“Russian hackers accessed voter databases in two Florida counties prior to the 2016 presidential elections.” 1
“It only took a few minutes to hack the voting machines at the DEFCON cybersecurity conference in 2017.” 2
There’s enough evidence to indicate that both nation-state and other cyber threat actors continue to target our election infrastructure. Securing voting systems from cyber intrusions is a huge challenge for election officials during the 2020 U.S. elections.
The integrity of the elections relies heavily on the software and computer systems that run the election systems. Many risks arise from external and internal attacks that could compromise our elections. These include outdated and under-tested voting machines, attacks on voter registration databases, vulnerabilities in the third-party vendors’ software that runs the election systems, inadequate monitoring of ongoing attacks, and the election infrastructure as a whole. If left unaddressed, these vulnerabilities threaten to undermine the stability of our democratic system.
Here we evaluate the vulnerabilities of the voter registration databases and the election-related websites that are often targeted by threat actors. Government and state election officials must undertake all measures to secure the voter registration systems and infrastructure to maintain the availability, confidentiality and integrity of the upcoming elections.
Secure Voter Registration Databases
Voter registration systems are the foundation of voting. The databases store voter registration information, including names, addresses, ID numbers, and other information. In addition to holding millions of records of individual voters, these databases constantly receive or update data from many sources. These sources may include:
- The Department of Motor Vehicles, where many voter registrations are now initiated due to the Voter Registration Act of 1993 (aka motor-voter). Also, the DMV database is often used to verify voter registration information, such as name, address, date of birth, state ID number, etc.
- State online voter registration websites
- Local and state election officials’ computers
- Other state agencies involved in voter registration
A look at the general voter registration system architecture gives an idea of how the database links to the internal and external networks.
General Voter Registration System Architecture
Most of the voter registration systems were built years ago, which makes these legacy systems extremely vulnerable to new and evolving cyberattacks. At stake are voters’ personally identifiable information (PII) and the increased possibility of threat actors accessing other systems connected to the voter registration systems. This is not at all a hypothetical situation. According to a Bloomberg report, Russia’s cyberattack on the U.S. electoral system in 2016 included incursions into voter databases and software systems. In all, the Russian hackers hit systems in a total of 39 states.
If hackers gain access to the voter registration database, they can use it to impersonate voters or for other malicious purposes.
Developing a thorough understanding of how data flows, and of how it affects the integrity of the voting systems and the confidentiality of the voter database, can help identify vulnerabilities and risks that could lead to a potential breach.
Secure Vulnerable Websites
“A ProPublica investigation found that at least 50 election-related websites in counties and towns voting on Super Tuesday — accounting for nearly 2 million voters — were particularly vulnerable to cyberattack. The sites, where people can find out how to register to vote, where to cast ballots and who won the election, had security issues such as outdated software, poor encryption and systems encumbered with unneeded computer programs.” 3
Bryan Becker, Product Manager at WhiteHat Security, says, “Availability of information is a critical component of security; securing election-related websites is essential. Even just a frontend website or a mobile application could be a target for cyber criminals. Such intrusions can result in manipulation or loss of data or just prevention of voter registrations in general. While implementing security programs and best practices, officials must ensure that state and local governments are fully testing all services related to the voter registration systems.”
U.S. election officials with guidance from the Election Assistance Commission (EAC) and Department of Homeland Security (DHS) are taking steps to improve election security through better funds allocation, upgrading elections systems, and cybersecurity awareness training; however, a lot more must be done to ensure secure elections.
Some Government & State Efforts that Address Security of Election Systems
Government and states are taking actions as they test and certify the voting systems, but do these actions address the issues or possible failures in the security of the voting systems?
- Action: DHS has conducted remote-scanning and on-site assessments of state and county election systems. 4
  Problem: Does not address core vulnerabilities in voting machines, or the systems used to program them.
- Action: Some election officials are reporting the implementation of Albert sensors as an intrusion detection system. 5
  Problem: It is still a reactive approach which does not block intrusions in the first place.
Such measures and the implementation of alert systems are good to have but not enough. It’s essential to proactively address cybersecurity at the core. This is where application security can help, since it takes the perspective of an adversary: finding security-related flaws and weaknesses in applications and suggesting remediation before a cyberattack takes place.
WhiteHat Strengthens 2020 Election Security
Cyber threats have increased in volume and intensity, presenting a serious problem to the integrity of the elections. To make the process as secure as possible, cybersecurity companies can offer their technology and guidance to safeguard the electoral systems.
WhiteHat Security is working with federal, state and local agencies to help them develop secure applications and enable application security standards to protect their web applications, election systems, and other business systems against an ever-evolving threat landscape.
To mitigate the risk of application security vulnerabilities resulting in a successful attack, for a limited time WhiteHat is offering the following to government agencies at no charge (contact [email protected] for more info):
- WhiteHat Sentinel Dynamic, the company’s industry-proven dynamic application security testing (DAST) solution. The cloud-based SaaS platform accurately and rapidly finds vulnerabilities in websites and applications throughout the software development life cycle (SDLC), including in production.
- Sentinel Source Essentials Edition, WhiteHat’s entry-level SAST product, which delivers a fast, automated service that scans application source code, identifies vulnerabilities and provides detailed vulnerability descriptions and remediation advice. The discovered vulnerabilities are prioritized according to severity, thus providing guidance on what should be remediated first.
Download the 2020 Election Security toolkit to learn how WhiteHat Security is working with federal, state and local agencies to help them develop secure applications and enable application security standards to protect their web applications, election systems, and other business systems against an ever-evolving threat landscape.
Join us for a series of webinars with Robert Antia, consultant and President/Board of Directors for the Massachusetts Chapter of InfraGard, to hear his insights on the current state of our election systems and the need to secure the underlying applications that run our elections. Bob will also share some best practices on using election systems assessment tools, when to reach out to your DHS partner and how to implement strong coding practices when developing your own applications or working with a vendor. Register for the webinar here; the recordings will be available to all registrants.