Potentially disruptive, and possibly violent, protests are likely in multiple U.S. cities amid the presidential election slated for today regardless of the outcome, according to WorldAware, a GardaWorld company. Due to the complexity of the electoral system and the consequences of the coronavirus disease (COVID-19) pandemic, it is highly likely that the winner of the election will not be legally recognized on election night and that major protests by activists supportive of both major parties will occur for an indeterminate period, with the possibility of clashes, arson, looting, and other violence, reaching unprecedented levels, says WorldAware.
Besides civil unrest and other physical security threats, the 2020 election also faces significant digital threats that could wreak havoc on U.S. election infrastructure and the legitimacy of the results.
Recently, for example, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory confirming that an Iranian advanced persistent threat (APT) actor targeting U.S. state websites, including election websites, was successful in obtaining voter registration data for at least one state. Analysis by CISA and the FBI indicates this actor scanned state websites, including state election websites, between September 20 and September 28, 2020, with the Acunetix vulnerability scanner. Additionally, CISA and the FBI observed this actor attempting to exploit websites to obtain copies of voter registration data between September 29 and October 17, 2020. This includes attempted exploitation of known vulnerabilities, directory traversal, Structured Query Language (SQL) injection, web shell uploads, and leveraging unique flaws in websites.
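As an added illustration, not part of the article or the CISA/FBI advisory, the following Python check runs the techniques the advisory names (scanner user agent, directory traversal, SQL injection, web shell upload) over constructed Apache-style access log lines and groups findings per source IP. The IPs, paths and timestamps are made up; the web shell rule is a heuristic, not a signature from the advisory.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format; IPs, paths and
# timestamps are invented for this example, not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Sep/2020:03:14:07 +0000] "GET /voter-lookup?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Acunetix)"
203.0.113.10 - - [21/Sep/2020:03:14:09 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; Acunetix)"
198.51.100.7 - - [30/Sep/2020:11:02:51 +0000] "GET /voter-lookup?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Sep/2020:11:03:12 +0000] "POST /uploads/profile.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.44 - - [30/Sep/2020:11:05:00 +0000] "GET /voter-lookup?id=42 HTTP/1.1" 200 4890 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
SQLI_RE = re.compile(r"'\s*(or|and)\b|\bunion\s+select\b|;\s*drop\b", re.I)
SCRIPT_EXT = (".php", ".jsp", ".asp", ".aspx")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the set of technique tags (from the advisory) this request matches."""
    tags = set()
    # URL-decode once so %2e%2e%2f and %27 are seen as ../ and ' respectively.
    path = unquote(entry["path"])
    if "acunetix" in entry["ua"].lower():
        tags.add("scanner")
    if "../" in path or "..\\" in path:
        tags.add("traversal")
    if SQLI_RE.search(path):
        tags.add("sqli")
    # Heuristic: a write method to an upload path that names a server-side script.
    if (entry["method"] in ("POST", "PUT") and "upload" in path.lower()
            and path.split("?")[0].lower().endswith(SCRIPT_EXT)):
        tags.add("webshell-upload")
    return tags

def scan_log(text):
    """Aggregate technique tags per source IP; IPs with no findings are omitted."""
    findings = defaultdict(set)
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            findings[entry["ip"]] |= classify(entry)
    return {ip: tags for ip, tags in findings.items() if tags}

if __name__ == "__main__":
    for ip, tags in scan_log(SAMPLE_LOG).items():
        print(ip, sorted(tags))
```

Running it flags the two constructed attacker IPs and leaves the ordinary lookup from 192.0.2.44 untouched; in practice the same per-IP grouping is what turns isolated hits into the "Indicators of Compromise" a monitoring team escalates.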
To get some perspective, we talked to cybersecurity professionals about the biggest cybersecurity threats to the election. Below are their responses:
Joseph Carson, chief security scientist and Advisory CISO at Thycotic, a Washington D.C. based provider of privileged access management (PAM) solutions: “At this stage in the election process, the only significant cyber risk is disinformation with the confidence on the actual result of the election. Hacking an election is not about influencing the outcome, it is about hacking democracy. It is always important to determine the ultimate motive and that is about dividing people to create distrust in both government and your fellow citizens. The right direction is to be honest with the citizens. Inform them on the overall security of the election, which voting methods are the most secure, and whether or not their vote counted. Right now, it is about regaining trust in democracy and confidence in voting.”
Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyberattackers: “The biggest cyber-risk to the election is digital disinformation, distributed by hostile actors whose ambitions exceed the scope of single administrations, with outcomes designed to destroy and diminish the essential social fabrics of trust, empathy, and dialogue that are required for free and open societies to function. This is not a new problem, nor a problem unique to the domain of cyber – just a problem whose impact is amplified by our hyper-connected, hyper-converged digital world.”
Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions: “Mobile phishing is the biggest threat leading up to Election Day. As the day draws closer, campaign staffers are on the clock and on the move 24/7. But in order to keep the momentum going, they’re relying heavily on their smartphones and tablets. Campaign workers communicate directly with reporters and coordinate with other staffers over messaging apps and SMS. They also need to run their candidates’ social media accounts. SMS, social media, and third-party messaging platforms are three of the most popular platforms threat actors use to socially engineer targets into falling for phishing attempts. It’s gone so far as the DNC warning campaign workers against social engineering through dating apps in a statement issued earlier this year.
"Fatigue is also an important factor to consider. It’s already hard enough to spot a well-crafted phishing page on smartphones and tablets with smaller screens and simplified UI. Working long days means employees aren’t as alert and could overlook a red flag that indicates a phishing attack. The good thing is that campaign cybersecurity is widely reported on and acknowledged as a threat to our democratic system. This is leading to candidates actively recruiting cybersecurity teams. The more people hear about cyber threats, the more likely they are to exercise caution and think twice about a suspicious text or WhatsApp message. This also draws attention to the fact that cybercriminals are more active around times of social change. People are gaining a better understanding of how threat actors leverage these situations to their advantage, which will in turn make them more careful and reduce the success rates of mobile attacks. We’ve also seen the emergence of organizations like Defending Digital Campaigns, a non-profit with the goal of ensuring that campaigns are secure, offer free or low-cost security solutions and training to campaigns.”
Mike Kiser, SailPoint: "As the wave of technology breaks into both voting systems and campaigning, cybersecurity is guarding more than just data—it is defending the truth in elections. The privacy of our data and voter data is instrumental in ensuring the system is viewed as fair and safe to encourage democracy among U.S. citizens. The most recent example of this was the threatening email messages sent to Democratic party-affiliated voters in Florida, recently attributed by the U.S. Government to action by Iran. Many voter databases are publicly available on a state-by-state basis. Keeping as much information private as possible about voters ensures that they are adequately protected from malicious actors who might seek to target or exploit them to sow seeds of mistrust in the process or to confuse them about how and when to cast their vote.
"A report from last September found that 85% of the primaries' top candidates were susceptible to phishing attacks. These attacks are ongoing; Google announced recent phishing attacks on Presidential campaigns by similar nation-state groups from China and Iran. As recently as October 28th, a mere six days before the election, President Trump's website was defaced by hackers. While these are the headline grabbing stats about candidates and their campaigns, the fact that they are under attack means that the voter registration data that they have collected is in the same line-of-fire. How many times has a “get out the vote” worker texted, emailed, or otherwise tried to contact you in the last month? That should give an idea as to how much data each political group has on you and what the overall risk is."
"By hacking a campaign and distributing internal strategy or by fostering doubt about the security of the voting systems in use, hackers seek to engender the idea that the election is unfair—that it is rigged rather than being free and accurate. In short, hackers seek to make individuals question the truth of elections. Without election security, individuals are driven to question the veracity of elections and the validity of the governments they bring to power. Cybersecurity is essential in protecting elections because malicious actors' goal is to undermine the credibility of the process. They seek to devalue the system; they strive to weaken the trust fabric that citizens have in elections."
Matthew Gardiner, Mimecast: "Voter registration data is obviously particularly critical leading up to and during an election cycle. This data is what helps officials determine who is a legitimate voter and whether they have voted or not. Different sorts of cybercriminals have different motivations. While most cybercriminals are money oriented, when it comes to election-related data and systems, it is logical to expect the interest from adversarial nation-states as well. Voter registration databases can have many malicious uses. The information itself, if stolen, can be used to confuse or suppress likely voters via phishing, social media or other techniques. The malicious encryption of voter registration databases via ransomware can make the systems or the data unusable, thus disrupting the voting precincts that depend on that information. This, of course, could suppress voting and could create doubt in the results, which would benefit the adversarial nation-state actor. And of course, money-oriented cybercriminals love to take control of time-sensitive systems or data, as this dramatically increases the likelihood of them getting paid.
"A straightforward approach would be to encrypt all voter data when it is at rest or in transit. This way, if it falls into the wrong hands, it is essentially useless. There are many security techniques that should be used to protect against ransomware and protect really any other sorts of data and systems. But, in addition to security controls, having independent backups that can be quickly recovered is a great way to make sure the election process is not disrupted if ransomware, or really any other form of technical disruption occurs."
Alan Brill, Senior Managing Director, Cyber-Risk Practice at Kroll, a Division of Duff & Phelps: "There’s little doubt that foreign and nation-state actors have been trying to hack the election, according to government cybersecurity reports and information provided by law enforcement and intelligence organizations. The activity over the past couple of years, while more funding would have certainly helped, has had government agencies focus on the importance of defending election systems. Because there are multiple systems in place in many localities ranging from printed backup registration files at polling places to the availability of alternative affidavit ballots should machines fail (and some will for mechanical or electronic problems) and even having extra scanners available, the chance of significant and widespread interference with the voting process through a cyberattack is limited. Particularly since about 100,000,000 voters have already voted through absentee voting or early in-person voting, the number of voters who could be affected at any particular place is more limited than in previous campaigns. However, cyberattacks using social media to affect behavior can be significant. So-called “unofficial poll watchers” or others at polling sites can interfere with the voting process or intimidate voters, as could deliberate damage to voting or tabulating equipment. The same is true for tabulation centers where mail-in or hand-delivered ballots are processed; they have to maintain their physical security to prevent unauthorized access or damage to both ballots and processing equipment.
"My assumption is that putting out false and misleading information on social media is going to be the concentration of nation-states. It is a proven technique that has been successful in the past, and is one they have focused on and on which they’ve improved their capabilities."
Brill explains that election officials should implement the following privacy techniques that can protect voter data in the event of an attack or breach: "There are several dimensions of the problem that are unique to the problem of protecting voter data. First, and probably foremost is that under various state laws, quite detailed voter information is available for free or paid access. In many cases, the laws require that the state supply voter data – which will generally provide a name, address, phone number, party enrollment and perhaps other data (like whether a voter actually voted in prior elections) – on a paid basis. So using a front company, adversaries can simply buy the voter data. There are also companies that buy the data and which then make it available to others in various formats and often online. Adversaries can also either pay for access through an intermediary or can target these commercial sources of the data that they are looking for. Additionally, the major political parties have organizations that provide them with access to voter data for use in various state and local campaigns.
"What this means is that data that people certainly think of as being private really isn’t treated that way by election authorities. After all, the people who send you all of the candidate ads through the mail have to get the addresses from somewhere! Data on how anyone voted, however, is not made available. Virtually all votes are, at some level, tabulated on computers, whether they are directly entered on touch-screen voting machines or scanned from paper ballots. But those systems are probably less connected to the Internet than previously, precisely because it’s become apparent that the major source of risk involves Internet connections. So to look at the problem facing an election authority, they have to start by making voter data available to whoever is entitled to access or buy it in compliance with all applicable laws and regulations. Beyond that, there are likely elements of voter data – like digital images of voter signatures that are used to verify voter identities – that are not subject to public review or to being sold that have to be protected.
"What we’ve seen recently is that to the extent that an election authority is connected to a municipality or state’s computer network it may be at risk for ransomware attacks. These are usually thought of as attacks in which an attacker encrypts files and demands a ransom to provide a decryption key. But in many recent cases, we’ve seen that prior to carrying out the encryption, the threat actors steal data, and then use the encryption to cover up the theft. So where an election authority is victimized by ransomware, a forensic examination is required to determine whether data was stolen as part of the attack. Even where an attack isn’t directed at the election authority, it may be encrypted because it was attached to the network in a way that made election-related data vulnerable.
"There are absolutely things that an election authority (or the vendors that provide computer services to those authorities) can do to mitigate the risks. There are basic things that every network administrator should be doing. For example, there needs to be a focus on keeping systems updated with the latest security patches provided by software vendors. Unpatched systems are one of the top targets of cybercriminals and state-sponsored attacks. There should also be effective controls over who can access data and over what data they can access. There is more need than ever to provide training and reminders to every employee to be careful not to click on suspicious links in email, because doing so can open a system to a potentially devastating intrusion.
"Additionally, given the concern about ransomware, to protect their data, they should have reliable backup that is not accessible through the system, and would thus be unlikely to be affected by a ransomware attack. Equally important is for the election authority to recognize that it is vital to have monitoring in place in the network to enable cybersecurity professionals to recognize that something bad may be happening so that they can take immediate action to blunt the attack. It’s very difficult to defend against an attack that you can’t see when it is happening, and attackers hope you’re not watching your network closely. That gives them time to explore the network to both find additional connections to increase the damage that can be done, and to identify data that would be particularly problematic if it became encrypted. That’s why we’re seeing the growth in attacks against hospitals. With the move to electronic medical records, the level of dependence on digital medical files has grown tremendously, and the bad guys know that motivates quick payment of ransoms, even if the ransom demanded is huge.
"Another issue facing many government agencies, including election authorities, is that qualified cybersecurity experts are in short supply, and that governments are competing with the private sector for these resources. This has led to frequent outsourcing of network monitoring to third parties who can provide those resources, and which have substantial experience in rapidly recognizing what are called “Indicators of Compromise” and reacting quickly to mitigate damage."