Election security is about cybersecurity
In 2020, securing elections is chiefly a matter of cybersecurity. Since I founded Data Connectors in 1999, we have been fueling the collaboration of government agencies with cybersecurity professionals and solution providers. As a voter, I set out to see what they know that could help us understand more about the security of our electoral process.
“There are three ways to hack an election,” said EJ Hilbert, a former FBI Agent turned CISO-for-hire:
- The machines – hack the tech
- The candidates – steal and publicize their secrets
- The people – manipulate the data to stoke their fears
His thoughts provide a useful paradigm for categorizing cyberthreats around elections. Looking back from the infamous DNC hack of 2016 until now, these have all been in play.
The Machines
Responding to reports of the CIA’s analysis, the US Senate Committee on Armed Services stated: “For years, foreign adversaries have directed cyberattacks at America’s physical, economic, and military infrastructure, while stealing our intellectual property.” As early as July 2018, at least eight states, including some of the tightest battleground states, were under assault from various types of malware: adware, trojans, backdoor attacks, and ransomware.
Think paper ballots are safe from cyber-meddling? Think again. Multiple “attack vectors” used against optically scanned ballots, direct electronic recorded ballots. This is in addition to e-polling and signature registration systems. A successful attack on voter registration systems could allow millions of illegal votes to be cast.
Part of the challenge of securing a general election in the United States is the decentralized election infrastructure, which The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Agency [CISA] defines as an “assembly of systems and networks” ranging from voter registration databases and associated IT systems, to storage facilities for election and voting system infrastructure and polling places to include early voting locations.
The Candidates
Bad actors, Nation States as well as political rivals, can infiltrate the IT systems managing the individual campaigns to steal strategies or to send out false campaign missives. Ransomware transmitted via phishing attack could shut down candidate’s and election official’s websites or hijack them to change critical information. They could also irreversibly encrypt databases or simply delete them.
Election officials have been actively seeking to identify and minimize threats. “All federal intelligence agencies acknowledge that nation-states will attempt to influence our general election,” said Lester Godsey, Chief Information Security Officer for Maricopa County, the fourth most-populous county in the U.S. with nearly 4.5 million people. “We are also preparing for attempts by national and localized groups and individuals using a variety of Tactics, Techniques, and Procedures, including but not limited to social media.”
In these attacks, threat actors target less-than-savvy users of common applications like email and collaboration tools. The attackers leverage tried-and-true vectors like phishing, malware, and trojans on those targets.
The People
“Hacking the people is the most effective attack in terms of ease for the attackers, greatest impact and hardest to stop.” This is where stealing data goes beyond the normal financially-motivated targets—names, addresses, banking information. “These hackers look for likes, dislikes, fears and religious leanings that are said in private chats—not public spaces. They then use that data to tailor stories that entice those people to share with their friends and build a groundswell of fear and distrust. These are things like telling Muslims Trump will close mosques or telling Christians Biden will tax churches,” according to Hilbert.
Social media “bots” and stolen online identities can influence multitudes with a message having no basis. For hackers, expert in data exfiltration, this presents a challenge with which they are accustomed. But technical threats are only half the equation. A recent survey found that 55% of people in the U.S. lack confidence that the election will be conducted in a fair and equal way.
Summary
Securing election infrastructure from new and evolving threats is a vital national interest that requires a whole-of-society approach. We not only have to protect against active cybersecurity attacks leading up to the election, but against the perception that the voting process has been interfered with, and that each vote counts.
Even if system as a whole is not optimized to for today’s attacks, each state has its strengths and weaknesses to combat. Congress authorized $380 million in 2018, with another $425 million granted this year, in response to individual states’ requests. They will likely rely on CISA’s Cyber Resource Hub , comprehensive guide to securing an election. Tools, such as the malware-scanning Albert sensor, have been employed by a majority of states to test their cyber systems. DHS designated election systems as critical infrastructure in 2017; fueling an ensuing collaboration with the National Institute of Standards and Technology and the Election Assistance Commission.
I’m excited to work closely with those agencies and the professionals via our Summits, who make us safe from all kinds of attacks. From that interaction, I know that smart people are protecting our nation’s infrastructure. I’ll see you at the polls on (or before) November 3rd.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.