Research Team Status

• Names of researchers and position 
  (e.g. Research Scientist, PostDoc, Student (Undergrad/Masters/PhD)
• Dr. Natalie M. Scala, PI
• Dr. Josh Dehlinger, co-PI
• Skylar Gayhart, Graduate Research Student (funded by this project)
• Yavor Gray, Graduate Research Student (funded by this project)
• Vanessa Gregorio, Undergraduate Research Student (funded by this project)
• Noah Hibbler, Undergraduate Research Student (unfunded, for credit)
• Erich Newman, Undergraduate Research Student (funded by this project)
• Hao Nguyen, Graduate Research Student (funded by this project)
• Silverline Amara Offor, Graduate Research Student (funded by university)
• Aaryan Patel, Undergraduate Research Student (unfunded, for credit)
• Vince Schiavone, Research Specialist (funded by this project)
   
• Any new collaborations with other universities/researchers?
• Two of our student researchers (Noah Hibbler and Aaryan Patel) are the result of a continuing collaboration between the Empowering Secure Elections Research Lab at Towson University PI (Scala) and the University of Maryland Advanced Cybersecurity Experience for Students program. 
• While not directly funded by the current solicitation, a new, synergistic collaborations with Dr. Thessalia Merivaki (Assistant Professor of American Politics in the Department of Political Science and Public Administration at Mississippi State University) and Anne Arundel County Board of Elections (existing partners of the Empowering Secure Elections Research Lab) began to conduct a survey of registered voters in Anne Arundel County, Maryland about their election/voting concerns related to location, security/integrity, trust in the system, etc. 

Project Goals

• What is the current project goal?

The accepted proposal defined three main goals (cf. Table 1) to achieve throughout the duration of the project, as follows:

1. To develop and disseminate a systematic threat and mitigation analysis approach for cyber, physical, and insider risks that addresses the actions of adversaries and trusted insiders and is applicable to national critical infrastructure socio-technical systems and processes.
2. To create a framework to model relative likelihood risk assessments, including the actions of adversaries and trusted insiders as contributors to cyber, physical, and insider threat scenarios.
3. To develop, model, and analyze policy implications and security mitigations (e.g., adversarial implications, human behavior interdictions) and their ability to reduce cyber, physical, and insider risks to socio-technical critical infrastructure.

Based on the project timeline given in the accepted proposal, three main tasks/outcomes were defined in the first year of the project primarily supporting Project Goal 1, as follows:

1. A comprehensive, updated attack tree and mitigation analysis for critical infrastructure equipment and processes. 
2. A scenario analysis to categorize threat scenarios as cyber, physical, or insider with an adversarial or insider source. 
3. A risk assessment of threat scenarios on the updated attack tree that considers insider / adversarial attack costs and technical difficulties as well as information assurance assessments of the difficulties to discover an attack.

Regarding task/outcome 1, our team has conducted a comprehensive literature review to identify new threats for the precinct central optical scanner (PCOS), the critical infrastructure equipment we identified as a case study for this project. Identified threats are being analyzed, compared/added to the prior Elections Assistance Commission PCOS threat tree (dated 2009), and are in the process of being categorized (e.g., cyber, physical, and/or insider threat; phase of voting process, etc.). As such, this task/outcome is ongoing and proceeding according to the timeline given in the accepted proposal. 

Regarding task/outcome 2, our team is examining existing, open-source threat tree / fault tree analysis tools to adapt/modify, as needed, to be able to model and analyze the cyber, physical, and insider threat scenarios arising from the newly updated PCOS threat tree developed through task/outcome 1. We have identified several candidate tools and are in the process of validating their functionality and determining the difficulty of modifying tools to meet the project’s needs. As such, this task/outcome is ongoing and proceeding according to the timeline given in the accepted proposal. 

Regarding task/outcome 3, our team is starting to research alternative methods/approaches to evaluate threat attack and mitigation costs. In prior work (Scala et al., 2022), our team utilized Du and Zhu’s (2013) security assessment approach to assess the associated attack, technical difficulty, and discovery costs; in this work, we are examining any alternative security assessment approaches that may better incorporate insider threats and mitigation costs/effectiveness. As such, this task/outcome is recently initiated and proceeding according to the timeline given in the accepted proposal. 

The culmination of these three detailed tasks/outcomes, to be completed in the project’s first year, leads towards achieving project goal 1, and partially contributes towards project goal 2. 
 

• How does the current goal factor into the long-term goal of the project?

The long-term goal/vision of the project, as detailed in the accepted proposal, is to “model the relative risks of adversaries and trusted insiders exploiting threat scenarios in developed attack trees, using critical infrastructure precinct count optical scanner (PCOS), in-person voting machines as a case study”. Project goal 1 analyzes the existing, 2009 Elections Assistance Commission’s threat tree for the PCOS voting system (the critical national infrastructure system selected as a case study for this project) and develops a comprehensive, updated threat tree (and other security analysis artifacts) reflecting new threats and the adaptive adversaries to be able to develop threat scenarios and mitigation strategies, project goals 2 and 3. 

Accomplishments

• Address whether project milestones were met. If milestones were not met, explain why, and what are the next steps.

The project tasks/outcomes 1-3, as described in the prior sections, remain the targeted milestones for project year 1, as defined in the accepted proposal. Each of these tasks/outcomes are ongoing and proceeding according to the timeline given in the accepted proposal. Given this is the initial quarterly report, over a 3-year project, significant time was spent hiring and getting the project team familiar with election security, threat analysis, etc. Thus, the planned next steps are to follow the original project timeline, described in prior sections, and continue working towards completing tasks/outcomes 1-3.  
 

• What is the contribution to foundational cybersecurity research? Was there something discovered or confirmed?

This project is in the initial stages and, thus, has not yet made a significant contribution to foundational cybersecurity research literature. It is anticipated that upon the completion of project tasks/outcomes 1-3, contributing towards project goal 1, an updated, security threat tree analysis of the PCOS voting equipment will provide a contribution to election security research.  Furthermore, the security assessment method used (i.e., incorporating a holistic, cyber, physical, and insider threat analysis and threat/mitigation cost assessment) will serve as a contribution to how critical infrastructure socio-technical systems could be assessed in the context of system security/integrity. 
 

• Impact of research
  • Internal to the university (coursework/curriculum)

Thus far, the project has made impact internal to Towson University. Project PI Scala was named as a Towson University Cyber Fellow to the newly established Center for Interdisciplinary & Innovative Cybersecurity. This has allowed the Empowering Secure Elections Research Lab, the project team for this project, to establish a permanent student and faculty research lab space within the center and provided significant computing equipment for the student research team. 

Secondly, although not directly related (and not funded) to activities proposed in the accepted proposal, this project has synergistically allowed the PIs to propose and develop a graduate concentration in Election Security and Democracy (within the Professional Studies program).  The concentration enrolled an initial student during fall 2023 (Hao Nguyen, Graduate Student Researcher on this project team). 

Finally, this project has impacted 6 Towson University undergraduate and graduate students involved in this project. The current project team consists of undergraduate and graduate students, pursuing degrees in Computer Science, Supply Chain Management, Business Administration, Accounting, etc. who, if not for involvement in this project, would not otherwise have gained experience in authentic cybersecurity assessment research or, more specifically, election security research. 

• External to the university (transition to industry/government (local/federal); patents, start-ups, software, etc.)

As this project is in it’s initial year, there have not been any research impacts external to the university to currently report. 

• Any acknowledgements, awards, or references in media?

While not directly related to the proposed, funded project, the Empowering Secure Election Research Lab and project team has been recognized in university media for ongoing, synergistic work in election security through an existing, ongoing partnership with Anne Arundel County, Maryland Board of Elections (see https://www.towson.edu/news/2024/voting-survey-anne-arundel-county.html) as well as on local, Baltimore television media (see https://www.wbaltv.com/article/election-survey-voting-process-anne-arundel-county-towson-university/46822355). 

We are interested in promoting the overall research but were previously asked by SoS to wait.  If that status has changed, please advise.  We will then work with University Marketing and Communications on a media plan.

Publications and presentations

• Add publication reference in the publications section below. An authors copy or final should be added in the report file(s) section. This is for NSA's review only.

Publications/presentations directly related to the project during the current reporting quarter:

• N. M. Scala and J. Dehlinger. “Quantitative Threat Modeling and Risk Assessment in the Socio-Technical Critical Infrastructure Systems”. Presented at SoS Virtual Institute (VI) Kick-off Meeting, January 2024. 

Synergistic publications/presentations not directly related (or funded by) to the accepted project proposal during the current reporting quarter:

• V. Gregorio, J. Dehlinger, and N. M. Scala. “Protecting Maryland’s Mail Voting Processes through Poll Worker Training”. In Baltimore Business Review, January 2024. 
• A. Kassel, I. Bloomquist, N. M. Scala, and J. Dehlinger. “Analysis of Poll Worker Security Behaviors to Secure U.S. Elections”. Presented at American Society for Engineering Management 2023 International Annual Conference and 44th Annual Meeting, October 2023.
• N. M. Scala, J. Dehlinger, and L. Black. “Preparing Poll Workers to Secure U.S. Elections”. Presented at American Society for Engineering Management 2023 International Annual Conference and 44th Annual Meeting, October 2023. 

• J. Riley, V. Gregorio, N. M. Scala, and J. Dehlinger. “Voting Perceptions and Impact of Misinformation”. Presented at NATO Operations Research and Analysis Conference, October 2023. 

   

• Optionally, upload technical presentation slides that may go into greater detail. For NSA's review only.