
Election security: Cybersecurity concerns for future elections

November 26, 2019 by Howard Poston

The election security landscape

APTs like Cozy Bear have a history of interfering with major elections in the U.S. and other countries. With the 2020 election season rapidly approaching, the possibility of interference by cyberthreat actors is a serious concern.

As a democracy, the United States’ electoral process can be influenced in a number of different ways. One common area of concern is the election infrastructure, since voting machines in active use have known cybersecurity vulnerabilities. Additionally, many of these voting machines lack paper trails, making it easier for attacks to go undetected.


However, external threat actors can also influence the result of U.S. elections in other ways. Strategic ransomware attacks against voting machines or other election infrastructure could influence the results in certain “swing” states or districts. The use of bots on social media is another threat because it increases the scalability of influence operations, tweaking voters’ conceptions of the current political landscape and the platforms of various candidates.

Top cybersecurity concerns for 2020

The security of voting machines is a significant cybersecurity concern for the 2020 elections. However, it is not the only one. Other concerns include ransomware and social media-based influence operations.

Challenges with pentesting voting machines

The security of the United States election infrastructure is a gray area under hacking law. While most parties agree that the security of election machines and underlying infrastructure is a priority, there is a lot of disagreement on how to accomplish it.

The Library of Congress took an important step toward enabling security testing of election infrastructure by providing a three-year exemption to the DMCA, which would otherwise make such tests illegal. However, this exemption expires this year if it is not renewed.

Voting machine manufacturers have also acknowledged that penetration testing of their products could be valuable. However, they often allow this testing only under a non-disclosure agreement, citing concerns that vulnerabilities may be publicized before they are fixed, opening them up to exploitation. Modifications to election machines require them to undergo a lengthy recertification, which makes patching vulnerabilities a slow process.

However, there are also concerns that voting machine manufacturers could use these NDAs to hide known vulnerabilities and refuse to patch them. In the past, voting machine manufacturers have lied about the security of their systems, making this a potentially valid concern.

Election machine security

One of the most prevalent cybersecurity concerns about the 2020 election is the use of outdated and insecure voting systems. A survey performed by NormShield discovered that of 56 election commissions, over half of them used voting machines that ran Windows Server 2008 R2. Four of them used Windows Server 2003, which is no longer even supported by Microsoft.

Beyond the use of outdated systems, additional analysis has demonstrated that machines currently in use contain vulnerabilities that have been known for over a decade. 

At this year’s DEFCON conference, hackers tested the security of over 100 election machines that will be used in upcoming elections. Despite having no prior knowledge of the machines and being limited to equipment available on eBay, the hackers were able to compromise every voting machine present. In fact, all voting machines except one were hacked within the first day, and that one arrived an hour before closing and was hacked within the first hour of day two.

In general, the vulnerabilities discovered at the DEFCON voting village were pretty basic. Voting machines had weak default passwords, built-in backdoors and other intentional features that made them easy for a hacker to access and exploit.

This is troubling. Voting machine manufacturers do claim that many of the vulnerabilities discovered at DEFCON are not realistic attacks, since they require physical access to the device. However, this access is easily gained, as voting machines are often left unsecured and unmonitored at polling locations. Other vulnerabilities can be remotely triggered due to voting machines’ internet connections. Failure to acknowledge the threats posed by these vulnerable machines means that they are unlikely to be patched.

Lack of paper trail

While the poor security of election machines is bad enough, it is exacerbated by the fact that many of these machines have no paper trail. Some vulnerabilities allow votes to be changed or added after the election is complete, making it vital that voters be able to generate and approve a paper record of their vote.

In 2016, 27.5 million people voted using completely paperless voting machines. In the ’18 midterms, no paper trails existed in Delaware, Georgia, Louisiana, New Jersey or South Carolina. By the 2020 election, this number will drop to 16 million people, which is still significant.

The issues with paperless machines are well known and publicized, but they are likely to persist for several reasons. In some cases, budgetary constraints may make replacement of machines difficult or impossible. In others, the refusal to replace machines is intentional, as in some Texas counties that will only replace 20-year-old paperless machines if mandated to do so by the state legislature.

Ransomware attacks

Anne Neuberger, the director of the NSA’s new Cybersecurity Directorate, has another concern regarding the 2020 elections: ransomware.

In the last few years, there has been an average of 4,000 ransomware attacks every day. Recently, attacks have become more targeted and designed to impact or deny access to valuable resources.

Since voting machines are computers and occasionally internet-connected, they are potential targets of ransomware attacks. Targeted attacks could have a significant impact on the result of the election if voters in critical regions of the country are denied the opportunity to cast their votes.

Influence operations

The use of social media to sway voters on certain topics is nothing new for elections. In 2016, the use of bots to create fake dialogues about key topics and otherwise influence voters was a common tactic.

Leading up to the 2020 election, bots will likely make another appearance on social media to help swing crucial votes. However, advances in bot technology are likely to make them much more convincing. By observing how real humans interact with and discuss election topics, bot developers have made them much more difficult for moderators to detect and block.

The rise of deepfake technology is another tool for attackers attempting to perform influence operations. The ability to make realistic-looking videos of public figures that say whatever the attacker wants can be used to influence voters in a variety of different ways.

Finally, poorly-secured voter registration databases can leak personally identifiable information that may be used for a variety of purposes. Voters can be sent to the wrong polling locations on election day, or the PII and data mining can be used to send highly-targeted advertisements to impact voters’ beliefs.

Conclusion: Ensuring election security

Solving election security issues is not easy. However, steps are being taken to address many of the major cybersecurity concerns around the 2020 elections.

The federal government has approved $250 million in election security funding designed to help state governments remediate some of the vulnerabilities identified in their voting machines. The effects of this funding can be amplified by taking simple steps like ensuring that voting machines do not have internet access and that they are properly secured when not in use in order to prevent tampering.

Social media is also taking steps to reduce the threats associated with cyberinfluence operations. Twitter has announced that it plans to stop accepting political ads, which can help to decrease the impact of cyberinfluence operations on social media.

While the cybersecurity threats to election security will not be fixed overnight, it seems that they are moving in the right direction. As the election community seems to be more open to security assessments of voting infrastructure and the public becomes more aware of influence attacks directed at them, the U.S. election system should grow more secure.

 

Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at howard@howardposton.com or via his website at https://www.howardposton.com.