Situation Room insights from the Election Security Exchange

Situation Room: Supply Chain Attack Highlights Need for Cyber Defense

Election offices should take note of a recent supply chain attack on Axios, a software tool used by developers to connect applications to services and data sources, which is downloaded millions of times per week. The attack is believed to have originated in North Korea. This serves as a reminder that geopolitical conflicts can put election offices in the crosshairs, whether directly or indirectly.

Why Election Officials Should Be Concerned

The Election Security Exchange is not aware of this particular supply chain vulnerability being exploited in election infrastructure. However, election infrastructure, like any other sector, relies upon many third-party providers, vendors, and other technology suppliers who, in turn, rely upon other suppliers, including open-source tools and code. A supply chain attack is when a threat actor targets a piece of hardware or software that many other systems rely on, rather than attacking those systems directly. This is why it is so important that election officials require a bill of materials for both software and hardware from their third-party providers, vendors, and other technology suppliers.

A bill of materials (sometimes called an “SBOM,” short for Software Bill of Materials) is like the ingredients list on product packaging in the grocery store. For example, a customer may want to know what ingredients are in a frozen meal, and the company that makes that product should know not only what the ingredients are but also where they are sourced. That way, if a particular ingredient is recalled, customers who purchased the meal using that ingredient will also be informed.

If election officials require their third-party providers, vendors, and other technology suppliers to provide a bill of materials, they will know the “ingredients” for their election technology. It provides additional assurance that the third-party providers, vendors, and other technology suppliers are maintaining and tracking components in their own supply chain. When these supply chain issues arise, election officials can check whether the attack affects them.
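An illustration of that check, added here and not part of the original newsletter or any vendor's tooling: given a vendor's SBOM in CycloneDX JSON, it lists every copy of a named package and the dependency chain that brings it in. The product name, component names, and version strings are constructed, and AFFECTED is a placeholder because the newsletter does not list the compromised versions.

```python
import json
from collections import defaultdict

# Placeholder only: the newsletter does not list the compromised versions.
# Replace with the versions named in the official advisory.
AFFECTED = {"0.0.0-placeholder-bad"}

# Constructed CycloneDX-style SBOM for a hypothetical vendor product.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "voter-portal"}},
    "components": [
        {"bom-ref": "a", "name": "report-client", "version": "2.1.0"},
        {"bom-ref": "b", "name": "axios", "version": "0.0.0-placeholder-bad"},
        {"bom-ref": "c", "name": "geo-lookup", "version": "4.0.2"},
        {"bom-ref": "d", "name": "axios", "version": "0.0.0-placeholder-good"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["a", "c"]},
        {"ref": "a", "dependsOn": ["b"]},
        {"ref": "c", "dependsOn": ["d"]},
    ],
})

def find_package(sbom_text, name, affected):
    """Return one finding per copy of `name`, with the chain that pulls it in."""
    bom = json.loads(sbom_text)
    root = bom.get("metadata", {}).get("component", {})
    labels = {root.get("bom-ref"): root.get("name", "?")}
    for c in bom.get("components", []):
        labels[c.get("bom-ref")] = f'{c.get("name")}@{c.get("version")}'
    parents = defaultdict(list)  # child ref -> refs that depend on it
    for dep in bom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents[child].append(dep["ref"])
    def chain(ref, seen=()):
        # Follow the first parent upward; `seen` guards against cycles.
        ups = [p for p in parents.get(ref, []) if p not in seen]
        head = chain(ups[0], seen + (ref,)) if ups else []
        return head + [labels.get(ref, ref)]
    return [{"version": c.get("version"),
             "affected": c.get("version") in affected,
             "path": " > ".join(chain(c.get("bom-ref")))}
            for c in bom.get("components", [])
            if c.get("name", "").lower() == name.lower()]

if __name__ == "__main__":
    for f in find_package(SAMPLE_SBOM, "axios", AFFECTED):
        print("AFFECTED" if f["affected"] else "ok      ", f["path"])
```

In the sample, neither copy of the package is a direct dependency of the product; both arrive through other components, which is why the dependency graph in the SBOM matters as much as the component list.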

Supply Chain Attacks

Supply chain compromises and their full impact usually become widely known long after the initial compromise and notification. A supply chain compromise can impact you even after you believe you have patched the vulnerability. When a compromise happens, election officials should require that ALL third-party providers, vendors, and other technology suppliers provide assurance that the election infrastructure the election official owns or operates is not impacted. 

Election officials need to discuss these vulnerabilities and threats with their IT or cyber teams to ensure they understand whether the election infrastructure is impacted and/or what needs to be done to remediate the issue. These conversations should not wait until you become aware of a vulnerability, though. Election officials should be asking questions of internal IT/cyber professionals, third-party providers, vendors, and other technology suppliers on an ongoing basis, starting before procurement and implementation of any new election infrastructure.

A simple question to ask your third-party providers, vendors, and other technology suppliers right now: “Does any software you provide or manage for our office use Axios? If so, can you confirm you are not running versions that were compromised, and that you have checked for signs of compromise?” For additional guidance on supply chain risk management and bill of materials requirements, review the resources highlighted in the Resource Library section of this newsletter.


The Situation Room focuses on real security incidents and threats in the news relevant to election security. To review previous issues, see the newsletter archive.