2024 Q3

Research Team Status

  • Names of researchers and position 
    (e.g. Research Scientist, PostDoc, Student (Undergrad/Masters/PhD))
  • Dr. Natalie M. Scala, PI
  • Dr. Josh Dehlinger, co-PI
  • Skylar Gayhart, Graduate Research Student (funded by this project)
  • Vanessa Gregorio, Undergraduate Research Student (funded by this project)
  • Yavor Gray, Undergraduate Research Student (pro bono)
  • Noah Hibbler, Undergraduate Research Student (unfunded, for credit - Spring 2024; funded by this project - Summer 2024)
  • Hao Nguyen, Graduate Research Student (funded by this project)
  • Silverline Amara Offor, Graduate Research Student (funded by university)
  • Aaryan Patel, Undergraduate Research Student (unfunded, for credit)
  • Vince Schiavone, Research Specialist (funded by this project)
  • Alisa Martin, Graduate Research Student (funded by this project)
  • Emily Aguirre, Undergraduate Research Student (funded by this project)

     
  • Any new collaborations with other universities/researchers?

While not funded by this project, PI Scala holds a Faculty Affiliate position with the Applied Research Lab for Intelligence and Security (ARLIS) at the University of Maryland, College Park.  ARLIS hosts the Research for Intelligence and Security Challenges (RISC) summer internship program.  Dr. Scala is mentoring an intern team, supporting the Defense Counterintelligence and Security Agency.  As part of the intern team’s proof of concept model, they are using Security Behaviors Intentions Scale (SeBIS) data collected by the ESE lab as proxy data for their predictive risk model.  The intent is that the Likert Scale security nature of the SeBIS data mirrors the spirit of DCSA’s data, which is classified.  This is a synergy project where we can be one of the first to use SeBIS data to create predictions.  We intend to connect with Dr. Serge Egelman regarding SeBIS predictive models, if the interns find success in their efforts this summer.

New collaborations with other universities/researchers since the start of this funded project (9/1/24) includes:

  • Two of our student researchers (Noah Hibbler and Aaryan Patel) are the result of a continuing collaboration between the Empowering Secure Elections Research Lab at Towson University PI (Scala) and the University of Maryland Advanced Cybersecurity Experience for Students program.  
  • While not directly related to granted activities proposed in the current solicitation, synergistic collaborations with Dr. Thessalia Merivaki (Georgetown University) and Anne Arundel County Board of Elections, existing partners of the Empowering Secure Elections Research Lab, to conduct a survey of registered voters in Anne Arundel County, Maryland about their election/voting concerns related to location, security/integrity, trust in the system, etc. Note, no NSA funding was/is used for this project.  

 

Project Goals

  • What is the current project goal?

 

  • The accepted proposal defined three main goals (cf. Table 1 in Technical Proposal) to achieve throughout the duration of the project, as follows:
  • To develop and disseminate a systematic threat and mitigation analysis approach for cyber, physical, and insider risks that addresses the actions of adversaries and trusted insiders and is applicable to national critical infrastructure socio-technical systems and processes.
  • To create a framework to model relative likelihood risk assessments, including the actions of adversaries and trusted insiders as contributors to cyber, physical, and insider threat scenarios.
  • To develop, model, and analyze policy implications and security mitigations (e.g., adversarial implications, human behavior interdictions) and their ability to reduce cyber, physical, and insider risks to socio-technical critical infrastructure.
  • Based on the project timeline given in the accepted proposal, three main tasks/outcomes were defined in the first year of the project primarily supporting Project Goal 1, as follows:
  • A comprehensive, updated attack tree and mitigation analysis for critical infrastructure equipment and processes. 
  • A scenario analysis to categorize threat scenarios as cyber, physical, or insider with an adversarial or insider source. 
  • A risk assessment of threat scenarios on the updated attack tree that considers insider / adversarial attack costs and technical difficulties as well as information assurance assessments of the difficulties to discover an attack.
  • Regarding task/outcome 1, our team completed a comprehensive literature review to identify new threats for the precinct central optical scanner (PCOS), the critical infrastructure equipment we identified as a case study for this project. Identified threats have been analyzed and categorized (e.g., cyber, physical, and/or insider threat; phase of voting process, etc.). Through Failure Modes and Effects Analysis (FMEA), we defined new threats to PCOS voting and worked as a team to place them on an updated attack tree.  We are now in the process of validating the new tree and comparing its threats to the cyber, physical, and insider threat influence diagram first proposed by Locraft, et al. (2019) in the literature.  Once this validation step is complete, task 1 will be complete, aligning with the timeline given in the accepted proposal. 
  • Regarding task/outcome 2, our team continues to examine existing, open-source threat tree / fault tree analysis tools to adapt/modify, model, and analyze the cyber, physical, and insider threat scenarios arising from the newly updated PCOS threat tree developed through task/outcome 1. We continue to modify the AT-AT (Attack Tree Analysis Tool), an open source tool, to provide the desired functionality needed for this research.  Our updated AT-AT model is functionally working, and we are working to visually improve the user experience while using the tool.  After meeting with the hosting team at Vanderbilt, we intend for the tool to be hosted on the SoS VO upon completion.  Once the user functionality improves, task 2 will be complete, aligning with the timeline given in the accepted proposal. 
  • Regarding task/outcome 3, our team is continuing to research alternative methods/approaches to evaluate threat attack and mitigation costs. In prior work (Scala et al., 2022), our team utilized Du and Zhu’s (2013) security assessment approach to assess the associated attack costs (AC), technical difficulty, (TD) and discovery difficulty (DD); we adapted the same utility approach for this project.  We built the AC, TD, and DD functionality into the modified AT-AT tool and are able to calculate the relative risk of threat scenarios.  We also employed a team to use the Delphi Method to iteratively provide risk assessments for each threat on the updated PCOS tree, using the AC, TD, and DD utility framework.  The Delphi assessment is complete, pending any additional threats to be found via validation of the attack tree (task 1).  Once any remaining threats are identified, they will also be Delphi assessed, which will occur during the base year.  The timeline for this task, in the accepted proposal, is base year + option year 1.  Therefore, this task continues to be ongoing, with the final relative risk scenarios to be calculated in year 2, using the completed AT-AT tool.

     
  • How does the current goal factor into the long-term goal of the project?

The long-term goal/vision of the project, as detailed in the accepted proposal, is to “model the relative risks of adversaries and trusted insiders exploiting threat scenarios in developed attack trees, using critical infrastructure precinct count optical scanner (PCOS), in-person voting machines as a case study”. Project Goal 1 analyzes the existing Elections Assistance Commission threat tree (2009) for the PCOS voting system, the critical national infrastructure system selected as a case study for this project, and develops a comprehensive, updated threat tree (and other security analysis artifacts) reflecting new threats and the adaptive adversaries to be able to develop threat scenarios and mitigation strategies, Project Goals 2 and 3. 

 

Accomplishments

  • Address whether project milestones were met. If milestones were not met, explain why, and what are the next steps.
     
  • The project tasks/outcomes 1 and 2, as described in the prior sections, remain the targeted milestones for the base year, as defined in the accepted proposal.  Task/outcome 3 is a milestone for both the base year and option year 1.  Each of these tasks/outcomes are ongoing and proceeding according to the timeline given in the accepted proposal.  We are close to completion for tasks/outcomes 1 and 2, and intend for them to be complete in the near future.  Task/outcome 3 will continue into option year 1 (pending funding) along with additional tasks and outcomes, as defined in the accepted proposal. 
     

  • What is the contribution to foundational cybersecurity research? Was there something discovered or confirmed?

     

  • This project is still in its initial base year stages and, thus, has not yet made a significant contribution to foundational cybersecurity research literature. It is anticipated that upon the completion of project tasks/outcomes 1-3, contributing towards Project Goal 1, an updated, security threat tree analysis of the PCOS voting equipment will provide a contribution to election security research and the security assessment method used (i.e., incorporating a holistic, cyber, physical, and insider threat analysis and threat/mitigation cost assessment) will serve as a contribution to how critical infrastructure socio-technical systems could be assessed in the context of system security/integrity.
  • The first contribution to cybersecurity research will be the improved attack/threat tree AT-AT tool (described previously and aligned with task/outcome 2) that is currently being modified and finalized from an existing, open-source fault tree tool. When completed, this tool contribution will be publicly available at our lab’s repository (see https://github.com/Empowering-Secure-Elections/) with subsequent hosting on the SoS VO. We anticipate this initial version to be available in the near future (base year).  Any ongoing revisions to the AT-AT tool, as needed to support the research outcomes, will be reported on in future quarterly reports with updated hosting.  
     
  • Impact of research
    • Internal to the university (coursework/curriculum)
  • The following impacts of research reflect all those internal to Towson University made during the base year of this funded project. 
  • Project PI Scala was named as a Towson University Cyber Fellow to the newly established Center for Interdisciplinary & Innovative Cybersecurity. This has allowed the Empowering Secure Elections Research Lab, the project team for this project, to establish a permanent student and faculty research lab space within the center and provided significant computing equipment for the student research team. 
  • Secondly, although not directly related (and not funded) to activities proposed in the accepted proposal, this project has synergistically allowed the PIs to propose and develop a Security Assessment & Management Graduate Certificate (see https://www.towson.edu/cla/departments/interdisciplinary/grad/security-assessment-management-certificate/) in Fall 2023 and enrolled an initial student (Hao Nguyen, Graduate Student Researcher on this project team). 

  • Finally, this project has impacted 8 Towson University undergraduate and graduate students involved in this project. The current project team consists of five undergraduate and four graduate students, pursuing degrees in Computer Science, Supply Chain Management, Business Administration, Accounting, etc. who, if not for involvement in this project, would not otherwise have gained experience in authentic cybersecurity assessment research or, more specifically, election security research. 

     

    • External to the university (transition to industry/government (local/federal); patents, start-ups, software, etc.)

As this project is in its initial year, there have not been any research impacts external to the university to currently report. However, we have potential synergistic contributions under development with the Anne Arundel County Board of Elections and the Applied Research Lab for Intelligence and Security at the University of Maryland, College Park.  Both synergies were explained in previous sections of this report.

  • Any acknowledgements, awards, or references in media?

     

  • While not directly related to the proposed, funded project, the Empowering Secure Election Research Lab and project team continues to be recognized in local media for ongoing, synergistic work in election security through an existing, ongoing partnership with Anne Arundel County, Maryland Board of Elections.  The latest story was from the Baltimore Banner:  https://www.thebaltimorebanner.com/politics-power/local-government/banner-political-notes-MUGXODX7MREBJFHDTZZI2YFKEA/  Note, no NSA funding was/is used for this project.  
  • Dr. Scala was featured on Christian Broadcasting Network and the 700 Club, explaining the overview of the project and its intent to help secure critical infrastructure and the integrity of votes.    CBN: https://www2.cbn.com/news/politics/us-voting-process-under-scrutiny-all-things-could-possibly-go-wrong   700 Club: https://www2.cbn.com/video/shows/700-club-june-26-2024
  • Finally, two undergraduate students - Noah Hibbler and Aaryan Patel - are enrolled in the Advanced Cybersecurity Experience for Students (ACES) program at the University of Maryland, College Park, and contribute to this project.  The University of Maryland highlighted this in Maryland Today and then promoted it on social media as a research note: https://today.umd.edu/how-safe-are-voting-machines-dod-funded-lab-ids-vulnerabilities

 

Publications and presentations

  • Add publication reference in the publications section below. An authors copy or final should be added in the report file(s) section. This is for NSA's review only.

     

  • Publications/presentations directly related to the project during the current reporting quarter:
  • V. Gregorio, N. M. Scala and J. Dehlinger. “Securing Democracy: Threat Mitigations in Mail Voting Processes”. Presentation at the IISE Annual Conference and Expo, May 2024.  Corresponding technical paper accepted to IISE Magazine, with a future print date in 2024.
  • Synergistic publications/presentations not directly related (or funded by) to the accepted project proposal during the current reporting quarter:
  • A. Kassel, I. Bloomquist, N. M. Scala, and J. Dehlinger. “Understanding the Impact of Poll Worker Cybersecurity Behaviors on U.S. Election Integrity”. Proceedings of the Institute of Industrial and Systems Engineers (IISE) Annual Conference and Expo 2024, May 2024.

  • H. Nguyen, N. M. Scala, and J. Dehlinger. “Analysis of Security Behaviors of Supply Chain Professionals”. Proceedings of the Institute of Industrial and Systems Engineers (IISE) Annual Conference and Expo 2024, May 2024.

     

  • Optionally, upload technical presentation slides that may go into greater detail. For NSA's review only.
  • Slides from each IISE conference presentation are included with this report.
Lead PI:
Natalie Scala
Co-Pi(s):
Josh Dehlinger
Report Materials
Publications
Files