COLUMBUS - Ohio Secretary of State Frank LaRose has issued the nation’s first state elections system Vulnerability Disclosure Policy. The policy, common among larger private sector businesses, establishes procedures for outside researchers to inspect the Secretary of State’s website for vulnerabilities. Once those vulnerabilities are reported, it allows 120 calendar days for LaRose’s office to repair the vulnerability before the researcher may publicly announce its discovery. Having a defined time period assures the cybersecurity community that reports of potential vulnerabilities will be treated with the seriousness they deserve.
Since Secretary LaRose implemented the 2019 Election Security Directive, Ohio has been a national leader in election security. That directive set in place a 34-point security checklist for both the county boards and Secretary of State’s office. Those requirements were improved upon recently when the Secretary issued the 2020 Election Security & Accessibility Directive. This new policy continues Ohio’s position as the national leader in election security.
“We need to be vigilant and this smart approach ensures that Ohio continues to lead on election cybersecurity,” said LaRose. “Make no mistake, our nation’s enemies will be looking to disrupt our elections, and our websites & databases are among their top targets. By putting this policy in place, we’ll be able to work with cybersecurity researchers to find our vulnerabilities before the bad guys do.”
“Cybersecurity researchers can be important partners in supporting election officials by spotting and reporting vulnerability gaps,” said Christopher Krebs, Director of the Cybersecurity and Infrastructure Security Agency. “Ohio’s new vulnerability disclosure policy represents major progress in bringing together researchers and election officials to secure our election systems. Congratulations to Ohio Secretary of State LaRose and his team for leading the way.”
“The Ohio Secretary of State's vulnerability disclosure policy is a first in the US for a state, and a major step forward in election security,” said cybersecurity expert Eric Mill. “By welcoming and authorizing good faith security research into its election systems, Ohio is making it safe for the public to report security issues to be fixed before they become a problem. This not only helps secure Ohio's election systems, it sends a positive message about collaboration between election officials and the security community that will open the door to further partnerships and will serve Ohioans and Americans well in the years to come.”
The policy describes what systems and types of research are covered, how to report vulnerabilities to the Secretary of State’s office, what is asked of cybersecurity researchers, and what researchers can expect from our office. You may view the entire policy by clicking here.