How the RI National Guard Protects the Election from Hackers

U.S. Army Col. R. Michael Tetreault is the Rhode Island National Guard’s top-ranking techie, a key player in the state’s efforts to protect election technology from cyberattacks.

Over the past three years, Tetreault and his team of cyber defenders have assessed the election system’s fortifications, providing assistance and advice to Rhode Island’s Board of Elections.

Of course, the ultimate test of that cybersecurity initiative will come Tuesday, as voters across the state cast final ballots, polls close and officials work to certify the tally.

Since 2016, the threat to local election systems across the country has grown clearer, much as terrorism came into greater focus after the attacks of Sept. 11, 2001.

Rhode Island’s public entities were not immune from cyberattacks routed through foreign countries in 2016, when Russian agents targeted the U.S. election.

Early that year, the Rhode Island State Police said a local hacker, a teenager, had made use of a Russia-based web server to deliver threatening phone messages to Rhode Island schools. A wave of similar hoaxes disrupted schools in New England and around the globe.

Four years later, Tetreault and his team have developed a rapport with state election officials working to secure voting technology.

“We have no political affiliation,” Tetreault says, “no political aspirations, no financial aspirations. It is literally to just be that citizen soldier and improve things for the good of everybody, and that is our only purpose for being there.”

The role of the U.S. military in the actual machinery of Rhode Island’s election system, even on a strictly advisory basis, is a historic development reflecting an unfortunate reality of the tech era: While combat itself remains an overseas phenomenon, cyber combat now happens in the homeland.

Technology has brought enemies far closer to systems of democracy than, for example, the German U-boats that prowled waters off New England’s coastline during World War II.

“It is not an exaggeration to say that election security, whether we’re talking about California and Texas, or whether we are talking about Rhode Island, is a national security issue,” says one election technology expert, Eddie Perez, of the Silicon Valley-based OSET Institute.

OSET, which stands for Open Source Election Technology, is a nonprofit focused on preserving democracy by, in part, ensuring the security of election technology.

“It is absolutely necessary,” Perez says, “to have a high confidence in the outcomes of our domestic elections and their legitimacy – if you’re not going to have the potential for real division and a real lack of unity in your country.”

Tetreault was a reservist when he entered the National Guard’s officer corps about 30 years ago, arriving in the artillery.

In the early 1990s, some military leaders prayed that rapidly advancing information technology would greatly expand the awareness of U.S. troops in battle.

By the time Americans were into their first lengthy redeployments in Iraq in the 2000s, cutting-edge information technology was beginning to answer some of those prayers.

When the Blue Force tracking systems were working as planned, troops knew much more about the environment around them and were at less risk of killing each other as a battle unfolded.

Protecting such information systems has been a classic scenario for the military’s cyber defenders.

“That is a system that gets a lot of attention,” says Tetreault.

During those early years of Blue Force, Tetreault transitioned from mostly weekends to full-time duty, embracing management of the Rhode Island National Guard’s information technology systems.

Tetreault’s job also involves training scenarios for cybersecurity. And when his specialized cyber team competes against other teams in simulations, he says they will try to knock out Blue Force tracking.

Three focal points drive Tetreault’s efforts to either defend or attack such an asset:

“Confidentiality,” he says, is making sure only authorized people see the sensitive data. “Integrity” is making sure the data isn’t tampered with. “Availability” is keeping the data accessible to the people who need it.

“If you hit someone on any of those three points you degrade their ability to do things,” he says. “You’re always looking in those three dimensions when you’re looking at cybersecurity. ... Blue Force Tracker is a great example.”

The team that Tetreault commands in Rhode Island is called the DCOE, or Defensive Cyberspace Operations Element.

Part of the team’s role, says Tetreault, is to deal with any attackers who might take a run at local Department of Defense networks.

It has about six or seven people. They hold numerous civilian and government certifications. About half of them work for defense contractors during the week.

One warrant officer just returned from a yearlong deployment with the U.S. Cyber Command, where he was involved with protecting critical infrastructure.

On three occasions, the element participated in the National Guard Bureau’s Cyber Shield exercise, which immerses cybersecurity personnel in scenarios where they work on skills for helping government officials and local businesses thwart cyberattacks.

In such training scenarios, some of the talented attackers (Tetreault calls them “rock stars”) try to stage end-runs around cyber defenses while other cybersecurity personnel try to ward them off. Another exercise, Cyber Guard, has drawn the team to the National Security Agency in Maryland on two occasions and to the FBI Academy in Virginia.

The events that Rhode Island’s team has participated in represented almost all of the exercises that the U.S. General Accountability Office was able to catalog when it looked at the issue for a 2016 report, finding that the Department of Defense needed to do more to leverage National Guard cyber capabilities to help civil authorities across the United States.

Tetreault and his counterparts in Massachusetts and New Hampshire actually organized one of the exercises that came up on the GAO’s radar. That was Cyber Yankee, which has been held annually in New England for six years.

In the 2019 installment, participants included a collection of power companies, a Massachusetts water authority, Citizens Bank and CVS.

In Rhode Island, starting in 2017, Tetreault and his team embarked on a security assessment delving into election processes, personnel and technology.

Tetreault is careful to emphasize that the Guard provided “assistance and advice” under policies set by the Department of Defense and the president.

Personnel did not, for example, take over keyboards and carry out the particular recommendations that they made.

The Guard’s examination was wide-ranging, identifying strengths, such as the paper-based nature of the voting system; and weaknesses, such as the use of modems for transmission of unofficial results on election night.

Modems provide what’s known as an “attack surface” to foes – a potential entry point. In this case, the particular modems had been “reachable from anywhere on the internet,” says Tetreault.

“Obviously one of our recommendations was to eliminate the modems completely and not transmit,” Tetreault says.

But elections officials wanted to hold on to their ability to speedily collect unofficial election results using the modems.

The Rhode Island Division of Information Technology participated in the assessment. In response to the findings, the election data is encrypted, based on fresh inputs generated for each election, and it’s transferred over a private Verizon wireless network, according to the state’s chief information security officer, Brian Tardiff.

In a 2019 report on the board’s cybersecurity effort, Tardiff acknowledged continued “residual risk” while asserting that the level of risk overall was lowered “drastically” through a dramatic “downsizing” of the attack surface.

Critics, including Perez of the OSET Institute, say such risk is unacceptable. Others, including the board’s deputy director of elections, Miguel Nunez, say that layers of “military-grade” encryption and other protocols have reduced “the risk as close to zero as possible.”

“Everything we do is risk,” says Tetreault. “Risk is your threats times your vulnerabilities times your probabilities. You’ve got to look at all of those.”

The Guard’s cyber team also studied the way that official results will move from voting precincts to the Board of Elections via special USB drives, which can be likened to thumb drives.

Another focus was the central voter registration system, which continues to provide online access to voters wanting to update their information.

Last year, the office of Secretary of State Nellie Gorbea tapped into $3 million in federal allocations for election security and had the system overhauled.

“They took it down and built a new system,” says Tetreault, “with the latest software, the latest patches.”

The online access to the system is a security concern, but good controls and monitoring are in place, Tetreault says.

More traditional aspects of security, such as locking up equipment, controlling personnel and access, factor into cybersecurity, experts say.

Tetreault says the board has made some “great” security improvements at its new facility, newly relocated from Providence to a headquarters on Plainfield Pike in Cranston.

“You put your seat belt on,” Tetreault says. “That’s no guarantee you’re not going to get hit.”

One worst-case scenario that Perez can envision involves an attacker who penetrates physical security defenses to tamper with official results.

In Philadelphia, he warns, someone has stolen some specialized USB drives from an election office. Those stolen USB sticks, he says, are compatible with the voting tabulation machines used in Rhode Island, which could introduce a vulnerability.

In another scenario, attackers hack into the early, unofficial results, creating an enormous disparity between unofficial results and official results. That could inflict tremendous damage by undermining confidence in the system, Perez says.

Officials emphasize that Rhode Island has a certain strength that other states lack: The basis of its system is old-fashioned paper ballots marked by voters. Hackers based in Russia or Iran can’t alter paper records.

“We have backup,” says the leader of the Guard’s cybersecurity unit. “Low tech,” adds Tetreault, “is good tech.”
