Research Team Status

• Names of researchers and position 
  (e.g. Research Scientist, PostDoc, Student (Undergrad/Masters/PhD)
• Dr. Natalie M. Scala, PI
• Dr. Josh Dehlinger, co-PI
• Skylar Gayhart, Graduate Research Student (funded by this project)
• Vanessa Gregorio, Undergraduate Research Student (funded by this project)
• Yavor Gray, Undergraduate Research Student (funded by this project)
• Noah Hibbler, Undergraduate Research Student (unfunded, for credit)
• Hao Nguyen, Graduate Research Student (funded by this project)
• Silverline Amara Offor, Graduate Research Student (funded by university)
• Aaryan Patel, Undergraduate Research Student (unfunded, for credit)
• Vince Schiavone, Research Specialist (funded by this project)
   
• Any new collaborations with other universities/researchers?

Since the prior quarterly report (2/15/24), no new collaborations with other universities/researchers related to this project have been established. 

New collaborations with other universities/researchers since the start of this funded project (9/1/24) includes:

• Two of our student researchers (Noah Hibbler and Aaryan Patel) are the result of a continuing collaboration between the Empowering Secure Elections Research Lab at Towson University PI (Scala) and the University of Maryland Advanced Cybersecurity Experience for Students program.  
• While not directly related to granted activities proposed in the current solicitation, new, synergistic collaborations with Dr. Thessalia Merivaki (Assistant Professor of American Politics in the Department of Political Science and Public Administration at Mississippi State University) and Anne Arundel County Board of Elections, existing partners of the Empowering Secure Elections Research Lab, to conduct a survey of registered voters in Anne Arundel County, Maryland about their election/voting concerns related to location, security/integrity, trust in the system, etc. Note, no NSA funding was/is used for this project.  

Project Goals

• What is the current project goal?

  The accepted proposal defined three main goals (cf. Table 1 in Technical Proposal) to achieve throughout the duration of the project, as follows:

• To develop and disseminate a systematic threat and mitigation analysis approach for cyber, physical, and insider risks that addresses the actions of adversaries and trusted insiders and is applicable to national critical infrastructure socio-technical systems and processes.
• To create a framework to model relative likelihood risk assessments, including the actions of adversaries and trusted insiders as contributors to cyber, physical, and insider threat scenarios.

• To develop, model, and analyze policy implications and security mitigations (e.g., adversarial implications, human behavior interdictions) and their ability to reduce cyber, physical, and insider risks to socio-technical critical infrastructure.

  Based on the project timeline given in the accepted proposal, three main tasks/outcomes were defined in the first year of the project primarily supporting Project Goal 1, as follows:

• A comprehensive, updated attack tree and mitigation analysis for critical infrastructure equipment and processes. 
• A scenario analysis to categorize threat scenarios as cyber, physical, or insider with an adversarial or insider source. 

• A risk assessment of threat scenarios on the updated attack tree that considers insider / adversarial attack costs and technical difficulties as well as information assurance assessments of the difficulties to discover an attack.

  Regarding task/outcome 1, our team has conducted a comprehensive literature review to identify new threats for the precinct central optical scanner (PCOS), the critical infrastructure equipment we identified as a case study for this project. Identified threats have been analyzed and categorized (e.g., cyber, physical, and/or insider threat; phase of voting process, etc.). We are now in the process of being compared/added to the prior Elections Assistance Commission PCOS threat tree to be able to start generating threat scenarios from the threat tree. As such, this task/outcome is ongoing and proceeding according to the timeline given in the accepted proposal. 

  Regarding task/outcome 2, our team has examined existing, open-source threat tree / fault tree analysis tools to adapt/modify, as needed, to be able to model and analyze the cyber, physical, and insider threat scenarios arising from the newly updated PCOS threat tree developed through task/outcome 1. We have identified and evaluated several candidate tools to validate their functionality and to determine the difficulty of modification to meet the project’s needs. Our team arrived at using AT-AT (Attack Tree Analysis Tool), an open source tool that provides some of the desired functionality and is amenable to the modifications required for this work. We are now in the process of exploring/making these changes and testing it against prior threat trees/scenarios we developed prior to this funded project. As such, this task/outcome is ongoing and proceeding according to the timeline given in the accepted proposal.  

  Regarding task/outcome 3, our team is continuing to research alternative methods/approaches to evaluate threat attack and mitigation costs. In prior work (Scala et al., 2022), our team utilized Du and Zhu’s (2013) security assessment approach to assess the associated attack, technical difficulty, and discovery costs; in this work, we are examining any alternative security assessment approaches that better incorporates insider threats and mitigation costs/effectiveness. As such, this task/outcome is ongoing and proceeding according to the timeline given in the accepted proposal.   

  The culmination of these three detailed tasks/outcomes, to be completed in the project’s first year, leads towards achieving project goal 1, and partially contributes towards project goal 2. 
   

• How does the current goal factor into the long-term goal of the project?

  The long-term goal/vision of the project, as detailed in the accepted proposal, is to “model the relative risks of adversaries and trusted insiders exploiting threat scenarios in developed attack trees, using critical infrastructure precinct count optical scanner (PCOS), in-person voting machines as a case study”. Project goal 1 analyzes the existing, 2009 Elections Assistance Commission’s threat tree for the PCOS voting system, the critical national infrastructure system selected as a case study for this project, and develops a comprehensive, updated threat tree (and other security analysis artifacts) reflecting new threats and the adaptive adversaries to be able to develop threat scenarios and mitigation strategies, project goals 2 and 3. 

Accomplishments

• Address whether project milestones were met. If milestones were not met, explain why, and what are the next steps.

  The project tasks/outcomes 1-3, as described in the prior sections, remain the targeted milestones for project year 1, as defined in the accepted proposal. Each of these tasks/outcomes are ongoing and proceeding according to the timeline given in the accepted proposal. Given this is the second quarterly report, over a 3-year project, significant time was initially spent hiring and getting the project team familiar with election security, threat analysis, etc. Thus, the planned next steps are to follow the original project timeline, described in prior sections, and continue working towards completing tasks/outcomes 1-3.  

• What is the contribution to foundational cybersecurity research? Was there something discovered or confirmed?

  This project is still in its initial stages and, thus, has not made a significant contribution to foundational cybersecurity research literature. It is anticipated that upon the completion of project tasks/outcomes 1-3, contributing towards project goal 1, an updated, security threat tree analysis of the PCOS voting equipment will provide a contribution to election security research and the security assessment method used (i.e., incorporating a holistic, cyber, physical, and insider threat analysis and threat/mitigation cost assessment) will serve as a contribution to how critical infrastructure socio-technical systems could be assessed in the context of system security/integrity.

The first contribution to cybersecurity research, still in progress, may be the improved attack/threat tree tool (described previously and aligned with task/outcome 2) that is currently being developed/modified from an existing, open-source fault tree tool. When completed, this tool contribution will be publicly available at our lab’s repository (see https://github.com/Empowering-Secure-Elections/). We anticipate this initial version to be available during year 1 of this project and will be reported on in future quarterly reports.  
 

• Impact of research

  • Internal to the university (coursework/curriculum)

    The following impacts of research reflect all those internal to Towson University made during Year 1 of this funded project. 

    Thus far, the project has made some impact internal to Towson University. Project PI Scala was named as a Towson University Cyber Fellow to the newly established Center for Interdisciplinary & Innovative Cybersecurity. This has allowed the Empowering Secure Elections Research Lab, the project team for this project, to establish a permanent student and faculty research lab space within the center and provided significant computing equipment for the student research team. 

    Secondly, although not directly related (and not funded) to activities proposed in the accepted proposal, this project has synergistically allowed the PIs to propose and develop a Security Assessment & Management Graduate Certificate (see https://www.towson.edu/cla/departments/interdisciplinary/grad/security-assessment-management-certificate/) in Fall 2023 and enrolled an initial student (Hao Nguyen, Graduate Student Researcher on this project team). 

    Finally, this project has impacted 8 Towson University undergraduate and graduate students involved in this project. The current project team consists of four undergraduate and 4 graduate students, pursuing degrees in Computer Science, Supply Chain Management, Business Administration, Accounting, etc. who, if not for involvement in this project, would not otherwise have gained experience in authentic cybersecurity assessment research or, more specifically, election security research. 

  • External to the university (transition to industry/government (local/federal); patents, start-ups, software, etc.)

    As this project is in its initial year, there have not been any research impacts external to the university to currently report. 

  • Any acknowledgements, awards, or references in media?

    The following acknowledgements, awards, and/or references in media reflect all those occurring during Year 1 of this funded project. 

    While not directly related to the proposed, funded project, the Empowering Secure Election Research Lab and project team has been recognized in university media for ongoing, synergistic work in election security through an existing, ongoing partnership with Anne Arundel County, Maryland Board of Elections (see https://www.towson.edu/news/2024/voting-survey-anne-arundel-county.html) as well as on local, Baltimore new media (see https://www.wbaltv.com/article/election-survey-voting-process-anne-arundel-county-towson-university/46822355). Note, no NSA funding was/is used for this project.  

    The synergistic work also appeared on page 2 on the special Education section of the April 14, 2024 Baltimore Sun. 

Publications and presentations

• Add publication reference in the publications section below. An authors copy or final should be added in the report file(s) section. This is for NSA's review only.

  Publications/presentations directly related to the project during the current reporting quarter:

• N. M. Scala and J. Dehlinger. “Quantitative Threat Modeling and Risk Assessment in the Socio-Technical Critical Infrastructure Systems”. Invited virtual presentation / discussion session with DARPA and VotingWorks representatives, April 2024. 

Synergistic publications/presentations not directly related (or funded by) to the accepted project proposal during the current reporting quarter:

• A. Kassel, I. Bloomquist, N. M. Scala, and J. Dehlinger. “Understanding the Impact of Poll Worker Cybersecurity Behaviors on U.S. Election Integrity”. Accepted with minor revisions to the Proceedings of the Institute of Industrial and Systems Engineers (IISE) Annual Conference and Expo 2024, May 2024.

• H. Nguyen, N. M. Scala, and J. Dehlinger. “Analysis of Security Behaviors of Supply Chain Professionals”. Accepted with minor revisions to the Proceedings of the Institute of Industrial and Systems Engineers (IISE) Annual Conference and Expo 2024, May 2024.

   

• Optionally, upload technical presentation slides that may go into greater detail. For NSA's review only.

  Not applicable this reporting period.