Research Team Status

Names of researchers and position 

• Dr. Natalie M. Scala, PI
• Dr. Josh Dehlinger, co-PI
• Skylar Gayhart, Research Student (funded by this project - Summer 2024)
• Vanessa Gregorio, Research Student (funded by this project - Summer 2024)
• Navya Gautam, Graduate Research Student (funded by this project - Fall2024)
• Noah Hibbler, Undergraduate Research Student (funded by this project - Summer 2024; unfunded, for credit - Fall 2024)
• Abigail Kassel, Graduate Research Student (unfunded, for credit - Fall 2024)
• Audrey Knight, Undergraduate Research Student (funded by this project  - Fall 2024)
• Marie Kouassi, Graduate Research Student (funded by this project - Fall2024)
• Shreenidhi Ayinala, Graduate Research Student (funded by this project - Fall2024)
• Alisa Martin, Graduate Research Student (funded by this project - Fall2024)
• Andrew McNeill, Graduate Research Student (funded by this project - Fall2024)
• Silverline Amara Offor, Graduate Research Student (unfunded, for credit - Fall 2024) 
• Vince Schiavone, Research Specialist (funded by this project)
• Katherine Tan, Undergraduate Research Student (funded by this project - Fall2024)
• Sadie Barret, Graduate Research Students (unfunded, for credit - Fall 2024)

Any new collaborations with other universities/researchers?

Since the prior quarterly report (7/15/24), new collaborations with other universities/researchers related to this project have been established, including:

• Two of our student researchers (Navya Gautam and Shreenidhi Ayinala) are the result of a continuing collaboration between the Empowering Secure Elections Research Lab at Towson University PI (Scala) and the University of Maryland Advanced Cybersecurity Experience for Students program.   

New collaborations with other universities/researchers since the start of this funded project (9/1/23) includes:

• Two of our student researchers (Noah Hibbler and Aaryan Patel) are the result of a continuing collaboration between the Empowering Secure Elections Research Lab at Towson University PI (Scala) and the University of Maryland Advanced Cybersecurity Experience for Students program.  
• While not directly related to granted activities proposed in the current solicitation, new, synergistic collaborations with Dr. Thessalia Merivaki (Assistant Professor of American Politics in the Department of Political Science and Public Administration at Mississippi State University) and Anne Arundel County Board of Elections, existing partners of the Empowering Secure Elections Research Lab, to conduct a survey of registered voters in Anne Arundel County, Maryland about their election/voting concerns related to location, security/integrity, trust in the system, etc. Note, no NSA funding was/is used for this project.  

Project Goals

What is the current project goal?

The accepted proposal defined three main goals (cf. Table 1 in Technical Proposal) to achieve throughout the duration of the project, as follows:

1. To develop and disseminate a systematic threat and mitigation analysis approach for cyber, physical, and insider risks that addresses the actions of adversaries and trusted insiders and is applicable to national critical infrastructure socio-technical systems and processes.
2. To create a framework to model relative likelihood risk assessments, including the actions of adversaries and trusted insiders as contributors to cyber, physical, and insider threat scenarios.
3. To develop, model, and analyze policy implications and security mitigations (e.g., adversarial implications, human behavior interdictions) and their ability to reduce cyber, physical, and insider risks to socio-technical critical infrastructure.

Based on the project timeline given in the accepted proposal, three main tasks/outcomes (cf. Table 2 in Technical Proposal) were defined in the first and second years of the project primarily supporting Project Goals 1 and 2, as follows:

1. A comprehensive, updated attack tree and mitigation analysis for critical infrastructure equipment and processes. 
2. A scenario analysis to categorize threat scenarios as cyber, physical, or insider with an adversarial or insider source. 
3. A risk assessment of threat scenarios on the updated attack tree that considers insider / adversarial attack costs and technical difficulties as well as information assurance assessments of the difficulties to discover an attack.
4. The identification of risks of most concern within the process across temporal phases.

Regarding task/outcome 1, our team has conducted a comprehensive literature review to identify new threats for the precinct central optical scanner (PCOS), the critical infrastructure equipment we identified as a case study for this project. Identified threats have been analyzed and categorized (e.g., cyber, physical, and/or insider threat; phase of voting process, etc.). We have completed the process of being compared/added to the prior Elections Assistance Commission PCOS threat tree and have leveraged the tool we are extending to be able to start generating threat scenarios from the threat tree. As such, this task/outcome is mostly complete, except for some bug fixes in the tool, according to the timeline given in the accepted proposal. 

Regarding task/outcome 2, our team has examined existing, open-source threat tree / fault tree analysis tools to adapt/modify, as needed, to be able to model and analyze the cyber, physical, and insider threat scenarios arising from the newly updated PCOS threat tree developed through task/outcome 1. We have identified and evaluated several candidate tools to validate their functionality and to determine the difficulty of modification to meet the project’s needs. Our team arrived at using AT-AT (Attack Tree Analysis Tool), an open-source tool that provides some of the desired functionality and is amenable to the modifications required for this work. We have, and will continue to, make these updates and add new features to better analyze the threat trees/scenarios we developed prior to this funded project. As such, this task/outcome is mostly complete, except for some continued enhancements to the tool, according to the timeline given in the accepted proposal.

Regarding task/outcome 3, our team has investigated alternative methods/approaches to evaluate threat attack and mitigation costs. In prior work (Scala et al., 2022), our team utilized Du and Zhu’s (2013) security assessment approach to assess the associated attack, technical difficulty, and discovery costs; in this work, we are examining any alternative security assessment approaches that better incorporates insider threats and mitigation costs/effectiveness, but, thus far, have concluded that the Du and Zhu (2013) approach to be best suited. Thus, we are continuing to integrate this approach into the tool under development. As such, this task/outcome is mostly complete, except for some continued enhancements to the tool, according to the timeline given in the accepted proposal.   

Regarding task/outcome 4 (i.e., the identification of risks of most concern within the process across temporal phases), we have utilized the developed tool to generate the 70,000+ threat scenarios to be able to identify the risks/threats of most concern. To do so, we leveraged the Delphi utility assessment of Du and Zhu (2013), see outcome 3, and performed a sensitivity analysis to ensure that the utility assessment is robust, to develop the relative likelihoods of the threat scenarios. This allows for the prioritization and analysis of the risks of most concern. To facilitate the analysis across temporal phases, we are enhancing the tool to also include temporal phases of the voting process, as defined by EAC Voluntary Voting. System Guidelines (VVSG). As such, this task/outcome is ongoing and proceeding according to the timeline given in the accepted proposal.  

The culmination of these four detailed tasks/outcomes, to be completed in the project’s first (outcomes 1 & 2) and second (outcomes 3 & 4), leads towards achieving project goals 1 and 2. 

How does the current goal factor into the long-term goal of the project?

The long-term goal/vision of the project, as detailed in the accepted proposal, is to “model the relative risks of adversaries and trusted insiders exploiting threat scenarios in developed attack trees, using critical infrastructure precinct count optical scanner (PCOS), in-person voting machines as a case study”. Project goal 1 analyzes the existing, 2009 Elections Assistance Commission’s threat tree for the PCOS voting system, the critical national infrastructure system selected as a case study for this project, and develops a comprehensive, updated threat tree (and other security analysis artifacts) reflecting new threats and the adaptive adversaries to be able to develop threat scenarios and mitigation strategies, project goals 2 and 3. 

Accomplishments

Address whether project milestones were met. If milestones were not met, explain why, and what are the next steps.

The project tasks/outcomes 1-4, as described in the prior sections, remain the targeted milestones for project years 1 and, as defined in the accepted proposal. Each of these tasks/outcomes are ongoing and proceeding according to the timeline given in the accepted proposal. Given this is the fourth quarterly report culminating the first year, over a 3-year project, we are completing the milestones set for year 1 and have started working towards the milestones of year 2. Further, because Towson University is primarily an undergraduate university, a significant time during late summer and early fall was spent hiring and getting the seven new students of the project team familiar with election security, threat analysis, etc. Thus, the planned next steps are to follow the original project timeline, described in prior sections, and continue working towards completing tasks/outcomes 1-4.  

What is the contribution to foundational cybersecurity research? Was there something discovered or confirmed?

This project is completing its first year and, thus, has not made a significant contribution to foundational cybersecurity research literature. It is anticipated that upon the completion of project tasks/outcomes 1-4, contributing towards project goal 1, an updated, security threat tree analysis of the PCOS voting equipment will provide a contribution to election security research and the security assessment method used (i.e., incorporating a holistic, cyber, physical, and insider threat analysis and threat/mitigation cost assessment) will serve as a contribution to how critical infrastructure socio-technical systems could be assessed in the context of system security/integrity.

The first contribution to cybersecurity research, still in progress, may be the improved attack/threat tree tool (described previously and aligned with tasks/outcomes 2-4) that is currently being developed/modified from an existing, open-source fault tree tool. When completed, this tool contribution will be publicly available at our lab’s repository (see https://github.com/Empowering-Secure-Elections/). We anticipate this initial version to be available during year 1 of this project and will be reported on in future quarterly reports.   

Impact of research

Internal to the university (coursework/curriculum)

The following impacts of research reflect all those internal to Towson University made during the first year of this funded project. 

Thus far, the project has made some impact internal to Towson University. Project PI Scala was named as a Towson University Cyber Fellow to the newly established Center for Interdisciplinary & Innovative Cybersecurity. This has allowed the Empowering Secure Elections Research Lab, the project team for this project, to establish a permanent student and faculty research lab space within the center and provided significant computing equipment for the student research team. 

Secondly, although not directly related (and not funded) to activities proposed in the accepted proposal, this project has synergistically allowed the PIs to propose and develop a Security Assessment & Management Graduate Certificate (see https://www.towson.edu/cla/departments/interdisciplinary/grad/security-assessment-management-certificate/) in Fall 2023 and enrolled an initial student (Hao Nguyen, Graduate Student Researcher on this project team). 

Finally, this project has impacted 15 Towson University undergraduate and graduate students involved in this project pursuing degrees in Computer Science, Supply Chain Management, Business Administration, Accounting, etc. who, if not for involvement in this project, would not otherwise have gained experience in authentic cybersecurity assessment research or, more specifically, election security research. 

External to the university (transition to industry/government (local/federal); patents, start-ups, software, etc.)

As this project is just completing the first year, there have not been any research impacts external to the university to currently report. 

Any acknowledgements, awards, or references in media?

The following acknowledgements, awards, and/or references in media reflect all those occurring during the first year, and the very beginning of  the second year, of this funded project. 

While not directly related to the proposed, funded project, the Empowering Secure Election Research Lab and project team has been recognized in university media for ongoing, synergistic work in election security through an existing, ongoing partnership with Anne Arundel County, Maryland Board of Elections (see https://www.towson.edu/news/2024/voting-survey-anne-arundel-county.html) as well as on local, Baltimore new media (see https://www.wbaltv.com/article/election-survey-voting-process-anne-arundel-county-towson-university/46822355). Note, no NSA funding was/is used for this project.  

The synergistic work also appeared on page 2 on the special Education section of the April 14, 2024 Baltimore Sun. 

On October 11, 2024 Maryland Public Television’s State Circle program featured a story on the work done within the Empowering Secure Elections Research Lab, which can be found at https://video.mpt.tv/video/friday-october-11-2024-rrhlxm/. 

Publications and Presentations

Synergistic publications/presentations not directly related (or funded by) to the accepted project proposal during the current reporting quarter:

• N. M. Scala, J. Rajgopal and J. Dehlinger. “An Information-Theoretic Analysis of Security Behavior Intentions Amongst United States Poll Workers”. Accepted to Risk Analysis, 2024.
• V. Gregorio, N. M. Scala and J. Dehlinger. “Securing Democracy: Threat Mitigation for the Mail Voting Process”. ISE Magazine, August 2024.  
• H. Nguyen. “Cybersecurity and Insider Risk: Analyzing Security Behaviors and Proposing Mitigations”. To appear American Society for Engineering Management 2024 International Annual Conference and 45th Annual Meeting, November 2024. 
• J. Dehlinger and N. M. Scala. “From Misinformation to Trust: Safeguarding the 2024 U.S. Presidential Election”. In ORMS Today, August 2024.  https://pubsonline.informs.org/do/10.1287/orms.2024.03.03/full/