4 Ways our Elections are Under Threat (And What We Can Do About It)

Fear of digital sabotage of the mid-term elections has become the biggest cybersecurity talking point of 2018. With the latest election security bill stalled in Congress and suspicions that Russia (and possibly others) are still seeking to sow divisions among the U.S. electorate, voters and political organizations are right to be worried.

Ironically, the month before the mid-terms is also Cyber Security Awareness Month, a collaborative effort between government and industry to raise awareness about the importance of cybersecurity.

With this in mind, we break down some of the top cyber interference concerns facing our nation and recommend best practices that can be implemented to protect the integrity of elections and reassure constituents that their vote is secure.

Boosting Security at the Ballot Box

A very big concern among voters is that the ballot can be hacked, and their vote altered. However, it’s worth noting that while these machines are susceptible to crashes and failure, they are extremely difficult to hack. Physical security such as locks, seals, video surveillance, and activity logs means they are hard to tamper with, reports The Washington Post. While there’s always a risk, physical access is required – a difficult feat in a polling station.

This doesn’t mean that voting machines aren’t in need of attention. A ProPublica analysis found that more than two-thirds of counties in the U.S. use voting machines that are over a decade old. Faulty or failing machines can lead to long lines, distrust of the electoral system, and even disenfranchised voters.

Phishing for Tidbits – Hacking for Malicious Political Intent

The 2016 election was a wake-up call for many political organizations who found themselves the target of malicious hacks designed to sow discord.

Simple phishing emails, designed for maximum political impact, easily upended the Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC) in 2016. Indictments by special counsel, Robert Mueller, included concrete evidence that Russian intelligence and Wikileaks cooperated to release a treasure trove of campaign emails prior to the Democratic National Convention in order to “engineer discord between the supporters of Bernie Sanders and Hillary Clinton”, writes Vox.

Tip: Phishing is common and frequently successful because it targets the weakest link in the chain – email users. The best way to combat phishing is to condition employees to recognize the signs such as checking URL legitimacy (hover over links to see if they look “phishy”). Organizations should also use a comprehensive security software to protect devices and personal data from any other threats that might result from a phishing scam. Options include McAfee Security for Email Servers and Symantec Email Security.cloud.

And check out this great piece from McAfee on How to Identify Three Common Phishing Campaigns which can impact cloud systems, email, and mobile applications.

“Fake News!” – Disseminating False Information

Fake news or digital propaganda disseminated by automated social bots across Facebook, Twitter, YouTube, and other channels, isn’t of itself a cyber threat. However, the explosion of false information and untruthful news designed to cause confusion and influence political views is increasingly making people wary of the information they read online. Social media companies are taking steps to eliminate fake news sites and efforts appear to be paying off. For example, in 2018, engagement with fake news on Facebook is on the decline compared to the 2016 election cycle, but with one-quarter of people saying they rarely trust the news they read on social media, there’s still a long way to go.

The Overlooked Link in Election Security

While much attention has been is focused on securing voting machines and halting the dissemination of digital propaganda, cyber attackers may have another avenue to disrupt the vote.

According to a survey by ProPublica, and reported here by GCN, 12 of the most contested congressional races are apparently wide-open to attack. Email vulnerabilities emerged in accounts used by 11 county election offices responsible for tallying votes, including large districts like Orange County, CA. These accounts could be breached with just a username and password.

With access to such accounts, malicious actors can exfiltrate confidential communications or even impersonate election officials. While many counties are putting in place multi-factor authentication more needs to be done. 81% of hacking-related breaches are the result of a weak or stolen password according to the Verizon 2017 Data Breach Investigation Report.

Tip: It’s important not to implement multi-factor authentication in silos. Security teams must consider all access points: including cloud and on-premise applications and resources, servers, endpoints, and privileged commands. Here are a couple of resources that can help your IT team secure access to email servers and other systems:

6 Best Practices for Multi-Factor Authentication
What Agencies Need to Consider When Updating Password Protocols in 2018

No Quick Fixes

Securing the vote is a marathon, not a sprint. With no quick answers and many stakeholders involved, government officials, political organizations, and voters must come together to play their part. As constituents, we must constantly question the information we read online and be alert to attempts to influence our thinking by unreliable sources. And political campaigns and government officials must learn from the lessons of 2016, assess their vulnerabilities, analyze their security tools, and insert a CISO into the process for a holistic approach to security.

Online interference is the new normal of cybersecurity and requires a coordinated, multi-pronged response that ensures we all get the open and transparent election process we deserve and trust.

Caron Beesley Government Writer

Caron is a technology writer and also serves as the editor of DLT Solutions’ Acronym Online magazine and blog.