Defending against multifaceted election attacks

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Lavi Lazarovitz
 

Connecting state and local government leaders

By Lavi Lazarovitz

|

Voting system vulnerabilities have been the focus of election security discussions, but critical infrastructure attacks that prevent voters from getting to the polls could prove more effective.

Much has been made of the vulnerabilities inherent in voting infrastructure over the past few years. DEFCON hacking villages have repeatedly found flaws in voting machines, and researchers across the country have outlined the ways attackers could infiltrate voting systems and influence an election. While these headlines generate attention, they tend to overshadow the myriad of other ways attackers could impact elections without touching a single vote.

While many of the attacks in 2016 took the form disinformation campaigns, there are many other opportunities -- direct and indirect -- for attackers to have an impact. So while it is incredibly important to continue hardening the security of the physical voting machines, we must guard against other ways attackers could influence an election outcome without ever compromising a machine.

Disenfranchisement via critical infrastructure attacks

From a security perspective, vulnerabilities have been the main talking point when it comes to elections. But while changing a vote is one thing, preventing voters from getting to the polls altogether could prove more effective.  

Let’s take the 2020 U.S. presidential race for example. There are a number of key swing states that feature heavily red and blue areas, and suppressing turnout in only one or two of these areas to change the outcome of an election. Consider an attack on the public transportation system in Florida’s heavily Democratic Miami-Dade County, which could make it harder for likely blue voters to get to the polls. Could that be the difference between a blue Florida and a red? No recount could reverse that result. Alternatively, what if an attacker launched an attack on the electrical grid in a conservative suburban area, shutting down traffic lights and bringing businesses to a halt? 

Why would an adversary bother trying to manipulate vote totals when shutting down trains for a few hours could get the same result? It seems far-fetched, but in today’s interconnected world, the ripple effects of a successful critical infrastructure attack are real. Attackers motivated to influence an election could do more harm with targeted attacks on critical infrastructure than a thousand nation-state bots ever could.

Creating doubt and distrust through targeted ransomware attacks

When considering election security, it’s important to remember that while some nation-state groups have specific political goals, most are simply interested in causing chaos. In fact, many potential attackers’ efforts are not actually focused on impacting the vote, but simply creating the public perception that they have. The ultimate goal of many isn’t to further a political agenda, but to erode trust in key institutions and systems.

What if, rather than manipulating vote totals or taking action to impact turnout, an attacker launched a ransomware attack, shutting down key precincts or taking control of voter registration databases? Simply the perception of manipulation could be enough to erode public trust in the results and call the validity of an election into question.

Cities and municipalities have fallen victim time and time again to ransomware attacks. New Orleans and the state of Louisiana declared states of emergencies after two recent ransomware attacks shut down school district computers, among other issues. Riviera Beach, Fla., ended up paying nearly $600,000 to attackers after a ransomware attack crippled its computer systems. Without the proper security measures in place, an attack on election day could compromise trust in the election system and subsequently cause mass disruption.

To secure elections heading into 2020, we must be prepared for “false flag” operations of this nature. Some attacks may have actual tangible goals in mind, while others will be designed to create doubt and foster distrust in our systems.

Sequencing events

While the attack vectors outlined above have the capacity to both impact the actual vote and undercut public trust, even worse would be a sequence of such attacks. Targeting core infrastructure -- halting transportation, shutting down the electrical grid and launching an attack on voter registration databases -- could have a domino effect that negatively impacts the voting system’s ability to operate consistently with trust and reliability.

Taking a zero-trust approach

So this all feels quite unnerving. But while these attacks are entirely possible, it’s also entirely possible to stop attackers in their tracks. There are many components in the election supply chain, so securing all of them can feel like a daunting task.  However, while it’s important to make sure each individual component is secure, it’s critical to ensure that if any part of the chain is compromised, the attack can be contained and the impact minimized.  

The best strategy is to operate under the assumption that a breach will occur somewhere in that chain and adopt a zero-trust mindset.  With zero trust, IT managers trust nothing and verify everything -- whether it comes from inside or outside the organization -- before granting access.  Zero trust is all about never assuming that just because someone (or something) has gained access to one system that it should be able to access others.  This practice helps restrict lateral movement, prevent escalation and limits the damage hackers can do. 

Regardless of attackers' endgame, they typically need to expand their access to carry out any high-impact attack -- whether election focused or otherwise.  Attackers often start their mission at a seemingly minor point of ingress, but when they can move laterally through a network and expand their access, the real trouble starts. 

With all the focus on election security right now, state, local and federal agencies are working hard to fortify systems.  While nothing is ever 100% fail-safe, understanding the potential targets, employing the right level of security and continually monitoring for abnormalities is a good place to start.  By assuming that parts of the election chain are already compromised and securing against lateral movement, we are already in a good position to safeguard the sanctity of the vote.

NEXT STORY: TSA shines a light on insider threats

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.