US elections remain vulnerable to attack despite security improvements
Days away from the Iowa caucuses, and less than 11 months from the general election, voting and election security continues to be a challenge for the US political system. Threats to a secure election appear to loom as large today as they did in 2016, when Russian state-backed hackers and social media trolls threw US political campaign and election efforts into chaos, turmoil that has only become clear after the fact.
Certainly, voting security has made great strides since 2016. State and local governments took advantage of a funding boost under the Help America Vote Act to improve their infrastructure and better coordinate among themselves to harden election systems. Congress allocated an additional $425 million (€383 million) as part of a spending compromise that was passed and enacted in late-December, giving election officials even more latitude to make improvements.
A spokesperson for the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) said that the agency has seen marked improvements in security over the past few years. “In our work with all 50 states and more than 2,400 local jurisdictions, we’ve seen a maturation in the risk management practices across the sector,” the spokesperson says. “Whether implementing controls like multifactor authentication and intrusion detection systems or exercising incident identification, communications, and response, the progress for election security is real.”
Even more improvements to how the country responds to election threats could flow from a decision announced by the FBI to alter its policy regarding how it informs state officials about local election security breaches. In the past, the FBI informed state officials of cybersecurity attacks on local election infrastructure after informing local officials, allowing state officials to proceed with vote tallies and other efforts without full information. Now the bureau plans to keep state officials informed in a timelier manner, hoping to improve federal and state cooperation on election security matters.
No quick fix for election infrastructure issues
However, the evidence of problems across America’s election infrastructure uncovered since 2016 indicate that fixing America’s voting and election infrastructure problems is a long-term proposition, one that won’t be fixed in time for the election in November. The report by Special Counsel Robert Mueller found that two Florida county systems were penetrated by Russian hackers in the run-up to election day in 2016. Mueller further found that an election software vendor, purportedly one of the industry’s top vendors, VR Systems, was the victim of a successful phishing campaign by the hackers, who implanted malware on the vendor’s network.
In an affidavit filed in Atlanta federal court, security expert Logan Lamb found evidence suggesting an election server in Georgia had been hacked in December 2014. He further found that access logs to the server were deleted in March 2017, shortly after one of his colleagues alerted officials at Kennesaw State University, which manages the servers, that the server was still vulnerable.
Because of widespread vulnerabilities across tens of thousands of voting districts, many experts fear a repeat of the same problems the nation experienced in 2016. According to a recent AP report, tremors of potential trouble are already being felt across the US voting landscape, with state election officials in at least two dozen states reporting recent suspicious cyber activity.
Permanent record of votes necessary
Earlier, the US Committee on House Administration held hearings on 2020 election security during which experts and three of the nation’s top election vendors testified about what they think some of the most important voting and election security solutions are. Election security expert Matt Blaze, McDevitt Professor of Computer Science and Law at Georgetown University said that an urgent step in securing elections is getting rid of paperless voting machines that leave no permanent records of votes. These machines should be replaced with optical scan ballots that leave an artefact of voters’ choices, enabling “risk liming audits” after every election to detect whether software failure or attacks have occurred.
The election software vendor company CEOs testifying before that committee were all in agreement that more resources are needed to shore up elections. They also indicated they could embrace some form of federal standards or oversight to ensure voting integrity.
More funds needed for election security
Tom Burt, president and CEO of Election Systems & Software, said his company supports “the increase in attention and dedicated resources coming from Congress, state and local officials, the EAC [Election Assistance Commission], and DHS.” Applauding the $450 million spending increase granted to local authorities in December, Burt, like his fellow CEOs, said that’s not enough. “We believe the federal government needs to devote even more financial resources to jurisdictions that manage elections as part of the critical infrastructure in our country.”
Julie Mathis, president and CEO, Hart InterCivic, Inc., was the most explicit in endorsing federal government involvement in overseeing election security. “We encourage Congress and the EAC to continue exploring ways to apply federal oversight on all election technology, including areas of high vulnerability — such as voter registration, electronic pollbooks, and election night results reporting.” John Poulos, president and CEO, Dominion Voting Systems, asked the lawmakers to free up more funds to remove barriers to modernizing election infrastructure and evaluating cyber risks surrounding voting technology.
DHS’ CISA says it is doing its part to help voting vendors improve their security postures. The newly formed government agency is working with the major election equipment vendors to conduct assessments of their products through its partnership with Idaho National Labs, said a CISA spokesperson.
Russian election interference still a threat
Aside from threat to the actual voting infrastructure is the separate concern over whether Russia or any other foreign adversaries might repeat the kind of hacking campaigns that targeted the DNC and other Democratic party players during the 2016 election. “We’ve made election security our top priority at CISA for the simple reason that American elections should be decided by American voters — without foreign interference,” the CISA spokesperson tells CSO.
Yet, a recent New York Times report indicates that Russia has taken steps to hide its tracks when it comes to hacking American political actors such as the DNC and are “refreshing” their operations to be less sloppy this go-around. One of the Russian intelligence units responsible for the DNC hack, Fancy Bear, has moved some of its servers to the US to thwart the NSA and other American intelligence agencies, according to some federal officials.
Trolls within Russia’s Internet Research Agency, which mounted massive disinformation attacks across social media accounts in 2016 that were designed to sow division in the American electorate, are purportedly using more secure, encrypted communications methods such as ProtonMail, to plot their 2020 campaigns, the Times report states, citing a government official and a security expert. They are also paying Americans to spread their message on Facebook to make their actions harder to trace.
Yet another concern not directly related to voting infrastructure security is the rising threat of ransomware against American municipalities, which could be deployed to strategically cripple voting systems on election day. High-profile attacks in New Orleans, Baltimore and a cluster of cities in Texas were among only some of the nearly 200 ransomware attacks that hit US municipalities in 2019.
Wherever the threats may arise, all Americans should be prepared to participate in defending elections from threats in 2020, CISA says. “Every American has a role to play in ensuring the 2020 elections are secure and resilient,” an agency spokesperson tells CSO.
Cynthia Brumfield is a cybersecurity specialist with CSO Magazine US
IDG News Service