Election security is an ever-increasing concern of cybersecurity and government officials. It used to be that voting infrastructure and database security was at the core of the conversation. But since the rise of social media, and now deep-fakes, the concern of powerful disinformation has moved into the spotlight. Add to that the uncertainty of a potential hybrid between in-person and mail-in voting and there's now multiple risks to security, and privacy, this election.
As we head towards one of the most anticipated and important elections of the modern world, US election cybersecurity as a whole is at the forefront of mainstream global interest. Nation-states and hacker groups have set their sights set on the U.S., aiming to cause chaos and influence the outcome of the election results in the hopes of economic and political gain.
The stakes are higher than ever.
We wanted to hear what top cyber leaders thought about election security heading into this season. We’ve compiled some of their expert insights on the dangers to election security this go around and how organizations should be thinking about security and preparing for the worst-case scenario.
JJ Thompson, Senior Director Managed Threat Response, Sophos
“From an infrastructure point of view, we’re in relatively the same position. But it’s tough to make sweeping statements because of the way elections are administered differently across each state and local district.
After years of discussion, the threat exposure is clear, and we have identified and are starting to talk about the potential problems with election security in a manner that is nearing the tipping point to effective actions. The primary changes needed are around the standards guiding election vendor recertification within each state, and ideally this would turn into a federal standard. This standard needs to include non-repudiation around audit trails (for the vote as well as for log and event data), hardening, integrity monitoring, and active monitoring and response. With the recertification process taking place over a number of years and transcending budget cycles, public interest shift, and legislative agendas, it is increasingly difficult to get Secretaries of State to issue orders to force changes outside of recertification windows. This results in the status quo going unchanged.”
Steve Moore, chief security strategist, Exabeam
“The pandemic has expanded mail-in ballot options to 46 states, with an estimated 70 percent of all ballots in the general elections expected to utilize this format. While there are some reports of mail-in voting fraud over the years, the numbers are so statistically miniscule that it will be nearly impossible to impact the 2020 Presidential election.
The Washington Post recently analyzed this issue and found that there was just a .00025 percent rate of mail-in voting fraud across five elections in 2016 and 2018. On top of this, over the last 20 years, 250 million+ votes have been cast via mail in the U.S., yet there have been just 143 criminal convictions for related election fraud. That comes out to a .00006 percent fraud rate.
That being said, we know that voting machines are vulnerable to foreign interference and manipulation -- it’s been proven time and time again. So shouldn’t that be the greater concern? The 2016 election, of course, saw Russian nation-state meddling. More recently, in 2019, cybersecurity researchers gathered to test the security of 100 voting machines, and every single device was compromised in some way. Some took minutes, some took hours, but they were all vulnerable, painting a potentially grim picture for this year’s elections.
In addition, there isn’t a consistent managed environment for election support -- it’s built up and torn down for each election. This should also be a major area of focus.
While Congressional funds are available for states to use to replace outdated, vulnerable machines, we’re seeing a long term underinvestment from the government. What we have now is too little way too late and should have started post-2016. These funds simply are not enough to cover the vast number of machines that need to be replaced.
So, maybe mail-in ballots are a reasonable, safe path forward in the short term. Longer term, a few things need to happen. Existing machines need to be replaced with more modern units that employ methods that allow the unit to be monitored when strange or likely adversary behavior occurs. Government entities must also standardize and improve their email security posture. While the voting machines are only around periodically, state and local email is often left unprotected and outdated consistently. They should be running adaptive authentication at minimum. We also think security audits on voting should be mandated -- whether at the state or national level -- and believe there should be traceability from the voter, the vote and the candidate/topic.”
Paul Bischoff, Privacy Advocate, Comparitech
“Election security faces more threats and more scrutiny this year than ever before. A huge portion of the population will vote by mail, which opens up new avenues for fraud. On top of that, many electronic voting machines are out of date and not properly secured. Local election officials often lack the resources to audit and secure their systems, many of which run on Windows 7, which is no longer supported by Microsoft.
As it stands, most of these election security vulnerabilities will not be addressed prior to the 2020 general election. There may well be some amount of fraud and cyberattacks that we can't defend against.
The most effective course of action is to keep a paper record of every vote, then use risk-limiting audits to check those records after election day. This involves checking a sample of paper ballots by hand for vote tampering. We should mandate audits in every constituency and not just use them when tampering is suspected. Unfortunately, only three states have audit mandates in place.”
Joseph Carson, Chief Security Scientist & Advisory CISO, Thycotic
“The threats will be very similar to the previous presidential election while everyone is focused on the actual systems, infrastructure and voting integrity the attackers will be engaged in disinformation, voter registrations compromise and the campaigns. The best way to change an election outcome is not to hack into the voting system but to convince voters to not participate, attackers will always take the cheapest and most stealthiest hacking technique. When you step back and take a look at what is actually happening this is not hacking of an election but hacking of democracy. What is at least a more positive approach this time is the acknowledgement of social media companies in their influence and efforts to label disinformation and political threads. The focus on mail fraud is not looking at the bigger problem which is gaining the citizens confidence on the election outcome. The priority getting citizens confidence in democracy back which means being transparent on the security of each voting method. Just like we do in password security that not all methods of authentication are equal.
The dangers have increased as the techniques have become more sophisticated such as deep fakes and disinformation but the security improvements to the elections have not especially in an election midst of a global pandemic.
Anyone involved in the election security while employees are still working remotely should have Privileged Access Security as a top priority as this helps a Principle of Least Privilege security strategy reducing the risks of credential compromise which still today is one of the biggest threats to organizations globally.”
###