraints on the size and
structure of passwords, this can be highly problematic). This, if formalized, can become the EMB’s
cybersecurity strategy. The establishment of such a strategy will increase the EMB’s resilience against
cyberattacks.
Ultimately, the goals of the HEAT process are to holistically test specific election technology systems for
vulnerabilities, to directly involve relevant EMB officials in the process and ensure it can be an exercise
in capacity development, and to identify adaptations that the EMB can lead or influence to reduce
cybersecurity exposure levels.
[1] Mark Lindeman and Philip B. Stark, “A Gentle Introduction to Risk-Limiting Audits,” IEEE Security and Privacy,
Special Issue on Electronic Voting, 2012, https://www.stat.berkeley.edu/~stark/Preprints/gentle12.pdf.
[2] Tim Starks, “The latest 2018 election-hacking threat: 9-month wait for government help,” Politico, December
29, 2017, https://www.politico.com/story/2017/12/29/2018-election-hacking-threat-government-help-231512?cid=apn.
[3] Over time, IFES will develop a global database of vulnerabilities and recommendations as the HEAT process is utilized with local partners. This can serve as a reference tool for EMBs and technical assistance providers.
[4] Defense Science Board Task Force, The Role and Status of DoD Red Teaming Activities, United States
Department of Defense, 2003, https://fas.org/irp/agency/dod/dsb/redteam.pdf.
[5] In Denmark during the 2009 European Parliament elections, Statistics Denmark used seat allocation software but also informally had MS Excel spreadsheets as a backup to check that their calculations were correct.