By Giovanni Vigna
In January 2017, the U.S. Department of Homeland Security (DHS) classified electoral systems as “critical infrastructure.” Then-DHS head Jeh Johnson promised the designation wouldn’t mean “a federal takeover, regulation, oversight or intrusion concerning elections in this country.” He said it would instead make electoral systems’ digital security a priority for the Department.
Now more than a year and a half after the DHS made its announcement, it’s clear that security weaknesses continue to plague the United States’ electoral infrastructure. This state of vulnerability became apparent at DEF CON 26 when security researchers uncovered a variety of security flaws in election-related infrastructure. For instance, one security researcher obtained full admin access to an Accuvote TSX voting machine after getting inside the device. Attendees to the security conference also found they could execute any file at the highest privilege level on an ES&S m650 if they named the file “update” and executed it from an inserted zip drive.
Granted, some of the exploits uncovered at DEF CON 26 involved security researchers first obtaining physical access to the target devices. But the attacks nonetheless demonstrated that polling machines and other election-related computer equipment are vulnerable to attacks. Those results beg the question: what does the infosec industry itself feel about malicious hacking attempts during the midterm elections?
To answer that question, Lastline surveyed 235 security professionals who attended Black Hat USA 2018 in Las Vegas, Nevada in August of this year. Their responses provide insight into the digital threats that U.S. political organizations and election campaigns may face during the 2018 election cycle.
On the one hand, security professionals affirmed that digital attackers won’t ignore this year’s elections. More than four-fifths (84.3 percent) of respondents said that there will be malicious hacking during the upcoming midterm elections. This concern stems from the belief that the United States has not done enough to protect itself against election-related security incidents. In fact, just 40 percent of security professionals said election security is better in 2018 than it was at the time the DHS classified electoral systems as critical infrastructure. Forty-three percent of respondents confessed they haven’t seen any improvement in that span of time.
On the other hand, information security personnel said they aren’t sure where these malicious hacking incidents will become known. Forty-seven percent of respondents predicted digital attackers will target state elections with the intention of influencing one or more state-level races. Just a few more Black Hat attendees (53 percent) felt that bad actors would go after organizations at the national level. At the same time, a third of security professionals said malefactors might use malicious hacking to spread propaganda but not to sway the outcome of an election, while 11 percent flat-out stated they were unsure what malicious hacking of the midterm elections would look like.
Confusion over where malicious hacking might take place in the 2018 midterm elections isn’t unfounded. By now, most everyone has heard of the sophisticated hacking offenses during the 2016 U.S. presidential election that led a grand jury to indict 12 Russian Intelligence Officers. Besides those wrongdoings, however, there have been documented malicious hacking incidents at all electoral levels, including:
- A National Security Agency (NSA) document provided to The Intercept revealed that Russian actors targeted at least one U.S. voting software supplier and sent spear-phishing emails to over 100 local elections officials just days before the 2016 presidential election.
- At the state level, there’s evidence that bad actors targeted candidates running for the U.S. Senate and the U.S. House of Republications in Missouri and California using spear-phishing and brute force attacks. These security incidents occurred in the Spring and early Summer of 2018.
- In May of this year, digital attackers leveraged a distributed denial-of-service (DDoS) attack to tie up space on a server hosting the Knox County’s election commission website. This campaign didn’t affect the election results; it contributed to what Knox News described as an “energetic and unpredictable night.” Several days later, election officials discovered that nefarious individuals had in fact used the DDoS attack to distract from another incident in which bad actors gained access to a county server and examined publicly available information like court dockets.
Political organizations and campaigns need to find a way to protect against these and other kinds of malicious hacking. As noted by The Washington Post, 100 election security experts feel the greatest difference would come from Congress approving time-sensitive matching funds to states in order to upgrade their voting technologies. This is easier said than done when federal dollars are involved, however. In July 2018, the U.S. House of Representatives failed to approve the appropriation of such funds to the Election Assistance Commission, a federal agency whose mission is to protect and secure U.S. elections. Just a few weeks later, the U.S. Senate voted against $250 million for state election security in the 2018-19 fiscal year.
Some legislation could help soften the blow of this lack of election security funding. For example, H.R.6188 could (if passed) empower the Department of Homeland Security to create bug bounty programs for the purpose of protecting electoral systems’ digital security. Absent those measures, it’s up to political organizations and campaigns to protect themselves.
Kenneth Geers, senior fellow at the Atlantic Council’s Cyber Statecraft Initiative, told Vox that a key element of this effort is IT decision-makers’ ability to recognize the “human” nature of many digital attacks that originate from Russia and other threat actors around the world:
This was at the root of our failure to see what the Russians were up to in our 2016 election. In fact, the Russians have argued for years that the West has been focused too narrowly on the technical aspects of computer security, and that we have not given enough attention to information security — so you can’t say they didn’t warn us.
To protect against election-themed phishing attacks, organizations need a solution that pairs with automated phishing response software and leverages in-depth behavioral observation for analyzing suspicious email payloads. Learn how Lastline Email Defender can do just that.