Cyber security concerns around voting should be around the processes involved rather than just the electronic equipment used, according to Steve Grobman, senior vice-president and chief technology officer at security firm McAfee.
Underlining this issue, he discussed a recent discovery by McAfee of a “big gap” in the security of the way US local jurisdictions communicate with their constituencies.
Because US elections are decentralised, being run at a state and local level rather than at a federal level, with every state and locality choosing how to do things, there is very little uniformity.
“We have found two big issues with the way local jurisdiction communicate with their constituencies,” said Grobman.
Although these issues are US-specific, he told Computer Weekly that the issue is likely to be global given that the failings in the US are underpinned by a lack of cyber security skills, which is a challenge facing most countries around the world.
“Clearly local governments in democracies around the world are not going to be able to compete from a compensation perspective with the private sector, so having the best cyber security defenders running the systems that take care of elections is likely to be a common challenge.”
The first issue identified in the US, said Grobman, is the use of top-level domains (TLDs) that are not standardised and often not regulated for issuance by the government.
“We found, for example, that a lot of the jurisdictions are using .com, .net and .org for their official voting information sites,” he told a news conference at the 2018 MPower cyber security summit in Las Vegas.
This means that anyone could register sites with very similar appearing names that could trick people into clicking on and sharing information with lookalike sites.
McAfee research shows that the worst offending state is Minnesota, where 95.4% of election sites are using non-government domains, followed by Texas (95%) and Michigan (91.2%).
The second issue, said Grobman, is that some of the “most basic” cyber hygiene practices are not being followed by some local jurisdictions.
Not all election-related sites are using secure socket layer (SSL) or transport layer security (TSS), for example, to provide users a higher level of assurance that they are communicating with the site they think they are.
The worst offending state is West Virginia, where 92.6% of election-related sites do not enforce SSL/TLS, followed by Texas (91%) and Montana (90%).
“While these are the worst offending states, the stats show that this is a pervasive issue right across the country, which gives malicious actors a much easier time in injecting content into the sites,” said Grobman.
“What concerns me is that if the parts of the infrastructure that we are able to observe are lacking basic cyber hygiene practices, what sort of a job is being done for the things we are not able to look at as directly, such as voter registration?”
Grobman believes pressure needs to be applied to local jurisdictions to ensure more consistent paradigms for identifying legitimate communication sites for things as important as elections.
While things appear to be better at a state level, he said the details of setting up sites are delegated to a county level, where there is “no rigorous guidelines”.
From a policy perspective, Grobman said certain things need to be regulated at a higher level. “We need the Department of Homeland Security or at least the secretary of state at a state level providing more prescriptive guidance that election sites must have a .gov extension, must use SSL and a number of other things.”
Having identified these issues, McAfee has begun discussions with US authorities, but in the meantime, Grobman said member of the public should be sceptical about whether any information they receive about elections is legitimate.
“There is a lot wrong,” he said, which means there is currently a lot of opportunity for malicious actors to do things such as conduct phishing campaigns to gather personal information.
In summary, Grobman said there are definite cyber security risks to the election process through a variety of means.
Although it is “practically challenging” to do “massive manipulation” of the direct vote because there has been a lot of focus on the controls for the voting apparatus, he said it is “critical” that all voting has a physical paper trail.
“The reason is that even if I were able to inspect the voting machine and I was convinced that it was secure, there would be no way for the average citizen to do the same,” he said.
“The fact that only a small percentage of the population is in a position to assess whether the technology is safe for something as critical as voting, is counter to the principles of democracy. All citizens need to have trust in the election process, so paper is incredibly important.”
Out of all the ways to manipulate an election, Grobman said he is most concerned about “information warfare”, which was apparent in the 2016 US presidential election.
“I think there are things we can do to make it less severe, starting with the way the media and candidates treat leaked data,” he said.
In 2016, Grobman said information was being leaked – such as Hillary Clinton’s US presidential campaign chairman John Podesta’s emails – and it was being claimed that they were his actual emails.
“But one of the problems with data theft is that you can use stolen data to increase confidence that data is legitimate, but nothing stops the actor from then intertwining fabricated data, so the public needs to be educated to have an inherent distrust of anything that comes out of a data breach.
“Unless you can independently verify every element of data, my perspective is that it should not be disclosed until verification has happened,” he said.
In closing, Grobman said that while the world things about information warfare in terms of Twitterbots, fake Facebook accounts and fake news, he said there are many ways to manipulate perception of reality and many ways to manipulate individuals’ behaviour in the run up to elections.
“Such as phishing attacks that take advantage of weaknesses at the local level, for example, which do not need to be carried out by a sophisticated, state-sponsored agency with world-class cyber attack capabilities,” he said.
Democracies with more centralised election processes will be able to potentially have greater levels of consistency and control, Grobman told Computer Weekly. “But the implementation will often end up being localised, which is where vulnerabilities can creep in,” he added.
At a federal level in the US and at a country-level in other places, he said there are many public-private engagements around financial matters because those are already understood to be critical so they have had more stringent controls placed on them.
“Election security, however, is a much newer topic and is just now getting some of the attention that it needs,” said Grobman. – Computer Weekly