
Government agencies use platforms that have vulnerabilities
A security researcher has uncovered vulnerabilities in commercial platforms used by United States government agencies and courts. The vulnerabilities were found across 19 commercial platforms and could grant malicious individuals access to government and legal systems, compromising confidential data, personal information, and document integrity. The research indicates that these vulnerabilities could be exploited to manipulate voter registration databases.
Jason Soroko, Senior Fellow at Sectigo in Scottsdale, remarked, “Jason Parker’s discoveries shed light on a significant problem: government and legal systems are dependent on outdated infrastructure that is ill-equipped to handle modern cybersecurity threats. While penetration testing is beneficial in identifying flaws, it does not address the fundamental weaknesses in legacy systems or the necessity for proactive security measures. Although it may not be feasible to entirely replace these systems, penetration testing can help identify areas where increased monitoring is essential. However, implementing the necessary security controls may prove to be challenging.”
“Many systems, some dating back 20 to 30 years, lack contemporary features such as strong authentication, encryption, and access controls, leaving them vulnerable to cyber attacks. The ability of attackers to easily alter voter databases or access legal records underscores the limitations of solely relying on reactive measures like penetration testing.
“Government entities should consider developing or adopting standardized security frameworks and guidelines that all vendors must adhere to. Procurement policies, with clearly defined objectives and outcomes, should be included in future planning.”
To address these vulnerabilities, the research suggests that government organizations should prioritize penetration testing, employee training, and software audits.
Casey Ellis, Founder and Chief Strategy Officer at Bugcrowd, added, “I agree with Jason regarding penetration testing. However, these systems require more scrutiny, and importantly, there needs to be accountability when addressing the issues that are identified. This is particularly crucial for election security, both at the vendor and owner levels.
“While penetration testing helps in scrutinizing vulnerabilities, it does not address the crucial issue of accountability. Given the extensive and diverse range of systems in place, it is imperative to implement vulnerability disclosure programs with coordinated disclosure policies and safe harbor protections, similar to those adopted by voting machine manufacturers in 2020 and mandated for Federal Civilian Agencies by CISA in BOD 20-01.”