Election hacking has remained in the headlines after a federal grand jury indicted 12 Russian intelligence officers on charges of hacking Democrats’ emails and computer networks using spear-phishing attacks and keyloggers in July. And in late August, Microsoft detected spear-phishing attempts by a hacking group connected to Russia’s GRU, this time targeting conservative American think tanks.
Spear phishing isn’t the only threat: in Knox County, Tennessee, an election commission website displaying results of the county mayoral primary was knocked offline during Tuesday night voting this past May due to a distributed denial of service (DDoS) attack, in which an online service is overwhelmed with traffic from multiple sources and becomes unavailable. Although it did not affect vote counts, the attack is something that could’ve been prevented.
These stories are not just for political reporters. There are also monetary and business angles involved in stories covering election hackings. Here are a few things you should know:
Local Businesses May Be Vulnerable
Local businesses may be indirectly attacked if they choose to do business with governments of interest to nation-state attackers, opportunistic hackers, or even organized crime.
NSA documents leaked by former intelligence specialist Reality Winner show that Russia’s military intelligence service attacked a voter registration services provider to target election officials. Local election networks are not that different in size and scope from local business networks in that they lack resilience against nation-state attackers. It’s possible that businesses involved with voting are the canary in the coal mine for broader attacks targeting local businesses.
Progress Has Been Made on Some Fronts
Many jurisdictions have put in work to secure elections, with a focus on two-factor authentication in some districts, as well as input validation to protect against SQL injections.
Some have entered into contracts with information security companies offering consulting and pen testing. Because the U.S. has more than 10,000 election jurisdictions, there’s a huge variety in the solutions used across the country.
L.A. County is even open-sourcing its election tally system. Travis County, Texas, plans to replace are switching to a voting system with a paper trail. The state of Colorado has carried out a risk-limiting audit. The Center for American Progress, a public policy research and advocacy organization, has published an election security report grading all 50 states in categories such as voter registration system security, voting machine certification requirements, and more.
Jurisdictions concerned about DDoS attacks, like the ones in Knox County, Tennessee, have some free solutions at their fingertips. Google’s Project Shield provides free, unlimited protection to election monitoring sites, political parties, political committees, Section 527 organizations, and federal, state, and local candidates. Cloudflare’s Athenian Project offers support to U.S. state, county, or municipal government sites related to voter data (including voter registration or verification), the administration of elections (including providing information on voting and polling locations), and the reporting of election results.
In addition to businesses offering DDoS defense, cybersecurity company Synack is offering free penetration testing to state-level election official to help secure voter registration databases.
Financial Challenges
There are many solutions on the market for preventing hacking and increasing cybersecurity, ranging from two-factor authentication tools including hardware devices (such as Yubikey) and software tools (such as Duo), as well as single-use USB sticks, which prevent equipment hacking conducted via malware on USB drives. Unfortunately, many of these solutions are too expensive for small jurisdictions, and elections are not a big market. However, inexpensive tools marketed to cash-strapped entities including small businesses could, of course, be used by governments and election officials.
