Election protection: How cyber criminals could steal your vote

How much should we worry about the security of the upcoming US presidential election? Could a cyber criminal or nation-state actor influence the result?

Well, there’s good news and there’s bad news for election cybersecurity.

The good news is that The Cybersecurity and Infrastructure Security Agency and the FBI, in a joint statement, said they “have not seen cyber-attacks this year on voter registration databases or on any systems involving voting.” This doesn’t necessarily mean that cyber criminals don’t already have data from earlier cyber-attacks.

Congress provided $425 million in funding earmarked for election security in December 2019. They followed that with an additional $400 million after the pandemic started. Most of that funding has supported security for election infrastructure, including the systems used to register voters, generate ballots, and record, certify, and audit results.

Protecting the vote relies on people … avoiding the traps set by cyber-criminals

A free and fair election relies on more than just the back-end infrastructure, however. Protecting the vote also relies on people following good cyber behavior and avoiding the traps set by criminals.

This brings me to the bad news.

Russian, Chinese, and Iranian nation-state cyber criminals are continuing to attack people and organizations associated with the election.

On September 10, Microsoft warned that the Russian military intelligence unit that attacked the Democratic National Committee in 2016 has been actively trying to hack hundreds of organizations, including national and state parties and consultants who work for Republicans and Democrats. Microsoft also uncovered that Chinese cyber criminals have launched cyber-attacks targeting Vice President Joe Biden’s campaign and at least one person formerly associated with President Donald Trump’s administration. Iranian cyber criminals tried to access accounts of the Trump administration officials and campaign staff.

As we approach Election Day, let’s look at various attack vectors for election interference and explore how we can improve election security.

Social engineering, phishing emails, and malware

Imagine an election official in a swing state gets an email with the subject: New safety protocols for in-person voting. It seems legitimate, so the official opens the email and downloads an attachment. At that moment, malware is downloaded onto her computer. Because she uses a similar password for the local account and the organization’s cloud access, the cyber criminal can now infiltrate the network looking for privilege escalation or search for sensitive data.

To reduce the risk of a malware attack, proper endpoint privilege management ensures that local admin rights are removed from workstations. While cyber criminals may find a way into a single computer via phishing or other social engineering tactics, they wouldn’t be able to leverage that user’s credentials to easily move around the network and do further damage.

Brute-force attacks on databases

Cybercriminals are exploiting weaknesses in public-facing systems, applications, and campaign databases that include personal and sensitive information. Databases are consistently missing security updates or critical patches to shore up known vulnerabilities. A brute-force attack, in which an attacker uses a password dictionary that contains millions of possible words and phrases, could crack a password and provide a cyber criminal with privileged access. In other cases, poor security practices such as exposing or sharing credentials give cyber criminals an easy way in.

Security training and Privileged Access Management solutions are critical to ensure credentials are effectively managed and sensitive information isn’t exposed.

Disinformation via social media

With the help of automated bots, foreign adversaries and other interest groups could attempt to influence US elections using social media or well-crafted ads.  These posts try to reduce trust in democracy and dissuade citizens from voting.

Big tech is attempting to build controls to block bots and maintain information flow by labeling misinformation. For example, Facebook has pledged to combat misinformation by blocking all new political advertisements on its platform in the week before Election Day. After the election, they plan to redirect users to accurate election results, so neither candidate can prematurely claim victory.

Creating strong passwords, for example by using passphrases and password management tools, can help you keep your organization’s social media account secure.

Impact of Covid-19 on election protection

While the good news is that lessons learned during the 2016 and 2018 elections have helped strengthen cybersecurity controls, the Covid-19 pandemic presents a new set of challenges for election protection.

More sensitive information is flowing through election-related systems

Voters are now registering to vote, requesting absentee ballots, and renewing driver’s licenses remotely. More sensitive information is flowing through election office email systems, online voter registration databases, and ballot request forms. The risks and impact of a security breach on those systems have never been higher.

Every person involved in election operations—security and IT teams, campaign officials, and voters themselves—play a role in ensuring a free and fair election.