What keeps researchers up at night leading up to Nov. 3 isn’t election-day winners and losers. Most cite possible attacks on local infrastructure, crippling ransomware incidents and disinformation campaigns.
There are also many concerned voters this year. Election-related cybersecurity attacks have been making headlines daily, keeping the U.S. electorate worried about possible late-stage cyberattacks.
So, heading into the homestretch weekend before Election Day, Threatpost asked researchers to weigh in on the state of play.
“The last weekend before the election is like the Super Bowl for malicious actors that want to disrupt or influence the election,” said Ray Kelly, principal security engineer at WhiteHat Security. “Authorities and election officials know this is the case and have taken precautions to try to ensure a safe election. These include election infrastructure assessment and securing voting registration systems. However, given the recent hack involving Hall County, Ga., where election data was released to the public for failure to pay a ransom, it really brings into question how effective the measures will be in the final stretch of the election.”
That said, just to balance things out, researchers were also asked about what’s going right – it can’t all be a black cloud of worry after all.
Top Concerns
As Kelly intimated, one big area of dread for researchers is the threat to local municipalities and their elections infrastructure.
“The biggest cyber-risks to the election are most likely going to come in the form of disruption to local support services: e-pollbooks, municipal IT infrastructure, informational applications,” said Rob Bathurst, CTO at Digitalware.
Digitalware recently found that the average municipal computer contains more than 30 potential vulnerabilities or risk conditions at any time. And, in an average local government network, an attacker has over 15 ways to penetrate a typical computer and reach an intended target.
“The reason these services would be the most likely to be disrupted is that they are publicly accessible (voter registration/polling place lookup) and common targets of criminals/ransomware actors (municipal IT infrastructure/systems),” Bathurst explained. “The rest of the systems used to support the actual voting process (DRE, ballot markers, tallying) generally has a very limited connectivity timeframe and a small attack surface, meaning the odds of an incident involving them would be small compared to the aforementioned targets.”
Mike Hamilton, CISO at CI Security, also has local elections infrastructure on his radar screen.
“The biggest danger is the threat of counties being hit with ransomware on November 4th. Why? Because at that point in-person voting will have been completed and votes tabulated,” he said. “If ransomware hits a county (only counties conduct elections), the mail-in count will be thrown into question. Because Republicans are known to vote in person on election day and Democrats favor mail-in ballots, this is a danger.”
He added ominously, “It doesn’t matter whether ransomware can actually ‘change vote tallies,’ it’s that if there is enough access to a network to encrypt data, there’s enough access to change it.”
Hamilton isn’t alone in anticipating direct cyberattacks on election infrastructure that could cripple vote-tallying or vote-casting.
“Instead of hacking into voter-registration databases, which are better protected now than they were in 2016, we should be prepared for cyber-attacks that deny access to voter-registration lists on election day,” said Suzanne Spaulding, advisor to Nozomi Networks and former DHS undersecretary of cyber and infrastructure.
She added, “This might be through ransomware attacks that would lock up the data so poll workers could not access it. Or, cyber-activity could disrupt the tabulation or reporting of results. In addition, with a significant increase in mail-in voting expected, we should look for disinformation designed to undermine the public’s trust in that process. We are seeing it already in the Russian propaganda outlets.”
And indeed, another major area of concern for researchers lies in disinformation campaigns, which continue to rage on in the home stretch of the election season. Digital Shadows, for instance, recently found that China, Iran and Russia are all ramping up their attempts to spread fake news and misinformation about candidates and policies.
“Russia’s Internet Research Agency (IRA), which allegedly takes its direction from the Kremlin, has been primarily responsible for this interconnected ‘carousel of lies,’ as one former member of the IRA described it,” according to the firm’s report. “In many cases, the fake news stories they spread are more appealing to Americans due to pop culture references, pictures and cartoons.”
The tactic works, too: In September, Facebook took down groups and accounts that were affiliated with the deceptive news organization, Peace Data, but not before hundreds of stories were shared on Facebook.
“At this stage in the election process, the only significant cyber-risk is disinformation with the confidence on the actual result of the election,” opined Joseph Carson, chief security scientist and advisory CISO at Thycotic. “Hacking an election is not about influencing the outcome, it is about hacking democracy. It is always important to determine the ultimate motive and that is about dividing people to create distrust in both government and your fellow citizens.”
Brandon Hoffman, CISO at Netenrich, noted that while it’s important to boost awareness around these types of influence campaigns, the focus in the news on disinformation may also be an intentional distraction for something else.
“We may be creating the smokescreen the real adversaries need to perform the attacks they have been waiting to execute,” he said. “My hunch tells me that there is something waiting in the wings related to voting infrastructure or a major information bomb coming on either Monday or Tuesday. That information bomb may be real or fake, however, as long as it creates chaos and discontent, the effect will be the same.”
Bikash Barai, co-founder of FireCompass, warned that disinformation efforts stretch far beyond just posting or sharing fake news on social media.
“Based on FireCompass’ internet-wide monitoring data, there are currently more than 5 million open, vulnerable databases, which include usernames, passwords, emails and personal details,” he said. “When this data gets in the hands of hackers, it can be used to send personalized and targeted misinformation to skew results.”
He added, “In addition, breaking into the ‘information supply chain’ is not a challenge for hackers. In fact, more than 90 percent of organizations have at least one major security vulnerability, which can be used to break in, steal and corrupt data.”
What’s Going Right?
After the hack-and-leak operation against the Democratic National Committee and widely publicized election meddling by foreign actors in 2016, the U.S. population is a bit nervous on the cyberattack front when it comes to ensuring a free and fair election.
And to be sure, there have been plenty of headlines: Iranian actors posing as the hate group “Proud Boys” launching email campaigns against registered Democrats; the aforementioned ransomware attack affecting a Georgia database of voter signatures; the Trump Campaign website defaced with a cryptocurrency scam; scammers bilking Wisconsin Republicans out of $2.3 million; and rampant mobile phishing issues – just to name a few.
But can we hope things will go smoothly in these last few days? Threatpost asked researchers what they consider to be the bright side of cyber for the remaining election season. Most pointed first and foremost to improvements overall in risk awareness.
“Local governments are now aware that their systems could be targeted, and most larger city/county governments have moved to try to shore up their security operations in the run-up to the election,” Digitalware’s Bathurst said. “Some have even taken the proactive approach of attempting to understand their attack surface and how things like misconfigured/unmanaged systems could impact their security.”
Also, so far it’s been pretty quiet in terms of any major bombshells, noted James McQuiggan, security awareness advocate at KnowBe4.
“We haven’t had any significant data breaches with the government or political party systems, like what happened in 2016 with the Democratic party,” he said. “More and more organizations are taking notice of the recent attacks and taking the necessary steps to educate their staff to make sure they can spot social engineering scams. These actions can help to reduce the risk of a cyberattack.”
CI Security’s Hamilton sees other reasons to be positive too. “The cooperation between Microsoft and the Department of Defense at taking down the TrickBot botnet, Microsoft giving Defender/ATP free to counties until the election is over, and the information-sharing that seems to have been stepped up with the FBI and DHS/CISA are all positive,” he said.
On the free protection service front, Spaulding added, “It’s hard to know all the things the political parties may be doing to better protect their data and information systems. I am on the board of an organization, called Defending Digital Campaigns, that got a ruling from the FEC that allows us to work with cybersecurity companies to provide their services to campaigns for free or at a discount. Campaigns have not traditionally focused on cybersecurity and they have a long way to go!”
Netenrich’s Hoffman had a tougher time being positive: “It’s hard to say what’s going right in this election,” he said. “From a place of false comfort, I would say there haven’t been any major cyber issues…but it feels like foreshadowing.”