The US midterm elections are fast approaching, and with all the controversy surrounding the claims of Russian interference during the 2016 elections, election officials, IT managers, and other relevant personnel are scrambling to keep their systems secure. However, given the very wide attack surface associated with government elections, it’s fair to say they’re going to have a fight on their hands.
Elections are made up of lots of different entities, with no single trusted authority. Voting infrastructure, including voting machines and voter registration databases, is typically out of date and often lacks even the most basic level of encryption. For example, government websites often fail to secure themselves with SSL certificates, according to a recent report by McAfee. The wide attack surface opens the door to a multitude of different attack vectors, such as spear-phishing attacks, DDoS, man-in-the-middle (MitM) attacks, SQL injection and anything else that could disrupt the election process. And it only takes one security incident to be made public (whether true or not) to derail the election process or spark a public outcry.
Currently, five US states are experimenting with electronic voting systems, yet, according to Jeff Williams – a consultant for a major US voting machine vendor – “nobody has any insight into what’s going on in the software they use”. If the voting records are altered in some way, either by an intruder or malicious insider, they may have no way of knowing. Of course, the above problems are the reason why so many elections still rely on paper balloting – despite how archaic and inefficient this method is. For the time being, using paper balloting is probably the safest bet. However, with the advent of Blockchain technologies – which provide unrivalled security through the use of a decentralized, immutable, transparent, cryptographically secured ledger – it won’t be long until many of the issues associated with electronic voting are resolved. In the meantime, what else can be done to protect elections from cyber-crime?
Firstly, there needs to be greater harmonization of security standards across all electoral systems. According to the above report, a large percentage of county websites are using top-level domains such as .com, .net and .us. However, they should be using a .gov domain, because websites using a .gov domain must be validated by the U.S. federal government to ensure that the website belongs to an official government organization. Secondly, county websites need to purchase an SSL certificate to ensure that all communications with their website are encrypted. Citizens should be encouraged to check the address bar to make sure that the website uses the “HTTPS” protocol. Alternatively, some browsers display a lock icon in the address bar.
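Both checks can be run over an inventory of county site URLs before anything touches the network. The sketch below is an added example, not code from the original article or the McAfee report; the function names, finding labels and sample URLs are constructed, and it inspects only the URL, not the certificate the server actually presents.

```python
from urllib.parse import urlsplit

# Constructed sample inventory (not real county sites).
SAMPLE_SITES = [
    "https://elections.example-county.gov/",
    "http://www.example-county.com",
    "https://example-county.gov.example.net/vote",
    "Example-County.GOV:8443",
    "https://examplecountygov.us",
]

def audit_site(url):
    """Return findings for one URL; an empty list means both checks pass."""
    findings = []
    # Inventories often list bare hostnames; parse them as a host with no scheme.
    parts = urlsplit(url if "://" in url else "//" + url)
    # .hostname lower-cases the name and drops any port; also drop a trailing root dot.
    host = (parts.hostname or "").rstrip(".")
    labels = host.split(".")
    if parts.scheme != "https":
        findings.append("no-https")
    # Only the right-most label is the top-level domain.
    if labels[-1] != "gov":
        findings.append("not-gov-tld")
        # "gov" elsewhere in the name looks official, but the name lacks
        # the federal validation a .gov registration gets.
        if any("gov" in label for label in labels[:-1]):
            findings.append("gov-lookalike")
    return findings

def audit_inventory(urls):
    """Map each failing URL to its findings; passing URLs are omitted."""
    report = {}
    for url in urls:
        findings = audit_site(url)
        if findings:
            report[url] = findings
    return report

if __name__ == "__main__":
    for url, findings in audit_inventory(SAMPLE_SITES).items():
        print(f"{url}: {', '.join(findings)}")
```

A site that passes here still needs a live check that it serves a valid certificate and redirects HTTP to HTTPS.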
Ahead of this month’s midterm elections, security firm Carbon Black reported that 20 different state voter databases containing more than 81.5 million voter records were for sale on the dark web. These records contained personally identifiable information including names, genders, voter IDs, addresses and much more.
Congress set aside a whopping $380 million in March to help states improve their election security measures. California, for example, planned to use the money to protect voter rolls, whereas Hawaii was focussed on cybersecurity training and system upgrades. It would seem that a combination of education and system/computer upgrades may be the best way to tackle the rise of election cyber-crime. Both officials and voters need to be aware of the risks and take measures to ensure their accounts are secure (using a stronger password and enabling two-factor authentication are good places to start). Be on the lookout for phishing emails as well, and never click on suspicious links or download documents from people you don’t know.
Every single citizen of the USA, regardless of which side of the political spectrum they fall on, has a part to play in helping to defend democracy and increase the security of citizen data.