Cybersecurity
The sanctity of elections and ensuring every vote matters demands that cybersecurity be treated with the highest regard in an online voting system. Below is a description of some of the practices in place at Skypunch Technology to ensure the system complies with the highest industry standards for cybersecurity.
National Institute of Standards and Technology Special Publication 800-53
Learn more about this publication at the NIST website or, for a more general overview, at its Wikipedia article. While originally created to provide a collection of privacy controls for federal information systems, it has emerged as a benchmark for many other entities, including private companies. Skypunch maintains compliance with it by enabling the NIST 800-53 standard in Security Hub, a service within Amazon Web Services that understands both the Skypunch system architecture and the controls within the NIST standard. If and when the architecture fails to satisfy a control, Security Hub flags that control for remediation. As technology and the standard itself evolve, this is regularly monitored to maintain 100% compliance.
Partnering With CISA
The Cybersecurity and Infrastructure Security Agency (CISA) is the agency within the United States Department of Homeland Security charged with securing America’s critical infrastructure, which includes public sector election systems. Skypunch Technology works with CISA in the following ways, and any findings are promptly addressed.
Weekly Cyber Hygiene Scanning
Each week CISA uses industry-standard tools to scan the Skypunch online properties for various vulnerabilities mostly related to network and hardware configuration, but also some common web exploits.
Web Application Scanning
On a monthly basis CISA scans for vulnerabilities using industry-standard tools focused on the application itself. Much of this scanning activity is driven by the Open Web Application Security Project’s Application Security Verification Standard.
There is some overlap between the two above-mentioned scans, but each is focused on different things, and together they provide very thorough coverage.
Red Team Testing
Through its residency in Vantage Ventures, Skypunch Technology has formed a partnership with the West Virginia University John Chambers College of Business and Economics, recognized as a National Center of Excellence for Cybersecurity in Critical Infrastructure. This relationship means that professors with expertise in cybersecurity lead students through such exercises as:
- vulnerability scanning
- penetration testing
- threat hunting
- auditing and compliance with various industry standards
The relationship is a win-win: it provides students with an experiential learning model in a real-world environment, while Skypunch enjoys the benefit of having many different sets of eyes perform various assessments. It should be noted that the students might be freshmen, or they might be graduate-level students already in the workforce as cybersecurity professionals.
Code and Package Scanning
Source code is scanned and machine learning is used to identify spots where that code could be improved with regards to security and/or performance. Additionally, should known vulnerabilities exist in any of the packages upon which source code relies, those are also identified so they may be patched. This scanning service runs any time source code is updated or new package vulnerabilities become known.
Amazon Web Services Certification
When working with Amazon Web Services (AWS), it is important to have an expert understanding of the environment in order to properly remediate the findings that may be identified from all of the aforementioned activity. The same AWS certified engineers available from Skypunch’s AWS consulting services are behind the construction and maintenance of the voting system and apply that expertise throughout.
Cybersecurity Maturity Assessments
Outside parties (for example CISA or private companies) conduct cybersecurity maturity assessments when necessary to ensure not only that the technology is complying with accepted standards, but also that operational best practices are followed.