Are Vulnerabilities in our U.S. Elections Insurmountable? Part 1
Security around elections is a concern for the U.S. and the global community. From “fake news” to social engineering and ransomware, there are several areas across the election process that can be unsecure and open to attacks that shift public opinion or sow distrust among voters. In this two-part blog series, we’ll look at vulnerabilities in campaigns, the election process, and the voting system. In part one, we’ll explore the security challenges with our campaigns.
Limited IT resources put campaigns and voters at risk
Campaign teams play a critical role in the U.S. elections. Most campaigns are comprised of volunteers primarily tasked with persuading voters to support their candidates. Given limited IT budgets, many of these volunteers use their own personal devices and applications to communicate with campaign managers, other team members, and supporters. Staffers use mobile devices or laptops to access campaign systems such as the Voter Activation Network (NGP VAN) that includes voter information to support operations such as phone banking and door-to-door canvassing. Staffers also have access to campaign strategy documents, correspondence with the national party, as well as personal data about the candidates themselves including, in some cases, candidates’ passwords. As these are personal devices, device security may not be managed by the campaign security team.
Without proper security controls, adversaries can easily gain access to campaign and voter information by exploiting these personal devices through various social engineering techniques placing both the campaign and voters at risk. For example, through targeted spear-phishing or phishing, an unsuspecting staffer could click on an email containing a malicious link that would then infect the campaign systems. This was the case in a 2018 breach when Russian military intelligence sent spear-phishing emails to Illinois campaign staffers likely involved in the management of voter registration systems to infiltrate voting databases. More recently, topical issues such as the COVID-19 pandemic are being used to conduct phishing campaigns to gain access to personal data.
Once adversaries have access to the campaign network and machines, they can create havoc for the campaign, candidates, and voters in a number of different ways. Voters could be eliminated from voter rolls, as was the case in the Illinois breach noted above. Voters could also potentially find their driver’s license information being sold on the dark web. Adversaries could start a fake campaign fund by hosting a hidden section on the campaign’s website that ties back to their bank account. They may also spread fake news about the candidates themselves, as was the case with Hillary Clinton. Unfortunately, technology with this type of threat has evolved. Now deepfakes combine artificial intelligence (AI), video and audio to create media that appears to be authentic – but is not. This was the case of the deepfake video last June which appeared to show Nancy Pelosi stumbling through a speech when, in reality, she did not.
Even with security controls such as two-factor authentication (2FA), campaign and voters may still be at risk. For example, as Exabeam security engineer Abel Morales notes, “Adversaries can socially engineer staff to obtain 2FA access. We’ve witnessed instances of credential sharing where employees willingly provide others 2FA access, which circumvents policy and can lead to a security incident.” Morales recommends campaigns detect anomalous authentications using solutions such as user and entity behavior analysis (UEBA). “By monitoring staffers’ behaviors and detecting anomalies from their typical workflows, IT would be able to reduce the impact of threats introduced through social engineering, phishing, and other malicious techniques.”
The continuing threat of ransomware and nation-state attacks
U.S. government officials are worried about ransomware attacks on voter databases and systems that would allow adversaries to extract payment in exchange for voters’ private information such as driver’s license numbers. Ransomware encrypts data in vulnerable systems until a ransom is paid and could also be used to manipulate voting results. In addition, locking administrators out of critical data during an election could cause havoc to the confidence in the voting process.
Increasing attacks by nation states are another major concern. Microsoft has reported that its data shows Russia, Iran and North Korea are the most active nation states conducting recent cyberattacks against campaigns. In late 2019, Iran made 2,700 attempts to hack the emails of candidates, government officials, and even journalists in an attempt to influence the upcoming 2020 presidential election. While Iran was successful at breaking into four email accounts, none were linked to individuals with campaign ties. Some officials believe that foreign influence on our elections will more likely come through social media to shape public opinion towards whatever direction serves their specific goals. In particular, the FBI is worried that Russia will use social media to cause further division between the political parties or hack campaign websites to spread misinformation about the voting process.
As a result of attacks targeting campaigns and their systems, measures are being taken to educate campaign IT tech teams and staffers including training courses to detect and report suspicious emails. The Democratic National Committee has created a security checklist for campaigns with recommendations on topics such as password management and two-factor authentication which requires staffers to verify their identity before being granted access to voting systems. The Center for Internet Security has also developed a library of resources to help campaigns including a Handbook for Elections Infrastructure Security.
Being vigilant is key
Campaign security teams are at the forefront to notice anomalies that may be a result of phishing, ransomware attacks and nation-state exploits. One thing they can do is to be aware of normal system patterns and usage including, for example, the number of communications, downloads or logins from staff and volunteer staff on a daily or weekly basis and the surges that occur during events such as an election. With the level of attacks against campaigns expected to grow in the coming months leading up to the elections, identifying anomalies in campaign systems and user behavior will become even more critical.
For the elections, the same approach can be used as seen in this example of an IT staff member of the Illinois State Board of Elections who noticed that one of the voter registration systems was running extremely slow. It turned out that the system had been exploited through a vulnerability in the voting application, giving the adversary access to the voter database, which included voters’ names, addresses and driver’s license numbers. We’ll look at the election process in greater depth in our next post in this series, “Is Our U.S. Election Process Too Large and Complex to Secure?”