Online Voting System

Cybersecurity

The sanctity of elections and ensuring every vote matters demands that cybersecurity be treated with the highest regard in an online voting system. Below is a description of some of the practices in place at Skypunch Technology to ensure the system complies with the highest industry standards for cybersecurity.

National Institute of Standards and Technology Special Publication 800-53

Learn more about this publication at the NIST website and, for a more general overview, in its Wikipedia article. While originally created to provide a collection of privacy controls for federal information systems, it has emerged as a benchmark for many other entities, including private companies. Skypunch maintains compliance with it by enabling the NIST 800-53 standard in Security Hub, a service within Amazon Web Services that understands both the Skypunch system architecture and the controls within the NIST standard. If and when the architecture fails to satisfy a control, Security Hub identifies that for remediation. As technology and the standard itself evolve, this is regularly monitored to maintain 100% compliance.

Partnering With CISA

The Cybersecurity and Infrastructure Security Agency (CISA) is the agency within the United States Department of Homeland Security charged with securing America’s critical infrastructure. That includes public sector election systems, and Skypunch Technology works with CISA to perform an in-depth monthly vulnerability scan using industry-standard tools. Much of this scanning activity is driven by the Open Web Application Security Project’s Application Security Verification Standard.

Red Team Testing

Through its residency in Vantage Ventures, Skypunch Technology has formed a partnership with the West Virginia University John Chambers College of Business and Economics, recognized as a National Center of Excellence for Cybersecurity in Critical Infrastructure. This relationship means that professors with expertise in cybersecurity lead students through such exercises as:

  1. vulnerability scanning
  2. penetration testing
  3. threat hunting
  4. auditing and compliance with various industry standards

The relationship is a win-win: it provides students with an experiential learning model in a real-world environment, while Skypunch enjoys the benefit of having many different sets of eyes perform various assessments.

Code and Package Scanning

Source code is scanned, and machine learning is used to identify spots where that code could be improved with regard to security and/or performance. Additionally, should known vulnerabilities exist in any of the packages upon which the source code relies, those are also identified so they may be patched. This scanning service runs any time source code is updated or new package vulnerabilities become known.

Amazon Web Services Certification

When working with Amazon Web Services (AWS), it is important to have an expert understanding of the environment in order to properly remediate the findings that may be identified from all of the aforementioned activity. The same AWS certified engineers available from Skypunch’s AWS consulting services are behind the construction and maintenance of the voting system and apply that expertise throughout.