Editor's note:
The CSO Online discussion of the issues surrounding election security places less emphasis on ballot systems and more on the security of local governments. This is a widespread problem that nobody has addressed for a long time. Many local and state government bodies, and even federal agencies, are still running Windows XP on legacy, obsolete hardware because they have no budget to replace or upgrade it.
Such government systems, as CSO Online points out, are frequently the victims of ransomware attacks, often because they lack security patches for known vulnerabilities and because they are operated by people who do not really understand the systems they handle and do not recognize when something is not behaving as it should or is not what it claims to be.
However, this is only one part of the election security problem. While we cannot afford to ignore the vulnerabilities in the infrastructure that counts the votes, neither can we afford to ignore those in the systems that record the votes in the first place. In this respect, Direct Recording Electronic (DRE) voting systems have repeatedly proven to be extremely easy to compromise. Manufacturers often refuse to accept external audits of their code, and their response to the vulnerabilities found by election security researchers has very often been to try to prevent those vulnerabilities from being disclosed rather than to fix them.
If a DRE system is compromised, all votes recorded by that system must be considered lost, since, without an electronic record of the votes, there is no reliable way to reconstruct the votes cast, because there is no paper trail to refer to.
Election researchers have designed and proposed electronic voting systems that allow any voter to verify that their vote was recorded and counted exactly as cast, without losing deniability (meaning that voters cannot later be forced to reveal whom they voted for). However, no such system has yet been put into operation. When elections are run on the existing DRE voting machines, we have no choice but to trust whatever the voting machine recorded; there is no way to check the tallies against actual ballots, because those ballots do not exist.
Ultimately, we have no way to verify that the votes counted are the same as the votes cast, whether the compromise occurs in the machines that record the votes or in the government systems that count them. Without that assurance, we have no way to verify that we can trust our own elections. In times like these, that is a terrible position to be in.
We cannot guarantee that every attack will be prevented. But, at the very least, we need to be able to know when one has occurred.
- Phil Stracchino, Chief Architect
Attacks on the digital infrastructures of US state, local, tribal and territorial (SLTT) governments continue at a healthy clip, a chronic trend that does not bode well for election security as the nation moves into the crucial run-up to the 2020 presidential election. Although a lot of research has focused on the potential hacking of election equipment and related backend infrastructure, recent studies and exercises suggest that adversaries can disrupt the democratic process almost as well by simply targeting other local government and community systems.
In a report released today, cybersecurity firm Blue Voyant presents the results of a study that examined the local governments’ cybersecurity posture in 108 jurisdictions going back to 2017. They found a steep rise in ransomware attacks on SLTT governments from 2017 to 2019 and a jump in the amount of ransom demanded from $30,000 in 2017 to $380,000 in 2019, with some ransom amounts exceeding $1 million.
Lack of standardized online infrastructure hinders SLTT security
Although ransomware captures the lion’s share of attention when it comes to disabling local government operations, including elections, other attacks that can impair essential services include outright data breaches, typosquatting that leads to malware installation, and exploitation of weak VPN solutions. One big problem across the nearly 90,000 local governments in the US is the lack of standardization for online infrastructure and resources, Austin Berglas, global head of professional services at Blue Voyant, tells CSO.
Berglas, who spent 22 years in the federal government, ultimately serving as the assistant special agent in charge of the FBI’s New York Office Cyber Branch, says that some state and local governments don’t even use .gov domains, where they would get the benefit of US government oversight of those domains. The .gov domains also force the use of multi-factor authentication (MFA), HTTPS and other security features. It’s no surprise, then, that Blue Voyant has been able to track compromises of state and local government IT infrastructure back to bad actors, some of them nation-state actors.
Ransomware, other attacks can disrupt elections
When it comes to elections, the odds of threat actors changing votes are slim, but attackers can knock voter databases or other systems offline with ransomware or other methods that could disrupt voting, Berglas says. The potential for disruption of city services poses a threat even to mail-in voting. “If there were a state or municipality that took ballots and then imported them into a system and the next day that system was locked up with ransomware and they were unable to get at those results, that would disrupt the system. It wouldn’t necessarily change the vote tally but definitely put a damper on the system.”
Lack of coordination among local governments and feds
Michael Hamilton, founder and CISO of CI Security and the former CISO of Seattle, worries about another form of standardization, namely the lack of real coordination among local governments and the federal government when it comes to system monitoring or detection of attacks. “I have no idea if they have analysts going through this stuff where it’s just kind of all automated…so that they can see how things are going across the country. There is no requirement for them to talk back to any of the jurisdictions where they’ve deployed the Albert sensor [a network monitoring system established by DHS’s CISA] and that’s a bit of a concern.”
Hamilton believes that local governments’ readiness to most effectively handle digital threats is contingent on “making information available every week [to the nation’s municipalities] so that everybody gets on the same page.” In terms of what last-minute efforts local governments can undertake to harden their infrastructure to bolster voting security given the likelihood of mass mail-in voting, Hamilton advises local CISOs to pay attention to computing systems that do signature-matching and bar-code reading. “I would focus on where there is actual ballot counting and handling being done…and when you’re talking about vote by mail, you’re talking about things like signature matching.”
Tabletop exercise provides insight into government security readiness
An annual tabletop exercise hosted by Cybereason called Operation Blackout: Protect the Vote conducted in August also provides some fresh insight into local government security readiness for the fall. The virtual edition of the exercise took place in the fictional city of Adversaria in the weeks leading up to a typical election day.
Like Blue Voyant’s analysis, the focus of Operation Blackout was not on election infrastructure itself; the exercise explicitly excluded targeting election equipment. The goal was to “examine and advance the organizational responsiveness of government entities to an anarchic group’s attempts to undermine democratic institutions and systems of governance in the republic.”
In this recent tabletop context, the local governments had to manage disinformation attacks. As a consequence, one of the key lessons learned from the exercise is that communications are the key battleground as cities gird for election season problems. To that end, “[b]roadcast media is the bully pulpit. Make sure it's used effectively to help counteract the effects of misinformation through other channels,” Cybereason said in its written Operation Blackout results.
Finally, another factor that could affect local governments’ ability to fend off attacks is the “defend forward” strategy of US Cyber Command, as spelled out this week by Cyber Command chief Paul Nakasone and his senior advisor Michael Sulmeyer in Foreign Policy magazine. Under this strategy, Cyber Command and the National Security Agency (NSA) joined forces during the 2018 elections to create what they called the Russia Small Group, which shared indicators of compromise with DHS to harden the security of election infrastructure. Nakasone and Sulmeyer said they plan to do it again for the 2020 elections.
“The defend forward [part of Cyber Command’s election strategy] is ‘we know who is twisting our door knobs and we’re going to go smack ‘em,’” CI Security’s Hamilton says. “A lot of these are disinformation campaigns and I’ve heard a lot of them are run out of Africa and paid for by Russia.”
Still time for basic security hygiene to help
Even at this late stage, local governments can undertake some basic hygiene tasks to make their systems ready to withstand any challenges that the election throws at them. Reviewing the policies and procedures around the use of Remote Desktop Protocol (RDP) is job number one, Berglas says. “A lot of these smaller organizations are heavily reliant on outsourced IT and they need to use RDP to come into the network and do their work. The problem is they leave it open and the bad guys come in and compromise that.”
Secondly, “if there’s not two-factor authentication on significant account log-ins — from email to sensitive account log ins — that needs to be enforced as well. Third, if there is not a good enforceable password policy that is in place, that needs to be in place.” Blue Voyant’s report shows how easy it is to find compromised user names and passwords for state and local employees from the mounds of data breach reports out there.
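The three hygiene items above (RDP left open for outsourced IT, no second factor, credentials recoverable from breach dumps) produce one recognisable pattern in Windows Security logs: a handful of failed RDP logons followed by a success, from an address that is not the vendor's. The following is an added example, not code from the article or from Blue Voyant, that audits a constructed log export for exactly that; the line format, the sample events and the vendor allowlist address are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of Windows Security events, one per line.
# EventID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
SAMPLE_LOG = """\
2020-09-18T02:14:01Z EventID=4625 LogonType=10 User=clerk1 SourceIP=203.0.113.45
2020-09-18T02:14:03Z EventID=4625 LogonType=10 User=clerk1 SourceIP=203.0.113.45
2020-09-18T02:14:05Z EventID=4625 LogonType=10 User=clerk1 SourceIP=203.0.113.45
2020-09-18T02:14:09Z EventID=4624 LogonType=10 User=clerk1 SourceIP=203.0.113.45
2020-09-18T08:30:00Z EventID=4624 LogonType=10 User=itvendor SourceIP=198.51.100.7
2020-09-18T09:05:11Z EventID=4624 LogonType=2 User=clerk2 SourceIP=127.0.0.1
"""
# Hypothetical allowlist: the outsourced IT provider's known egress address.
ALLOWED_RDP_SOURCES = {"198.51.100.7"}
LINE_RE = re.compile(r"^(\S+) EventID=(\d+) LogonType=(\d+) User=(\S+) SourceIP=(\S+)$")


def parse_events(text):
    """Yield (timestamp, event_id, logon_type, user, source_ip) for each line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not follow the assumed export format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, int(m.group(2)), int(m.group(3)), m.group(4), m.group(5)


def audit_rdp(text, window=timedelta(minutes=10), min_failures=3):
    """Return (reason, user, source_ip) findings for RDP (LogonType 10) logons.
    'unexpected_source': a success from an address not on the allowlist.
    'stuffing_success': min_failures or more failures, then a success, within window."""
    findings = []
    failures = defaultdict(list)  # (user, ip) -> timestamps of failed logons
    for ts, event_id, logon_type, user, ip in parse_events(text):
        if logon_type != 10:
            continue  # only RDP (RemoteInteractive) logons matter here
        key = (user, ip)
        if event_id == 4625:
            failures[key].append(ts)
        elif event_id == 4624:
            if ip not in ALLOWED_RDP_SOURCES:
                findings.append(("unexpected_source", user, ip))
            if len([t for t in failures[key] if ts - t <= window]) >= min_failures:
                findings.append(("stuffing_success", user, ip))
            failures[key].clear()
    return findings
```

Feeding a real export through `audit_rdp` and reviewing `unexpected_source` hits is a quick way to confirm whether RDP is reachable from anywhere other than the vendor; the `stuffing_success` hits are the accounts that most urgently need a password reset and MFA.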