Election Security

A Senate Intelligence Committee report published on July 23 assesses that the Russian government likely targeted election systems in all 50 states between 2014 and 2017. In several cases, the Russians searched for vulnerabilities in the security of election systems and, though the report concluded that no votes were changed, they were able to access Illinois’s voter registration database and were in a position to change or delete voter data. While it is vital to secure election systems and ensure no vote is changed, Russia – or any other adversary – does not need to change a single vote to sow public doubt and distrust in the US election system.

Just a day after the Senate report was published, a grand jury in San Mateo County, California released a report detailing possible scenarios in which threat actors could target various aspects of the upcoming 2020 elections. Government and election officials’ social media, websites, and/or email accounts could be hijacked in order to disseminate disinformation, such as false voting information or election results, severely eroding confidence in the election results.

To protect accounts from unauthorized access, individuals are advised to enable multi-factor authentication (MFA), also known as two-factor authentication, for every account that offers it. The report recommends using a hardware security token as a second factor rather than SMS-based codes. While an effective security measure in many cases, SMS-based codes can be circumvented via Man-in-the-Middle (MitM) or SIM-swapping attacks. MitM attacks can be executed by convincing a target to enter their account credentials on a fraudulent website. The threat actors use these credentials to sign into the legitimate account website, which then sends the target their code via SMS text. The target then submits this code to the fraudulent site, giving the threat actor the code necessary to access their account.

SIM-swapping attacks are also effective in circumventing SMS-based MFA. In these attacks, the threat actor impersonates the target and contacts their mobile carrier, requesting that the target’s phone number be swapped to a device in the threat actor’s possession. This allows the threat actor to receive the SMS code directly on their own mobile device. For more information on the grand jury report and possible attack scenarios, review the Brian Krebs article.

The NJCCIC recommends election officials and individuals involved in the election process consider joining the Election Infrastructure-Information Sharing and Analysis Center (EI-ISAC) to facilitate information sharing, maintain awareness of current cyber threats and tactics, and employ best practices including, but not limited to: running updated anti-virus/anti-malware programs, enabling multi-factor authentication where available, and keeping hardware and software up-to-date. States are encouraged to consider conducting vulnerability scans of their election infrastructure and taking advantage of DHS National Cybersecurity Assessments and Technical Services (NCATS).