A security researcher has discovered vulnerabilities in 19 commercial platforms used by United States government agencies and courts. The flaws could allow malicious actors to gain access to government and legal systems, exposing confidential data, compromising personal information and allowing documents to be altered. The research suggests the vulnerabilities could also be leveraged to falsify voter registration databases.
Jason Soroko, Senior Fellow at Sectigo, a Scottsdale-based company, says, “Jason Parker’s findings highlight a deep issue: government and legal systems rely on outdated infrastructure unfit for modern cybersecurity threats. Penetration testing is useful, but it is not enough. It uncovers flaws; however, it doesn’t fix the core weaknesses in legacy systems or address the need for proactive security. While rip-and-replace may not be possible for these systems, penetration testing can help to point out where more monitoring is needed, but it may be impossible to employ the security controls that are necessary.
“Many systems, 20 to 30 years old, lack modern features like strong authentication, encryption, and access controls. These gaps make them vulnerable to attacks. The fact that attackers can easily alter voter databases or access legal records shows the limits of relying on reactive measures like penetration testing.
“Government agencies should consider developing or adopting standardized security frameworks and guidelines that all vendors must follow. Procurement policies with stated goals and outcomes need to be part of the plan going forward.”
To manage these vulnerabilities, the research suggests that government entities should focus on penetration testing, employee training and software audits.
Casey Ellis, Founder and Chief Strategy Officer at Bugcrowd, comments, “I partly agree with Jason about pentesting. These systems need more eyes on the target, however, and more importantly, there needs to be accountability around fixing what is found. In the case of election security, that is true at both the vendor AND the owner level.
“Pentesting addresses the eyes-on-the-target problem, but not the accountability one. Such a vast and disparate set of systems requires the implementation of vulnerability disclosure programs with coordinated disclosure policies and safe harbor, such as those implemented by the voting machine manufacturers in 2020 and mandated into Federal Civilian Agencies by CISA in BOD 20-01.”