Complex voting system is being subjected to the ultimate stress test
ANALYSIS US presidential elections are always keenly contested, but the 2020 edition is shaping up to be the most contentious and acrimonious within living memory, with technological mischief brought to the fore.
The 2016 election that handed Donald Trump power remains clouded by allegations of hacking against the Democratic National Committee (DNC) and subsequent leaks of sensitive documents, as well as disinformation campaigns on Facebook and other social media sites.
Allegedly foreign-backed election interference campaigns have also been a feature in the run-up to next Tuesday’s vote, while issues such as voting machine security and vulnerability disclosure, election system cyber resilience, and more have bubbled away in the background.
Trust but verify
In the US, election systems are managed within a decentralized structure, with states administering the counting of mail-in ballots, deciding when to start early voting, how votes are tallied, what systems are used, where they are allowed to be stored, and much more.
Voting machine security, the primary focus of much reporting in the media, is an important but small subset of the overall election security picture.
In conversation with The Daily Swig, a number of security experts were primarily concerned about the disruption of the electoral process through technical or other means in order to delay results or otherwise undermine public confidence.
Tod Beardsley, director of research at Rapid7, the firm behind the Metasploit penetration testing tool, told The Daily Swig: “I think a voting machine-based attack is the least likely cybersecurity attack we should expect – there are plenty of exposures among the websites and databases that run critical election infrastructure. At this point, my advice for municipality IT operators is to check and double check your disaster recovery procedures.”
Catch up on the latest election security news
US elections are among the most operationally and logistically complex in the world, with technology integral to knitting the whole system together.
This means voter registration systems and databases, verification services, infrastructure that tabulates and distributes results, and web services used to publish polling information are all potential targets for attack.
Rob Bathurst, CTO of cybersecurity vendor Digitalware, a former US Air Force vulnerability assessment specialist, and an expert in embedded system security, said that vote tallying devices tend to be kept isolated from the internet.
Electronic support systems and – in particular – electronic poll books (the apps, and services used by precinct polling station workers to verify voting eligibility), present a “greater attack surface”, Bathurst told The Daily Swig.
Getting out the vote
Ron Bushar, senior vice president and government CTO at FireEye (Mandiant), told The Daily Swig that there had been a huge investment in improving the resilience of voting infrastructures since President George Bush Junior’s 2000 election win hinged on a controversial Florida recount.
These efforts have stepped up more recently with validation and testing of voting machines that Bushar characterised as already “fairly rigorous”.
Most voting authorities have redundancies and backups built into the system. Although the integrity of the vote is safeguarded, problems may arise if voting authorities are obliged to fall back onto manual systems, inevitably resulting in delays to the announcement of the final vote tally.
Tony Cole, CTO at Attivo Networks, struck a more optimistic note and said that many improvements to election systems have been made in the four years since the 2016 presidential election.
“Some of the improvements since then have been led in the USA by the US DHS CISA organization with one of the most important, a ‘Guide to Vulnerability Reporting for America’s Election Administrators’ (PDF). This is an important step since many election officials didn’t know where to go for help, or that they even needed help,” he explained.
The document outlines the process for setting up election security research into vulnerable systems and how to report the issues found.
“This has led to the start of vulnerability disclosure programs in US states including Ohio and Iowa and hopefully more in the near future,” he added.
Security research into election system vulnerabilities, as charted by a recent paper (PDF) from Georgetown University’s Matt Blaze, has also progressed even though it remains a work in progress.
READ Spoiling the ballot: cyber fears cloud US midterm elections
Voting machine vendors that were previously uncooperative towards security researchers are coming around in both building better engagement – not least through participation at events at such as Black Hat and DEFCON – and in developing vulnerability disclosure programs.
Two leading voting machine vendors, ES&S (PDF) and Dominion, have each announced vulnerability disclosure policies and processes.
And, on the law enforcement front, the US government recently offered rewards of up to $10 million for information related to foreign agents looking to disrupt elections, as previously reported.
Propaganda, disinformation, and mass media manipulation are the most prominent threats to the election security ecosystem as a whole, according to Greg Foss, senior cybersecurity strategist at VMware Carbon Black.
“These types of attacks have been tried and tested by nation state adversaries across the world, affecting the outcomes of numerous elections, and have never stopped following the last election in the United States,” he told The Daily Swig.
“It’s much easier to manipulate the minds of the population at large than it is to directly hack election infrastructure, even considering the vastly outdated systems and processes that are in use,” he added.
None of this is lost on the US’s foreign adversaries who have been blamed for an ongoing string of multiple campaigns, as summarised by threat intel agency Digital Shadows.
For example, Microsoft recently disclosed attempts by Russia, China, and Iran to breach email accounts associated with the Biden and Trump campaigns using phishing and similar tactics.
More insidiously, Iran was recently accused of sending spoofed emails purporting to be from alt-right group the Proud Boys that attempted to intimidate recipients into voting for Trump. US national security officials have publicly said that both Iran and Russia have both obtained US voter registration details, probably from publicly available sources.
As election day approaches, tactics to influence the poll may shift from disinformation campaigns broadly designed to favor one candidate or another, to campaigns designed to sow disruption and chaos.
Given the changes made to the election process in response to the coronavirus pandemic, in particular greater reliance of mail-in ballots that will only be counted in many cases after the polls close, the whole process will take longer.
This means that denial-of-service (DoS) and – worse – ransomware attacks have even greater window of opportunity to cause disruption. These concerns are heightened as nation-state attackers have already carried out reconnaissance attacks on infrastructure that supports elections.
More Americans are voting via mail-in and absentee ballots than ever before. As a result, the election results may remain unknown for days or even weeks following election night, even if everything runs relatively smoothly.
Rapid7’s Beardsley, author of a comprehensive and recently updated introductory brief on US election security, warned: “As for election night, I cannot imagine a reasonable calling of the election on November 3. There are going to be normal technical snafus that will raise suspicions of a cyber-attack, such as a website going down just because it wasn't provisioned for sudden popularity.”
“On top of this heightened sensitivity to cyber-attacks, there are millions of new mail-in voters and their millions of mail-in ballots that need to be counted. So, even without getting into the political or legal issues of which ballots count and when, the physical act of validating and counting the mail-in vote is going to take much, much longer this year than any other year,” he added.
The FBI and US Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) last month jointly warned that threat actors could exploit incomplete results on the evening of the election by spreading false information “in an attempt to discredit the electoral process and undermine confidence in US democratic institutions”.
“Foreign actors and cybercriminals could exploit the time required to certify and announce elections’ results by disseminating disinformation that includes reports of voter suppression, cyber-attacks targeting election infrastructure, voter or ballot fraud, and other problems intended to convince the public of the elections’ illegitimacy,” the FBI and CISA warn.
This might be accompanied by attacks targeting election infrastructure that slow down the count or the release of results.
A blog post by Mandiant about “late game and lingering election threats” offers a different perspective on the same set of potential problems.
“The circumstances of this election will provide a unique opportunity for interference,” Mandiant concludes.
“However, information operations no longer enjoy the obscurity they once did, and a clear recognition of their mechanics and their limitations may well inoculate us to their effects.”