As we head towards one of the most anticipated and important elections of the modern world, U.S. election cybersecurity as a whole is at the forefront of mainstream global interest. Nation-states and hacker groups have set their sights on the U.S., aiming to cause chaos and influence the election results in the hopes of economic and political gain.
We wanted to hear what top cyber leaders thought about election security heading into this season. We’ve compiled some of their expert insights on the dangers to election security this go around and how organizations should be thinking about security and preparing for the worst-case scenario.
Scott M. Giordano, Esq., V.P. and Sr. Counsel, Privacy and Compliance, Spirion
"The top dangers to election security, both to political campaigns and to voting mechanisms, are found within their respective supply chains. A common means for state actors to attack election integrity is to compromise a relatively small supply chain member without the resources to defend itself, then to use that member as a launching point for the next stage of the attack. By this point, campaign leaders and public officials should have reviewed every supply chain member’s security plan and determined whether it was adequate.
The most effective cybersecurity measure ever invented is an alert employee. Campaign staff should assume that state actors and other hostile parties will attempt to subvert the election process and actively monitor their email and mobile devices for phishing and other attacks. They should also be wary of anything out of the ordinary, like urgent demands made via email that really would be done by phone. Finally, everyone should read David Sanger’s The Perfect Weapon, which chronicled the many cybersecurity failures that took place during the 2016 election – the bad guys no doubt will attempt to re-use what worked last time."
Jonn Callahan, Principal Application Security Consultant, nVisium
"For the last several years, the infamous DefCon security conference has included a Voting Village. This is an open section of the conference dedicated to allowing professionals to hunt for vulnerabilities within real voting machines. A report is always published afterwards and it is never empty. Election hardware and software will never be secure and, even more importantly, trusted until the government commits to hiring top tier firms to both build and open source the solutions. Closed-source, proprietary solutions will forever be the bane of a trusted electronic voting platform. If a handful of Vegas-bound hackers can find issues with a system in a single weekend, imagine what a motivated team of nation-state sponsored hackers could do."
Drew Porter, president, Red Mesa
"The biggest danger in election security no one is talking about is the ongoing blame game being played between the federal and state governments,” said Drew Porter, president, Red Mesa. “Earlier this year, I brought up election security to a senator and was told ‘that is a state problem.’ When I pointed out that DHS is supposed to be helping (indicating the federal government bears some responsibility), I was met with an evasive ‘no one wants to dive right into it’ response.”
Chris Hauk, Consumer Privacy Champion, Pixel Privacy
“This year's election faces more perils, both online and offline, than ever before. While much of the recent media focus has been on voting by mail (which comes with its own issues, including the possibilities of fraud and genuine human error), the true problems this year will be those of electronic voting and internet voting.
Electronic voting has been the subject of attacks in the past. In the 2016 U.S. presidential election there were claims of tampering by Russian state actors. This will likely be an issue we'll face this November. Electronic voting is still subject to tampering on both the local and international levels. This means systems need to be put into place to ensure an accurate vote count.
Perhaps a parallel electronic vote/paper vote system should be in place to ensure that a proper audit of each vote can be obtained. While this will delay knowing the final outcome of the vote, it will ensure an accurate count. Local and national election officials should also enlist white hat hackers to attempt to crack the security of voting systems, allowing them to detect and plug possible security holes before election day.
As for internet voting, this raises other questions as to how to certify votes made in this manner. It is certainly an attractive method of voting, allowing everyone access to a virtual polling place, ensuring shut-ins and others that might not be able to physically make it to the polls have an opportunity to vote. However, it also introduces new possibilities for illegal actions, making it tougher to detect voter fraud.
To confirm the accuracy of any election, an auditing system needs to be in place, led by a neutral party that will verify the code used in electronic voting machines as well as online voting. Certification programs need to be standardized across the board. This will ensure that the old Chicagoland political saying, "vote early, vote often" will remain a bit of historic humor and not a sad reality.”
Eyal Benishti, CEO, IRONSCALES
"Like 2016, this election season is expected to be loaded with disinformation, hacking, and controversy -- some of which have already begun. At a time when opinions are formed online, hackers, nation states and other bad actors are ready to use social media, phishing emails and other creative strategies to incite distrust in candidates for all offices and the electoral process in general.
What’s most different now than four years ago is the mainstream awareness that elections are vulnerable to cyberattacks. But while the elevated awareness is helpful at reducing some risk, the absence of a well-funded national strategy composed of both human and advanced technical controls means that the U.S. response has not met the magnitude of the threat. As evidence, a recent survey by ProPublica published just before the 2018 midterm election found a third of counties overseeing toss-up congressional elections have email systems that could be vulnerable to hacking.
Today, email remains the number one threat vector - accounting for roughly 90% of all cyberattacks worldwide. In fact, local, state and federal campaigns, secretaries of state offices and the ordinary voter continue to be susceptible to the same type of social engineering message that victimized Hillary Clinton campaign chairman John Podesta back in 2016. The only difference is that such messages have become even more difficult to identify and can easily defeat common email security controls.
Remarkably in 2020, the vast majority of campaigns and government agencies involved in elections have chosen to put their email security in the hands of either secure email gateways, the DMARC authentication protocol and greater phishing awareness training, or a combination thereof. This strategy is akin to fighting a five alarm fire with just one fire truck. While it can handle some of the flames, the fire will keep burning until greater reinforcements are brought in.
The reality is that today’s email phishing threats are extremely sophisticated - many of which are purposefully built without payloads (attachments, URLs, etc.) so as to defeat all of the most common technical controls and the human eye. Further, all of the technical controls are focused primarily on sender identification or the “who” is sending the email. While this is important, spoofing the “who” to make it appear legitimate is easier than ever.
Thus much like businesses, the election ecosystem requires advanced email security measures that seek to uncover the intent and content of messages as much as the sender. To do so requires email security with a mix of AI, computer vision and natural language processing to help discover and analyze both visual and contextual anomalies, such as altered logos and calls-to-action, that could easily prompt deception.
It’s important to know that adopting such technology doesn’t have to be a daunting and expensive task for campaigns and government agencies. In fact, such email security is often available at similar price points to legacy tools -- we simply need to make it more well known that such options exist, can be easily implemented and won’t require massive security teams to implement.
In 2020, relying on DMARC or Office 365 ATP or a session or two of phishing awareness training isn’t enough to significantly reduce risk. Far too many bad actors want to see chaos and disruption tear this country apart. Stronger email security can prevent this from happening, and it’s not too late to begin bolstering your mailbox protections today."