This article originally appeared in Infosecurity Magazine on October 26, 2018.
As the 2018 midterm elections near, many remain concerned about the security of election infrastructure at the national level, though Steve Grobman, CTO at McAfee, said the realistic security risk lies in an attacker tampering with information and targeting individual counties and states.
“A realistic attack wouldn’t require mass voting manipulation or the hacking of physical machines. Rather it could use misinformation campaigns focused on vulnerable gaps at the county and state levels,” Grobman wrote in an October 24 blog post.
Because attackers look for the easiest point of entry that will yield the most effective results, hackers are more likely to have success by targeting specific states or congressional districts by spoofing the domains, according to Grobman. McAfee found 20 key swing states that have non-government domains, each of which could easily be spoofed to spread misinformation.
“Government websites in general are popular targets of malicious campaigns because they make bad actors’ jobs easy,” said Mike Bittner, digital security and operations manager of The Media Trust. “They are too often poorly secured, third parties/contractors that support them, who often have even poorer security measures, and the people and organizations that use them enter a lot of sensitive information.
“The root cause of these sites’ insecurity is increasingly strapped budgets that prevent government organizations from replacing legacy systems and machines with new ones or making needed updates. Given the extensive use of these sites and the sensitive information they receive, county governments should thoroughly vet their third parties, audit third parties’ security measures, continuously scan their sites in real time and work closely with their third parties on identifying and foiling any unauthorized activities.”
States must also protect voter registration systems, poll books, vote tabulation, publishing systems and more, said RiskSense CEO Srinivas Mukkamala. Assessing devices, applications, databases and networks for vulnerabilities, missing patches and misconfigurations is often beyond their capabilities, which is why Mukkamala proposed that AI-assisted penetration testing – a service that is already in use in some states – as a solution to the election security problem.
“While internet-connected systems used for online voter registration and election-night reporting have a significant attack surface, an end-to-end assessment of election systems is needed to understand which vulnerabilities truly matter,” said Mukkamala.
Amitai Ratzon, CEO of Pcysys, agreed but added, “Automated penetration testing is the simplest measure to help prevent election hacking. It can be implemented across networks seamlessly and with ease, is agent-less and operates 24/7.”