Election Hacking Threatens US Mid-Terms

In March, officials from 38 states packed into a conference hall in Cambridge, Massachusetts, for a two-day election simulation exercise that was run like a war game. More than 120 state and local election officials, communications directors, IT managers, and secretaries of state ran drills simulating security catastrophes that could happen on the worst Election Day imaginable.

The tabletop exercise began each simulation months before the Nov. 6 midterm elections, accelerating the timeline until states were countering attacks in real time as voters went to the polls. 

Organised by the Defending Digital Democracy (D3P) project at Harvard, a bipartisan effort to protect democratic processes from cyber and information attacks. 

The drills forced participants to respond to one nightmare scenario after another, voting machine and voter database hacks, distributed denial of service (DDoS) attacks taking down websites, leaked misinformation about candidates, fake polling information disseminated to suppress votes, and social media campaigns coordinated by nation-state attackers to sow distrust. As we've seen in recent elections around the world, multiple attacks often occur simultaneously.

"Think about a denial of service attack and the normal phishing and malware-type tactics [hackers] would use during an election," said Eric Rosenbach, D3P director and chief of staff to US Secretary of Defense Ashton Carter from 2015 to 2017.

"The part I would be most concerned about with a DDoS is an attack against a web page announcing results combined with a high-end information operation. Look at what happened in Ukraine in 2014

“The Russians DDoSed the web page Ukraine was using to announce election results, then steered everyone back to state-run Russia Today and put up bogus results. Ukrainians were left confused about who had actually been elected president."

Understanding modern election security means coming to grips with a daunting reality: especially in the United States, the infrastructure is too fragmented, outdated, and vulnerable to be completely secured.

There are also far too many different types of attacks across the threat landscape to ever stop them all. 

On both sides of the political aisle, at every level of government, and throughout the tech industry, the United States is grappling with fundamental cybersecurity threats to our elections. We're also planning for how to react when things go wrong, both during this crucial midterm election and in the 2020 general election.

Protecting the 'Attack Surface'
In cybersecurity, all the exposed systems and devices that could be attacked are called the "attack surface." The attack surface of a US election is enormous and can be divided into three key levels.
The first is voting infrastructure; think voting machines, voter registration databases, and all the state and local government websites that tell people where and how to vote.

Then there's the campaign security level. As 2016 showed, campaigns are easy targets for hackers. Stolen campaign data can then be used as a potent weapon for the third, more nebulous attack level: the nefarious world of weaponised misinformation and social influence campaigns. 

On this front, the troll armies of nation-state actors continue to operate across the web and invade social media platforms, which have become polarising battlegrounds of voter perception.

Trying to solve the myriad systemic issues plaguing each of these levels often leads to more questions than answers. 
Instead, many of the strategies to mitigate election security risks come down to common sense: paper balloting and vote auditing; giving state and local governments more resources; and providing tools and security training for campaigns and election officials.

A couple more complicated and divisive questions, for election administrators and campaign workers as well as voters: How do you approach the electoral process in the social media era replete with online misinformation? And when you harbor doubts about all the digital information that comes across your screen, what should you believe?

UK PCMag

You Might Also Read:

California Bans 'Secret' Election Bots:

An Election Interference Alert System:

 

« Realistic Fake Videos Threaten Democracy
The Pentagon Prepares A Cyber-Attack On Russia »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

HackLabs

HackLabs

HackLabs is a penetration testing company providing services for network security, web application security and social engineering testing.

ITC Secure Networking

ITC Secure Networking

ITC are a leading cloud-based MSSP delivering service innovation in cyber security analytics & cloud technology.

Blockchain Slovakia

Blockchain Slovakia

Blockchain Slovakia is a non-profit organization that brings together researchers, developers, entrepreneurs, regulators, investors and the public to support blockchain technology in Slovakia.

Cyber Resilient Energy Delivery Consortium (CREDC)

Cyber Resilient Energy Delivery Consortium (CREDC)

CREDC performs multidisciplinary R&D in support of the Energy Sector Control Systems Working Group’s Roadmap of resilient Energy Delivery Systems (EDS).

CyberSeek

CyberSeek

CyberSeek provides detailed, actionable data about supply and demand in the cybersecurity job market.

CyberStream

CyberStream

CyberStream, a division of the TechStream Group, is an information & cybersecurity talent acquisition solution provider.

OriginalMy

OriginalMy

OriginalMy is a cybersecurity startup, focussed on digital governance and information authentication. Its mission is to prove authenticity using state-of-the-art cryptography and blockchain technology

1Kosmos

1Kosmos

1Kosmos provide Digital Identity and Passwordless Authentication for workforce and customers. Powered by advanced biometrics and blockchain technology.

YorCyberSec

YorCyberSec

YorCyberSec act as a trusted Cyber and Information Security broker and procurement specialist. We help companies to Reduce Risk, Increase Assurance and Improve Performance.

StateRAMP

StateRAMP

StateRAMP reduces risk from unsecure cloud solutions and protects data by providing State and local governments a standardized approach for verifying and monitoring security postures.

SafePaas

SafePaas

SafePaas is a leading Enterprise Risk Management Platform. One source of truth for all your Audit, Risk, and Compliance requirements. Complete governance across your systems.

OSC Edge

OSC Edge

OSC was founded with the vision of providing expert solutions in IT to government and businesses. OSC Edge empowers organizations with solutions that prepare them for today and tomorrow.

TAFEcyber

TAFEcyber

TAFEcyber is an Australian based consortium focusing on the skilling of the fast-growing cyber security workforce through education and training.

SecureClaw

SecureClaw

SecureClaw offers specialized cybersecurity consultation, various products, and a range of services to meet your company's business domain needs.

RAD Security

RAD Security

RAD Security (formerly KSOC) is a cloud native security company that empowers engineering and security teams to drive innovation so they can focus on growth versus security problems.

SpectrumWise

SpectrumWise

SpectrumWise is a business technology specialist that provides Managed Services and Managed Security for small and medium IT Networks.