Majority of Election Websites in Battleground States Failing in Cybersecurity

A large majority of election-related websites operated by local governments in battleground states lack a key feature that would help them be more cybersecure -- a site that ends in .gov as opposed to .com or other extensions.

Research by McAfee found that as many as 83.3 percent of county websites lacked .GOV validation across these states, and 88.9 percent and 90 percent of websites lacked such certification in Iowa and New Hampshire respectively. Such shortcomings could make it possible for malicious actors to establish false government websites and use them to spread false election information that could influence voter behavior and even impact final election results.

“Without a governing body validating whether websites truly belong to the government entities they claim, it’s possible to spoof legitimate government sites with fraudulent ones,” said Steve Grobman, McAfee Senior Vice President and Chief Technology Officer. “An adversary can use fake election websites for misinformation and voter suppression by targeting specific voters in swing states with misleading information on candidates, or inaccurate information on the voting process such as poll location and times. In this way, this malicious actor could impact election results without ever physically or digitally interacting with voting machines or systems.”

Government entities purchasing .GOV web domains have submitted evidence to the U.S. government that they truly are the legitimate local, county, or state governments they claimed to be, McAfee says. Websites using .COM, .NET, .ORG, and .US domain names can be purchased without such validation, meaning that there is no governing authority preventing malicious parties from using these names to set up and promote any number of fraudulent web domains mimicking legitimate county government domains.

The HTTPS encryption measure assures citizens that any voter registration information shared with the site is encrypted, and that they can give greater confidence in the entity with which they are sharing that information. Websites lacking .GOV and encryption cannot assure voters seeking election information that they are visiting legitimate county and county election websites, leaving malicious actors an opening to set up disinformation schemes.

January 2020 Survey Findings

McAfee’s January 2020 survey researched states projected by U.S. election prognosticators to be pivotal in determining the victor in the 2020 Presidential Elections. States surveyed include Arizona, Florida, Georgia, Iowa, Michigan, Minnesota, Nevada, New Hampshire, North Carolina, Ohio, Pennsylvania, Texas, and Wisconsin. Together, these states account for 201 of the 270 electoral votes required to win the U.S. presidential election.

State counties lacking .GOV validation. Of the 1,117 counties in the survey group, 83.3 percent of their websites lack .GOV validation. Minnesota ranked the lowest among the surveyed states in terms of .GOV website validation with 95.4 percent of counties lacking U.S. government certification. Other states severely lacking in .GOV coverage included Texas (94.9 percent), New Hampshire (90 percent), Michigan (89.2 percent), Iowa (88.9 percent), Nevada (87.5 percent), and Pennsylvania (83.6 percent).

Arizona had the highest percentage of main county websites validated by .GOV with 66.7 percent coverage, but even this percentage suggests that a third of the Grand Canyon State’s county websites are unvalidated and that hundreds of thousands of voters could still be subjected to disinformation schemes.

State counties lacking HTTPS protection. McAfee’s survey found that 46.6 percent of county websites lack HTTPS encryption. Texas ranked the lowest in terms of encryption, with 77.2 percent of its county websites failing to protect citizens visiting these web properties. Other states with counties lacking in encryption included Pennsylvania (46.3 percent), Minnesota (42.5 percent), and Georgia (38.4 percent).

Assessment of Iowa and New Hampshire. In Iowa, 88.9 percent of county websites lack .GOV validation, and as many as 29.3 percent lack HTTPS encryption. Ninety percent of New Hampshire’s county websites lack .GOV validation, and as many as 30 percent of the state’s counties lack encryption.

Inconsistent naming standards. McAfee’s research found that some states attempted to establish standard naming standards, such as www.co.[county name].[two-letter state abbreviation].us. Unfortunately, McAfee says, these formats were followed so inconsistently that a voter seeking election information from her county website cannot be confident that a web domain following such a standard is indeed a legitimate site.

Easy-to-remember naming formats. McAfee found 103 cases in which counties set up easy-to-remember, user-friendly domain names to make their election information easier to remember and access for the broadest possible audience of citizens. Examples include www.votedenton.com, www.votestanlycounty.com, www.carrollcountyohioelections.gov, www.voteseminole.org, and www.worthelections.com. According to McAfee, while 93 of these counties (90.2 percent) protected voters visiting these sites with encryption, only two validated these special domains and websites with .GOV. This suggests that malicious parties could easily set up numerous websites with similarly named domains to spoof these legitimate sites.

Strategies for transitioning to .GOV. While only 19.3 percent of Ohio’s 88 county main websites have .GOV validation, the state leads McAfee’s survey with 75 percent of county election websites and webpages validated by .GOV certification. This leadership position appears to be the result of a state-led initiative to transition county election-related content to .GOV validated web properties. A majority of counties have subsequently transitioned their main county websites to .GOV domains, their election-specific websites to .GOV domains, or their election-specific webpages to Ohio’s own .GOV-validated https://ohio.gov/ domain (i.e. https://www.boe.ohio.gov/vanwert/).

Such a .GOV transition strategy constitutes an interim solution until more comprehensive efforts are made at the state and federal government level through initiatives such as The DOTGOV Act of 2020, McAfee says. This legislation would require the Department of Homeland Security (DHS) to support .GOV adoption for local governments with technical guidance and financial support.

“Ohio has made a commendable effort to lead in driving election websites to .GOV, either directly or by using the state run ohio.gov domain,” said Grobman. “While main county websites still largely lack .GOV validation, Ohio does provide a mechanism for voters to quickly assess if the main election website is real or potentially fake. Other states should consider such interim strategies until all county and local websites with election functions can be fully transitioned to .GOV.”

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.