Researchers with Area 1 Security have published findings in “Phishing Election Administrators” assessing the depth of email security controls used by more than 10,000 U.S. state and local election administrators. Among key findings: The majority of state and local election administrators have only rudimentary or non-standard technologies to protect themselves from phishing; less than 3 out of 10 have basic controls to prevent phishing, and fewer than 2 out of 10 have implemented advanced anti-phishing cybersecurity controls.
With the stakes so high in the 2020 Election season, it is not a matter of \”If\” the election system will be attacked, but how often and by how many adversaries. The US can expect to see interference by activists, criminals, and rival state actors, each trying to forward their own agenda.
The report by Area 1 on the number of local election officials using substandard email defenses should be shocking. Unfortunately, given the lack of investment in IT infrastructure and basic IT security in many areas, it\’s a sad reality.
User education can help here, but election officials at all levels should be following best practices across the board and using industry-standard email systems that include basic defenses against attack at the very least.
Election officials in every state need to remain vigilant and spend their limited resources wisely to protect each step of the voting process, from registration to voting, to counting and publication. This includes the email systems they use, which this report shows may be vulnerable, to security within their production environments.
It is hard for under-funded counties to run their own email server and services – I recommend they not use a bespoke infrastructure because it requires administrators to be on point, 100 percent of the times, 365 days a year. Most counties don’t have that level of staffing budget. We’ve seen the same thing with nonprofits as with public sectors – they want to use their own infrastructure but they just don’t have the funds or the tools to be sure they’re on top of everything.
Larger services such as Microsoft Office and Google G Suite are better alternatives, that let counties focus their attention and budget on the larger issues at hand. G Suite filters emails that have been identified as malicious or spam, which is certainly needed and most larger email services let organizations invoke warnings that prominently flag when an email is from an outside address. Organizations can have a great set of tools, but if the recipients aren’t checking who their senders are, those tools can easily be rendered useless.
County election boards and agencies can have all the tools in the world to help prevent phishing, but the human element is the pivotal factor, and this report didn’t address training and the role of the human element. Everyone involved needs to be trained: Don’t trust outside sources, and question everything.
Additionally, anyone working on an election absolutely must not use their personal email address for anything related to their official capacity. If anyone does, that needs to be flagged and quickly stopped.
We’ve seen the same thing with nonprofits as with public sectors – they want to use their own infrastructure but they don’t have the funds or the tools to be sure they’re on top of everything. Also, counties often don’t update their software and even if they have good infrastructure, other county organizations (school districts, etc.) provide conduits in. Who’s \”Public perception matters a lot – all it takes is for someone to question the legitimacy of results for conspiracy theories on election rigging to steamroll, esp. in this environment where politicians are claiming mail-in voting makes us more susceptible to fraud, and passions are running high. This election matters so much to so many, in the middle of a surreal pandemic, and in the wake of foreign players’ involvement – it’s potentially a political petri dish for conjecture and unrest. As security professionals, we must ensure that the election is safe and understood to be trustworthy. That means that election employees – from those running the voting machines to those at the top – must protect the trust that the public holds that the election is safe and valid.