Krishna Raja
Managing Director
Cyber Risk
Toronto
Mon, May 13, 2024
Safeguarding Election Security Through Penetration Testing
Discover how VotingWorks joined forces with Kroll to ensure the trustworthiness of its flagship tool, Arlo
The Challenge
The Challenge
Founded in 2018 by seasoned election security experts, VotingWorks stood as a leading non-profit vendor, specializing in open-source software for election security. Its flagship tool, Arlo, developed in collaboration with the U.S. Department of Homeland Security, spearheaded risk-limiting audits (RLAs), a critical aspect of its offerings.
Given its role in election security, the assurance of trustworthiness was paramount for VotingWorks. To instill confidence in states, counties and municipalities utilizing its software, the company operated on the principles of transparency. While its code was publicly accessible, transparency formed just one layer in its quest to deliver a secure and reliable election audit product.
As the 2020 general election loomed, public scrutiny on election security and auditing intensified. Citizens, media and officials raised concerns about vote accuracy. The stakes were high, which prompted sophisticated threat actors—even state-sponsored groups—to eye potentially vulnerable election data management software. For government agencies viewing Arlo, the confidence that these threats couldn't tamper with election or audit outcomes was imperative.
This urgency was particularly acute in swing states like Georgia, which had reviewed all 5 million ballots through Arlo's RLAs. Other pivotal states, including Michigan and Pennsylvania, had also utilized Arlo in their election processes.
However, despite the critical need for security, a federal standard for RLA software like Arlo hadn't been established as of 2020. VotingWorks faced the task of identifying an independent partner with robust software security credentials and profound experience in testing and securing emerging technologies to address these pressing security concerns.
Kroll was top of mind.
Kroll's Solution
Kroll's Solution
Upon soliciting competitive bids, VotingWorks opted to collaborate with Kroll for the penetration testing of Arlo before the 2020 election audits. This comprehensive penetration test encompassed both an open-box web application security assessment and a technology-assisted source code review.
The assessment delved into the penetration testing of the software itself, ensuring that the logic was not only developed, but also implemented securely. Additionally, it included a thorough examination of the infrastructure supporting Arlo, spanning both production and staging environments. This aspect was crucial as VotingWorks provides the Arlo software and extends hosting and management services to its clients utilizing Arlo. The overarching goal of the penetration test was to evaluate the platform's security for post-election audits, aiming to instill trust in both states and voters.
The Impact
The Impact
VotingWorks, committed to earning voters' trust, found a valuable ally in Kroll during the penetration-testing phase for Arlo. This collaboration yielded several key advantages in line with its foundational goal:
- Enhanced product security: Through Kroll's assessment, VotingWorks swiftly identified and addressed security findings affecting Arlo's integrity. The rigorous penetration test pinpointed three low-risk security issues in the Arlo platform ahead of its deployment for the Georgia recount. Prompt action led to immediate resolution of two issues, while dedicated efforts were allocated to resolve the third. This proactive approach ensured a more secure product, not just for Georgia, but for all governments utilizing Arlo for RLAs in the 2020 elections and beyond.
- Continuous software vigilance: Recognizing that security is an ongoing process, VotingWorks aligned with Kroll in this shared perspective. As Arlo continued to evolve and adapt to the threat landscape, Kroll continued to support VotingWorks in its efforts to keep Arlo at the forefront of election security and trust.
- Strengthened trust: By partnering with Kroll for penetration testing and continuous security assessments, VotingWorks demonstrated a tangible investment in transparency and collaboration with security experts. This ongoing commitment to testing and improvement was a vital component in establishing trust, especially for software integral to sensitive and high-profile purposes such as election integrity. VotingWorks built trust with governments and voters, emphasizing the importance of a robust and continuously fortified security framework overall.
Need help staying ahead of a complex challenge?
Red Team Security Services
Red team security services from Kroll go beyond traditional penetration testing, leveraging our frontline threat intelligence and the adversarial mindset used by threat actors to push the limits of your information security controls.
Penetration Testing Services
Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.
Discover More Client Stories
Client Story
Client Story
Kroll's Managed Detection and Response Services Elevate a UK Bank's Cyber Risk Mitigation Capabilities
Apr 11, 2024
Learn how Kroll's exceptional customer service and security expertise gave their client confidence to continue its growth securely and safely.Client Stories
Resolving a Highly Complex Security Breach for a Global Multinational
Feb 14, 2023
Discover how Kroll employed its integrated expertise in Cyber Security Services, Financial Fraud, Workflow Assessment, and Physical Security Services to resolve and enable a fast recovery from the damage caused by a highly complex security breach.Kroll is headquartered in New York with offices around the world.
55 East 52nd Street 17 Fl
New York NY 10055
Sign up to receive periodic news, reports, and invitations from Kroll.
Our privacy policy describes how your data will be processed.
© 2024 Kroll, LLC. All rights reserved.
Kroll is not affiliated with Kroll Bond Rating Agency,
Kroll OnTrack Inc. or their affiliated businesses. Read more.