Can cybersecurity save the November elections?

Cyber pros weigh in on how to protect voter databases and the election process.

The Federal Bureau of Investigation’s disclosure earlier this month that foreign hackers had infiltrated voter registration systems in Illinois and Arizona came as no surprise to some cybersecurity experts.

“Given where cybercrime has gone, it’s not too surprising to think about how information risks might manifest themselves during the election season to cause some level of either potential disruption, change in voting, or even just political fodder to add the hype cycle,” says Malcolm Harkins, global chief information security officer at network security firm Cylance.

Growing concern that hackers sponsored by Russia or other countries may be attempting to disrupt the presidential election is certainly not far-fetched, given the recent data breach at the Democratic National Committee headquarters. In fact, hacking an election is shockingly easy, according to a report by the Institute for Critical Infrastructure Technology, a cybersecurity think tank.

In most cases, electronic voting systems “are nothing but bare-bone, decade old computer systems that lack even rudimentary endpoint security,” according to the report. Security vulnerabilities are discussed every four years, but little attention is given to the problem. “It’s time for a complete overhaul in the electoral process’ cyber, technical and physical security,” the report concludes.

Earlier this month the FBI reported its most recent findings to election officials across the country and urged them to take new steps to enhance the security of their computer systems.

Illinois Board of Elections officials report that information from almost 200,000 voters was hacked beginning June 23. The breach was discovered two weeks later. No files were erased or modified, nor were voting history information or digital signature images captured, officials said. Hackers did, however, have access to voters’ driver’s license numbers and the last four digits of Social Security numbers. In Arizona, the attack affected fewer voter files, and officials said last week that no data was removed in the attack.

While voter databases are separate from voting systems, cybersecurity pros say the voter database hack speaks to a larger vulnerability. “A hack of state election systems raises the stakes in this battle and is a dangerous sign that traditional defenses aren't cutting it,” says Paul Hooper, CEO of Gigamon. “These systems must be impenetrable to hackers so that we have complete trust come this fall.”

Election systems remain vulnerable, in part, because the system depends on federal, state, and local authorities, who each possess their own systems, software, hardware, and security protocols.

Finding the vulnerabilities

The FBI reported that hackers identified an SQL injection vulnerability and used SQLmap to target the Illinois voter registration website and gain access to data. Seven suspicious IP addresses were used by the hackers, and election boards were urged to check for similar activity in their logs.
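As an added example (not part of the original article or the FBI notice), the script below shows one way an election board could run the log check described above. It assumes Apache/nginx "combined" access logs; the watchlist addresses, the `/voter/lookup` path and the sample lines are constructed placeholders, since the seven reported IP addresses are not listed on this page.

```python
import re
from urllib.parse import unquote_plus

# Placeholder watchlist (assumption): RFC 5737 documentation addresses stand in
# for the advisory's IP list, which this page does not reproduce.
WATCHLIST = {"192.0.2.10", "198.51.100.23"}

# Apache/nginx "combined" log format: client IP, request URI, User-Agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Request content typical of automated SQL injection probing.
SQLI_RE = re.compile(
    r"union(\s|/\*.*?\*/)+(all\s+)?select|information_schema|"
    r"\b(sleep|benchmark|waitfor\s+delay)\b|'\s*(or|and)\s+'?\d+'?\s*=\s*'?\d+",
    re.IGNORECASE)

def classify(line):
    """Return (ip, reasons) for a suspicious log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    reasons = []
    if m["ip"] in WATCHLIST:
        reasons.append("watchlist-ip")
    if "sqlmap" in m["ua"].lower():
        reasons.append("sqlmap-user-agent")
    # Decode twice so double-URL-encoded payloads are also inspected.
    decoded = unquote_plus(unquote_plus(m["uri"]))
    if SQLI_RE.search(decoded):
        reasons.append("sqli-pattern")
    return (m["ip"], reasons) if reasons else None

def scan(lines):
    """Group findings by source IP: {ip: sorted list of reasons}."""
    hits = {}
    for line in lines:
        if (found := classify(line)):
            hits.setdefault(found[0], set()).update(found[1])
    return {ip: sorted(reasons) for ip, reasons in hits.items()}

# Constructed sample log lines (hypothetical paths, not from any real system).
SAMPLE = [
    '203.0.113.5 - - [12/Jul/2016:10:01:02 +0000] "GET /voter/lookup?id=1042 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [12/Jul/2016:10:01:05 +0000] "GET /voter/lookup?id=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 733 "-" "sqlmap/1.0-dev (http://sqlmap.org)"',
    '192.0.2.10 - - [12/Jul/2016:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Jul/2016:10:03:40 +0000] "GET /voter/lookup?id=1%2527%2520OR%25201%253D1 HTTP/1.1" 500 87 "-" "Mozilla/5.0"',
]
```

A User-Agent match only catches a tool left on its default settings, so the query-string patterns and the address watchlist are checked independently of it.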

“In these cases, they were attacked through old Web application vulnerabilities,” says Alex Heid, chief research officer at Security Scorecard. “Web apps that were written in the early to mid-2000s and are still online and often still have the vulnerabilities that were carried over from that era. States that have an online portal for any type of registration will want to make sure their web apps are up to current [security] standards.”

Ray Rothrock, CEO of RedSeal, suggests that those vulnerable assets should be taken offline. “Nobody says that the computer in Town Hall needs to be on an internet,” he says. Just as outdated IRS systems have already been compromised, “You can’t keep patching old systems for security, you actually have to architect something and think about it strategically,” Rothrock says.

The government has offered to help states protect their voter databases and election systems by dispatching, on request, federal cybersecurity experts who could scan for vulnerabilities in voting systems and provide other resources to help protect them.

“I don’t think that will necessarily help things,” Heid says. “If the government is doing an assessment on themselves – there’s always the risk of a small group of individuals in the program, even with legitimate intentions, to cause issues.”

The lesser of two evils: confidentiality or integrity/availability

Harkins believes that election security risks go far beyond the recent voter database attacks and end-point security solutions.

“The confidentiality of your vote is important, but it’s not going to change the election. Integrity and availability risk [however] could alter the outcome of an election,” Harkins says, and not by manipulating votes, but by influencing the ability to vote. For instance, in municipalities with voter databases and no paper backup, cyber thieves possibly could cryptolock files and hold voting rights for Bitcoin ransom, he says.

There are simpler ways to disrupt voting at the height of election day, Harkins adds. Cutting power to a school where electronic voting is taking place, and without paper backup, could halt voting for hours, and many voters would turn away.

There is also the threat of tampering with electronic voting machines themselves. Georgia, Delaware, Louisiana, South Carolina and New Jersey use electronic voting machines that leave no way to audit results after the fact, according to the ICIT report. Swing states, such as Pennsylvania and Virginia, do not rely on machines that generate a paper trail. According to Verified Voting, which advocates for transparency of voting machines, 47 of Pennsylvania’s 67 counties rely on digital voting machines without a verifiable paper auditing trail.

“You would have to harden those systems from intrusions or attacks that would affect the availability of the system, then you would have to look at the redundancy of those systems,” Harkins says.

The integrity of votes must also be examined. Does the name a voter chooses on the ballot match the paper print-out? Does it match the electronic version stored in the voting machine? Even the voting controversies in the Florida election recount of 2000 had rules, processes and oversight of paper voting, Harkins says. Remember the hanging chads? “What’s the logical equivalent of that” for digital voting?

Optics vs. reality

The optics of the voter database breaches may be worse than the hacks themselves, says Dimitri Sirota, CEO of BigID. “Today, a foreign agent can't completely alter elections because of how the vote count is fragmented across states and polls,” he says. However, “they can certainly subvert confidence in the election.” In fact, the discoveries may be a deliberate attempt to get discovered, he adds.

Illinois has perhaps the simplest solution for diverting future election hacking. The state’s voting machines aren’t connected to the internet, said Ken Menzel, general counsel for the elections board, in a television interview. “By keeping that system off the internet, you go a long way to protect it from internet hackers.”
