Security in the spotlight as the US heads into elections

A new report and tabletop exercise show how the upcoming US elections could be disrupted at the local government level without hacking the election itself.

Official vote-by-mail ballot.
Bill Oxford / Getty Images

Attacks on the digital infrastructures of US state, local, tribal and territorial (SLTT) governments continue at a healthy clip, a chronic trend that does not bode well for election security as the nation moves into the crucial run-up to the 2020 presidential election. Although a lot of research has focused on the potential hacking of election equipment and related backend infrastructure, recent studies and exercises suggest that adversaries can disrupt the democratic process almost as well by simply targeting other local government and community systems.

In a report released today, cybersecurity firm Blue Voyant presents the results of a study that examined the cybersecurity posture of local governments in 108 jurisdictions going back to 2017. They found a steep rise in ransomware attacks on SLTT governments from 2017 to 2019 and a jump in the amount of ransom demanded from $30,000 in 2017 to $380,000 in 2019, with some ransom amounts exceeding $1 million.

Lack of standardized online infrastructure hinders SLTT security

Although ransomware captures the lion’s share of attention when it comes to disabling local government operations, including elections, other attacks that can impair essential services include outright data breaches, typosquatting that leads to malware installation, and exploitation of weak VPN solutions. One big problem across the nearly 90,000 local governments in the US is the lack of standardization for online infrastructure and resources, Austin Berglas, global head of professional services at Blue Voyant, tells CSO.

Berglas, who spent 22 years in the federal government, ultimately serving as the assistant special agent in charge of the FBI’s New York Office Cyber Branch, says that some state and local governments don’t even use .gov domains, where they would get the benefit of US government oversight of those domains. The .gov domains also force the use of multi-factor authentication (MFA), HTTPS and other security features. It’s no surprise, then, that Blue Voyant has been able to track compromises of state and local government IT infrastructure back to bad actors, some of them nation-state actors.

Ransomware, other attacks can disrupt elections

When it comes to elections, the odds of threat actors changing votes are slim, but attackers can knock voter databases or other systems offline with ransomware or other methods that could disrupt voting, Berglas says. The potential for disruption in city services poses a threat even to mail-in voting. “If there were a state or municipality that took ballots and then imported them into a system and the next day that system was locked up with ransomware and they were unable to get at those results, that would disrupt the system. It wouldn’t necessarily change the vote tally but definitely put a damper on the system.”

Lack of coordination among local governments and feds

Michael Hamilton, founder and CISO of CI Security and the former CISO of Seattle, worries about another missing form of standardization: the lack of real coordination between local governments and the federal government when it comes to system monitoring or detection of attacks. “I have no idea if they have analysts going through this stuff where it’s just kind of all automated…so that they can see how things are going across the country. There is no requirement for them to talk back to any of the jurisdictions where they’ve deployed the Albert sensor [a network monitoring system established by DHS’s CISA] and that’s a bit of a concern.”

Hamilton believes that local governments’ readiness to most effectively handle digital threats is contingent on “making information available every week [to the nation’s municipalities] so that everybody gets on the same page.” In terms of what last-minute efforts local governments can undertake to harden their infrastructure to bolster voting security given the likelihood of mass mail-in voting, Hamilton advises local CISOs to pay attention to computing systems that do signature-matching and bar-code reading. “I would focus on where there is actual ballot counting and handling being done…and when you’re talking about vote by mail, you’re talking about things like signature matching.”

Tabletop exercise provides insight into government security readiness

An annual tabletop exercise hosted by Cybereason, called Operation Blackout: Protect the Vote and conducted in August, also provides some fresh insight into local government security readiness for the fall. The virtual edition of the exercise took place in the fictional city of Adversaria in the weeks leading up to a typical election day.

Like Blue Voyant’s analysis, the focus of Operation Blackout was not on election infrastructure itself; the exercise explicitly excluded targeting election equipment. The goal was to “examine and advance the organizational responsiveness of government entities to an anarchic group’s attempts to undermine democratic institutions and systems of governance in the republic.”

In this recent tabletop context, the local governments had to manage disinformation attacks. As a consequence, one of the key lessons learned from the exercise is that communications are the key battleground as cities gird for election season problems. To that end, “[b]roadcast media is the bully pulpit. Make sure it's used effectively to help counteract the effects of misinformation through other channels,” Cybereason said in its written Operation Blackout results.

Finally, another factor that could affect local governments’ ability to fend off attacks is the “defend forward” strategy of US Cyber Command, as spelled out this week by Cyber Command Chief Paul Nakasone and his Senior Advisor Michael Sulmeyer in Foreign Policy magazine. Under this strategy, Cyber Command and the National Security Agency (NSA) joined forces during the 2018 elections to create what they called the Russia Small Group to share indicators of compromise with DHS to harden the security of election infrastructure. Nakasone and Sulmeyer said they plan to do it again for the 2020 elections.

“The defend forward [part of Cyber Command’s election strategy] is ‘we know who is twisting our door knobs and we’re going to go smack ‘em,’” CI Security’s Hamilton says. “A lot of these are disinformation campaigns and I’ve heard a lot of them are run out of Africa and paid for by Russia.”

Still time for basic security hygiene to help

Even at this late stage, local governments can undertake some basic hygiene tasks to make their systems ready to withstand any challenges that the election throws at them. Reviewing the policies and procedures around the use of Remote Desktop Protocol (RDP) is job number one, Berglas says. “A lot of these smaller organizations are heavily reliant on outsourced IT and they need to use RDP to come into the network and do their work. The problem is they leave it open and the bad guys come in and compromise that.”

Secondly, “if there’s not two-factor authentication on significant account log-ins — from email to sensitive account log-ins — that needs to be enforced as well. Third, if there is not a good enforceable password policy that is in place, that needs to be in place.” Blue Voyant’s report shows how easy it is to find compromised user names and passwords for state and local employees in the mounds of data breach reports out there.

Copyright © 2020 IDG Communications, Inc.