The term "Kill Chain Methodology" or "Cyber Kill Chain" is widely used in cybersecurity to describe the successive stages of a cyberattack. The term was originally coined by the military to define the steps an attacker takes to reach an intended target (Spitzner, 2019). In 2011, Lockheed Martin published an influential paper applying the kill chain to cyber intrusions (Hutchins, Cloppert & Amin, 2011). That paper argues that defenders need to understand each step an adversary takes so that attacks can be disrupted or stopped in their tracks. In a nutshell, from an attacker's perspective, a kill chain is a series of progressive steps used to gain unauthorized access to a network or network device. Consequently, from a defender's perspective, every stage of that process is an opportunity to prevent the intrusion.
So, what kinds of systems, networks or devices can attackers exploit with this methodology? The answer is simple: as far as your imagination is willing to take you. A recent documentary, "Kill Chain", predicts that even the 2020 U.S. elections are at risk of falling prey to it.
How can voting processes be targeted?
Here are several ways that cyber attackers can carry out kill chain attacks against the voting process:
- Use baiting to install a malicious ballot program: An attacker could use baiting techniques, or replace legitimate devices with their own infected devices (Green, 2019).
- Infect an election official's device: An attacker can use phishing to infect an election official's device, gain remote access and tamper with the election ballot program.
- Create fake election management systems: Election jurisdictions, both large and small, routinely hire small, privately owned businesses to provide their election management system technology (Green, 2019). Budgetary constraints typically drive the choice of a small business, and the same constraints often limit the jurisdiction's ability to perform due diligence, such as obtaining positive industry references. So, more often than not, these jurisdictions are unable to verify that a service or software provider is not itself a malicious actor, or at a minimum has not been breached. This scenario is a formidable kill chain tactic: it lets attackers fool election jurisdictions into thinking they are buying a legitimate service.
- Send phishing emails to voters: Absentee and vote-by-mail (VBM) deadlines are always posted on election jurisdiction websites. Immediately after a VBM deadline has passed, attackers could break into the voter registration system and email voters, predicting long queues or announcing changes to their voting center or voting center closures (Green, 2019). This could discourage people from going out to vote.
Can voting machines be hacked?
There are two types of voting machines used in the U.S.: optical-scan voting machines and direct recording electronic (DRE) machines. The former reads paper ballots, while a DRE records votes electronically. Some of these machines provide a paper trail, and some do not. The good news is that at least 22 states have chosen to use paper ballots for security reasons (Córdova, McCadney, Howard & Norden, 2019). The rest of the states, however, use some form of optical-scan or DRE machine. The issue with these machines is that most of them are over a decade old. Designed in a period when cyberattacks were not so rampant, they run outdated software, and even their software vendors, such as Microsoft, no longer issue updates for it. This leaves them exposed to known security vulnerabilities.
Ways in which malicious actors can exploit voting machines:
- Physically tamper with the device's hardware: This attack is unlikely, as it is difficult to tamper with a machine physically without being noticed. However, at hacking events such as DEFCON, voting machines have been compromised in simulated attacks (Vicens, 2019). These machines can also be purchased on eBay, which gives attackers the freedom to study their underlying architecture.
- Design multiple-use election cards for DRE machines: Normally, one election card is used per voter, but attackers can create fake cards and reuse them without limit if given the chance.
- Remotely access the machines: Most voting machines are not connected to the internet. However, some are internet accessible, making them susceptible to attackers who can insert malicious code through remote access (Green, 2019).
- Connect to the same Wi-Fi network: Since most voting machines have no firewall or other technical security controls to block unauthorized remote access, an attacker sitting in the same room can connect to the public Wi-Fi and run a targeted attack to take over the device.
How can cybersecurity help election jurisdictions limit their risk of exposure?
As the U.S. moves toward digitizing and modernizing its aging election infrastructure, there is a growing need for a fundamentally new approach to cybersecurity (Brewster, 2019).
Election jurisdictions are increasingly adopting new technologies as part of a voter-centered approach to elections, one that puts voters at the center and maximizes stakeholder participation. Technologies featured in voter-centered environments include wireless, tablet-based electronic poll books and QR-code-based ballot-marking devices (Brewster, 2019). While these innovations improve the voter experience and increase participation in the democratic process, digitally enabled networks and cloud-supported architectures introduce new and unique challenges, particularly in cybersecurity.
Election jurisdictions should seek the expertise and advice of a cybersecurity and advisory consulting firm (CACF) to evaluate the staff, technology, processes, and policies involved in the election process at the county level (Anderson, 2019). A CACF can help local election jurisdictions identify and remediate security vulnerabilities in the nine major election infrastructure components required for a secure, accurate, fair, and accessible election. Assessment results would include feedback and insights that point out where counties need to fine-tune and enhance current security measures.
The nine major election infrastructure components include:
- Voter registration and database systems
- Electronic pollbook/onsite voter registration systems
- Vote capture devices
- Vote tally systems (Goldstein, 2019)
- Election night reporting systems
- Election officials’ communication mediums
- State and other county systems that process elections data
- Traditional and social media communication applications used for situational reporting
- Vendor election equipment/service architectures
Key benefits of assessing these components include reinforcing a local election jurisdiction's ability to:
- Understand its current state of readiness and its ability to react to and recover from security events
- Receive prioritized recommendations on the controls and measures needed to reduce its attack surface
- Pinpoint crucial security issues and target them for prompt remediation
Can the 2020 election be hacked? Yes, the U.S. 2020 elections can be compromised due to a lack of funding or legislation, but by the same token, this is also preventable.
A prototypical election cybersecurity program should incorporate the following precepts:
- Empower an elections jurisdiction to identify and update obsolete operating systems on election business systems.
- Employ feasible cybersecurity controls and defensive measures based on the Center for Internet Security (CIS) controls and the National Institute of Standards and Technology (NIST) security framework.
- Utilize electronic ballot marking devices instead of DREs.
- Exclusively use paper ballots (Karan Gambhir & Karsten, 2019).
- Routinely conduct elections cyber-maturity assessments.
The lack of up-to-date software inventories, essential security controls, and other suitable defenses against known attack vectors makes up an election jurisdiction's attack surface. Hence, implementing a comprehensive election cybersecurity program that combines technical security controls with administrative and physical defensive measures can reduce that attack surface.
Measurable reductions in a jurisdiction's attack surface track its ability to mitigate vulnerabilities ahead of time, before an adversary (e.g., a hostile nation-state, hacking group, or malicious insider) can attempt to gain access to its crown-jewel systems and disrupt an election. An election jurisdiction's ability to substantially reduce its attack surface over time is therefore a direct measure of its security posture. The stronger and more resilient that posture, the lower the risk of adopting a voter-centered approach.
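The program precepts above (identify obsolete operating systems, apply baseline controls, assess maturity routinely) and the definition of the attack surface as missing inventories and controls can be turned into a repeatable check. The following is an added example, not code from the article or from any vendor or consulting firm it cites: it audits a constructed system inventory, flags operating systems past end of support and systems missing baseline controls, and ranks them so the most exposed systems are remediated first. The end-of-support dates, control names, roles and inventory entries are illustrative assumptions; confirm lifecycle dates against the vendor before relying on them.

```python
"""Election-system inventory audit (added example; all data is constructed)."""
from dataclasses import dataclass
from datetime import date

# Assumed end-of-support dates; confirm against the vendor's lifecycle page.
EOL_DATES = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
    "Ubuntu 18.04": date(2023, 5, 31),
}

# Baseline technical controls expected on every election business system
# (assumed names, in the spirit of the CIS controls the article cites).
BASELINE_CONTROLS = frozenset({"host_firewall", "patch_management", "mfa", "av_edr"})


@dataclass
class System:
    name: str
    role: str                 # which of the nine components it belongs to
    os: str
    internet_exposed: bool    # reachable from outside the jurisdiction network
    controls: frozenset = frozenset()


def eol_date(system: System, today: date):
    """Return the OS end-of-support date if it has already passed, else None."""
    eol = EOL_DATES.get(system.os)
    return eol if eol is not None and eol <= today else None


def missing_controls(system: System):
    """Baseline controls the system lacks, sorted for stable output."""
    return sorted(BASELINE_CONTROLS - system.controls)


def risk_score(system: System, today: date) -> int:
    """Additive score: an EOL OS weighs most, an OS not in the knowledge base
    cannot be assessed and is penalized, each missing control adds one, and
    internet exposure doubles the total."""
    score = 0
    if eol_date(system, today):
        score += 5
    elif system.os not in EOL_DATES:
        score += 2
    score += len(missing_controls(system))
    if system.internet_exposed:
        score *= 2
    return score


def audit(inventory, today: date):
    """Rank systems by score, highest first, with the reasons attached."""
    findings = [{
        "name": s.name,
        "role": s.role,
        "eol": eol_date(s, today),
        "missing_controls": missing_controls(s),
        "score": risk_score(s, today),
    } for s in inventory]
    # sorted() is stable, so systems with equal scores keep inventory order
    return sorted(findings, key=lambda f: f["score"], reverse=True)


# Constructed inventory for illustration (not a real jurisdiction).
INVENTORY = [
    System("reg-db-01", "voter_registration", "Windows Server 2008 R2", True,
           frozenset({"host_firewall"})),
    System("epb-tablet-07", "epollbook", "Android 9", False,
           frozenset({"mfa", "av_edr"})),
    System("tally-01", "vote_tally", "Windows 10", False,
           frozenset(BASELINE_CONTROLS)),
    System("enr-web-01", "election_night_reporting", "Ubuntu 18.04", True,
           frozenset({"host_firewall", "patch_management"})),
]
TODAY = date(2020, 9, 1)   # assumed assessment date

if __name__ == "__main__":
    for f in audit(INVENTORY, TODAY):
        status = f"EOL since {f['eol']}" if f["eol"] else "supported/unknown"
        print(f"{f['score']:>3}  {f['name']:<14} {status:<22} "
              f"missing: {', '.join(f['missing_controls']) or 'none'}")
```

With the constructed inventory, the internet-exposed voter registration server on an end-of-support OS ranks first, the fully controlled tally system scores zero, and the tablet whose OS is absent from the knowledge base is flagged rather than silently passed, which is the inventory gap the article describes. The weights are deliberately simple; a real assessment would map each missing control to the specific CIS or NIST item it corresponds to.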