CSO Online’s discussion of election security issues focuses less on ballot systems themselves and more on the security of local governments. This is a widespread problem that has gone un-addressed for far too long. Many local and state government bodies, and even Federal agencies, are still running Windows XP on outdated legacy hardware that there is no budget for replacing or updating.
Such government systems, as CSO Online calls out, often fall victim to ransomware attacks – frequently because they are unpatched against known vulnerabilities, and being used by people who don’t really understand the systems that they are using and don’t recognize when something is not behaving as it should or is not what it pretends to be.
This is only part of the problem of election security, though. While we cannot afford to ignore vulnerabilities in the infrastructure that counts the votes, we also cannot afford to ignore vulnerabilities on the systems that record the votes in the first place. In this regard, DRE (Direct Recording Electronic) voting systems have over and over again proven to be shockingly easy to compromise. The manufacturers typically refuse to allow outside audits of their code, and their response to vulnerabilities found by election security researchers has all too often been to try to suppress disclosure of the vulnerabilities rather than fixing them.
In the event that a DRE system is compromised, all votes recorded by that system must be considered lost, because lacking any but the electronic record of the vote, there is no trustworthy way to reconstruct the votes as cast – there is no paper trail to go back to.
Election researchers have designed and proposed electronic voting systems that allow any voter to verify that their vote was recorded and counted exactly as they cast it, while still having deniability (which is to say, voters cannot be later forced to disclose which way they voted). However, no such systems have yet been put into use. When elections are performed using existing DRE voting machines, we are left in the position of simply trusting whatever the voting machine recorded; there is no way to check its counts against the actual ballots, because there is no physical ballot.
Ultimately, we have no way to verify that the votes counted are the same as the votes cast, whether the compromise occurs in the machines that record the votes, or in the government systems that count them. Without that guarantee, we have no way to verify that we can trust our own elections. That, in this day and age, is a very bad place to be.
We can never guarantee to prevent all attacks. But at the very least, we need to be able to know when an attack has happened.
- Phil Stracchino, Principal Architect
Attacks on the digital infrastructures of US state, local, tribal and territorial (SLTT) governments continue at a healthy clip, a chronic trend that does not bode well for election security as the nation moves into the crucial run-up to the 2020 presidential election. Although a lot of research has focused on the potential hacking of election equipment and related backend infrastructure, recent studies and exercises suggest that adversaries can disrupt the democratic process almost as well by simply targeting other local government and community systems.
In a report released today, cybersecurity firm Blue Voyant presents the results of a study that examined the local governments’ cybersecurity posture in 108 jurisdictions going back to 2017. They found a steep rise in ransomware attacks on SLTT governments from 2017 to 2019 and a jump in the amount of ransom demanded from $30,000 in 2017 to $380,000 in 2019, with some ransom amounts exceeding $1 million.
Lack of standardized online infrastructure hinders SLTT security
Although ransomware captures the lion’s share of attention when it comes to disabling local government operations, including elections, other attacks that can impair essential services include outright data breaches, typosquatting that leads to malware installation, and exploited weak VPN solutions. One big problem across the nearly 90,000 local governments in the US is the lack of standardization for online infrastructure and resources, Austin Berglas, global head of professional services at Blue Voyant tells CSO.
Berglas, who spent 22 years in the federal government, ultimately serving as the assistant special agent in charge of the FBI’s New York Office Cyber Branch, says that some state and local governments don’t even use .gov domains, where they would get the benefit of having US government oversight on those domains. The .gov domains also force the use of multi-factor authentication (MFA), HTTPs and other security features. It’s no surprise then that Blue Voyant has been able to track compromises of state and local government IT infrastructure back to bad actors, some of them nation-state actors.
Ransomware, other attacks can disrupt elections
When it comes to elections, the odds of threat actors changing votes are slim, but attackers can knock voter databases or other systems offline with ransomware or methods which could disrupt voting Berglas says. The potential for disruption in city services poses a threat to even mail-in voting. “If there were a state or municipality that took ballots and then imported them into a system and the next day that system was locked up with ransomware and they were unable to get at those results, that would disrupt the system. It wouldn’t necessarily change the vote tally but definitely put a damper on the system."
Lack of coordination among local governments and feds
Michael Hamilton, founder and CISO of CI Security and the former CISO of Seattle, worries about another form of standardization, namely the lack of real coordination among local governments and the federal government when it comes to system monitoring or detection of attacks. “I have no idea if they have analysts going through this stuff where it’s just kind of all automated…so that they can see how things are going across the country. There is no requirement for them to talk back to any of the jurisdictions where they’ve deployed the Albert sensor [a network monitoring system established by DHS’s CISA] and that’s a bit of a concern.”
Hamilton believes that local governments’ readiness to most effectively handle digital threats is contingent on “making information available every week [to the nation’s municipalities] so that everybody gets on the same page.” In terms of what last-minute efforts local governments can undertake to harden their infrastructure to bolster voting security given the likelihood of mass mail-in voting, Hamilton advises local CISOs to pay attention to computing systems that do signature-matching and bar-code reading. “I would focus on where there is actual ballot counting and handling being done…and when you’re talking about vote by mail, you’re talking about things like signature matching.”
Tabletop exercise provides insight into government security readiness
An annual tabletop exercise hosted by Cybereason called Operation Blackout: Protect the Vote conducted in August also provides some fresh insight into local government security readiness for the fall. The virtual edition of the exercise took place in the fictional city of Adversaria in the weeks leading up to a typical election day.
Like Blue Voyant’s analysis, the focus of Operation Blackout was not on election infrastructure itself; the exercise explicitly excluded targeting election equipment. The goal was to “examine and advance the organizational responsiveness of government entities to an anarchic group’s attempts to undermine democratic institutions and systems of governance in the republic.”
In this recent tabletop context, the local governments had to manage disinformation attacks. As a consequence, one of the key lessons learned from the exercise is that communications are the key battleground as cities gird for election season problems. To that end “[b]roadcast media is the bully pulpit. Make sure it's used effectively to help counteract the effects of misinformation through other channels,’ Cybereason said in its written Operation Blackout results.
Finally, another factor that could impact local governments’ ability to fend off attacks is the “defend forward” strategy of the US Cyber Command as spelled out this week by Cyber Command Chief Paul Nakasone and his Senior Advisor Michel Suhlmeyer in Foreign Policy magazine. Under this strategy, Cyber Command and the National Security Agency (NSA) joined forces during the 2018 elections to create what it called the Russia Small Group to share indicators of compromise with DHS to harden the security of election infrastructure. Nakasone and Suhlmeyer said they plan to do it again for the 2020 elections.
“The defend forward [part of Cyber Command’s election strategy] is ‘we know who is twisting our door knobs and we’re going to go smack ‘em,’” CI Security’s Hamilton says. “A lot of these are disinformation campaigns and I’ve heard a lot of them are run out of Africa and paid for by Russia.”
Still time for basic security hygiene to help
Even at this late stage, local governments can undertake some basic hygiene tasks to make their systems ready to withstand any challenges that the election throws at them. Reviewing the policies and procedures around the use of Remote Desktop Protocol (RDP) is job number one, Berglas says. “A lot of these smaller organizations are heavily reliant on outsourced IT and they need to use RDP to come into the network and do their work. The problem is they leave it open and the bad guys come in and compromise that.”
Secondly, “if there’s not two-factor authentication on significant account log-ins — from email to sensitive account log ins — that needs to be enforced as well. Third, if there is not a good enforceable password policy that is in place, that needs to be in place.” Blue Voyant’s report shows how easy it is to find compromised user names and passwords for state and local employees from the mounds of data breach reports out there.