Report: County Election Websites Lack Basic Security, Pose Disinformation Risk
According to cybersecurity leader McAfee, there's a big gap in website security at the county level. Many websites that provide pertinent election information like details on candidates and voting locations, were found to be lacking in basic security features that would ensure that visitors are in fact visiting the official website, and are receiving accurate information.
McAfee’s new report found that nearly 45% of county election board websites lack basic HTTPS encryption, and 80.2% lack a .gov domain name.
Hackers could take advantage of this lapse in security and attempt to launch disinformation campaigns to cause confusion on election day.
Voters already need to be careful about the websites they trust during this time – and these security lapses on real gov associated websites aren’t helping to give security experts any peace of mind.
Steve Grobman, SVP and CTO at McAfee weighed-in with additional insights on the importance of these basic security features via the McAfee blog:
"Using a .GOV web domain reinforces the legitimacy of the site. Government entities that purchase .GOV web domains have submitted evidence to the U.S. government that they truly are the legitimate local, county, or state governments they claimed to be. Websites using .COM, .NET, .ORG, and .US domain names can be purchased without such validation, meaning that there is no governing authority preventing malicious parties from using these names to set up and promote any number of fraudulent web domains mimicking legitimate county government domains.
An adversary could use fake election websites for disinformation and voter suppression by targeting specific citizens in swing states with misleading information on candidates or inaccurate information on the voting process such as poll location and times. In this way, a malicious actor could impact election results without ever physically or digitally interacting with voting machines or systems.
The HTTPS encryption measure assures citizens that any voter registration information shared with the site is encrypted, providing greater confidence in the entity with which they are sharing that information. Websites lacking the combination of .GOV and HTTPS cannot provide 100% assurance that voters seeking election information are visiting legitimate county and county election websites. This leaves an opening for malicious actors to steal information or set up disinformation schemes.
Malicious actors can pass off fake election websites and mislead large numbers of voters before detection by government organizations. A campaign close to election day could confuse voters and prevent votes from being cast, resulting in missing votes or overall loss of confidence in the democratic system."
Chris Howell, CTO, Wickr -- an expert on encryption -- shared his insights about why this is such an alarming discovery by McAfee:
“Verifiable domains and HTTPS encryption are table stakes features for all serious websites built in the past decade. Beyond the threat of exposing voter registration/PII or the potential of disinformation around polling hours and locations, sites that lack these protections today also pose a significant threat to visitors related to the proliferation of malware. With the right tools, attackers can drop malicious payloads into web traffic to siphon sensitive data from visitor computers or execute damaging ransomware or related attacks without having to compromise the website hosting infrastructure.
Election sites are attractive targets for more organized threat actors and nation-states as well, which increases the likelihood that weak sites will be exploited.
Perhaps even more concerning is if so many election sites haven’t done the most basic of things necessary to secure themselves, what else aren’t they doing? Verifiable domains and HTTPS are only the first steps; they don’t keep your servers patched or your application software free of security vulnerabilities, which is how most sites are compromised today. Our banking and e-commerce services know this. Our election system requires no less security; perhaps more.
The scary thing is if we add it all up - a low average security score across the board, a target that attracts the most highly motivated and capable attackers, and the likelihood that even a single attacker “victory” would produce broad chaos amongst the electorate - it’s a recipe for disaster. Those with the power to act should do so quickly and effectively.”