We wanted to hear what more top cyber leaders thought about election security heading into this season. We’ve compiled some of their expert insights on the dangers to election security this go around and how organizations should be thinking about security and preparing for the worst-case scenario.
Tim Bandos, Vice President of Cybersecurity, Digital Guardian
“It’s been established that the integrity of our electoral system is incredibly vulnerable. We witnessed this firsthand in 2016 after the DHS notified officials in 21 states that their machines were targeted by attackers in the run up to the presidential election. This isn’t a new problem. It actually dates back more than 10 years; ever since the inception of electronic voting equipment, researchers have proven nearly every make and model can be hacked. The problem is that if steps aren’t taken soon to secure our election process, it’s not just our electoral systems that will remain at risk, it’s our democracy itself.
Much of the discussion around voting security has been driven by politics and vitriol. At its crux, the fact that voting machines are susceptible to hacking is a business issue. Data – in this case, digital votes – needs to be confidentially stored, received, and secured. The issue, from a technological standpoint, is not unlike any other that involves critical data. From the votes themselves to the electronic pollbooks that are used to maintain voter rolls, election officials need to be able to see, understand, and protect the data.
Prioritizing that any data involved in voting systems is secure should be paramount for anyone involved in election security. If they’re not already, organizations that process or oversee voter data should consider software, hardware, and cloud-based products and services that can protect data (like votes) at rest and in motion.
Technology companies owe it to the public to better secure the voting process. Doing so could play a vital role in winning back the public’s trust in our democratic voting process. Following through on this can help combat electoral fraud and ensure the integrity of the American voting system.”
Jason Bevis, VP Awake Labs, Awake Security
"There are key campaign functions that must be protected during any election cycle. Historically, the campaign in many cases may not have allocated money towards security until near the end because funding is first and foremost to get the candidate elected. Candidates today no longer have that luxury.
Campaigns in 2020 are different from previous years in that they are taking place mostly online. This means the Host Committee and Committee of Arrangements are no longer responsible for the larger part of information security. Thus, the campaigns are now the ones taking on a large part of the messaging, organizing and structuring of the platform, and the risk of potential disruption or manipulation of those functions. With conventions and debates happening remotely, it is vital campaigns consider how email and other proprietary apps can become the primary attack surface now that there is no venue."
David Higgins, Global Technical Director, CyberArk
"While many of the discussions around election security have focused on mitigating disinformation campaigns and voter fraud, there are other areas that also need to be considered.
Whether it’s a nation state or groups simply looking to cause chaos, attacks on public infrastructure – like stalling public transportation or shutting down the electric grid -- could be an indirect way to stop voters from getting to the polls in the first place. Of course, more direct attacks on voter registration databases or the voting systems themselves are a huge concern as they can cause damage that would have far reaching impacts including voter trust in the system. Confidentiality and the integrity of votes are all targets.
Attacks on the election infrastructure are highly possible – the key will be to ensure those attacks are quickly identified and contained to minimize harm."
Jamil Jaffer, SVP for Strategy, Partnerships & Corporate Development at IronNet Cybersecurity
"The upcoming elections obviously present a significant cybersecurity challenge given the potential for nation-states and other actors to seek to cause chaos and undermine confidence. While many have focused on the threat to voting machines and manipulation of actual votes, the more immediate threat may be from actors seeking to take advantage of existing public narratives around credibility of our overall election system, including through the use of cyber-enabled disinformation and misinformation campaigns around mail-in ballots and the spread of COVID through early voting and election day polling locations. In addition, to the extent that nation-states or other sophisticated actors seek to conduct direct cyber operations, they may well calculate that an actual attack on voting systems would cross a line, whereas they might correctly perceive that lower-level attacks may go unpunished. In that regard, we might very well see potential ransomware attacks on voter databases and small scale disruptive efforts aimed at key voting sites in the lead up to election day. The best defense against all of these activities is education of the voting populace and the hardening of our election systems through the sharing of actionable threat information amongst local jurisdictions, states, and the federal government, as well as real-time collaboration across these organizations to triage and stop cyber campaigns at speed and scale."
Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center (CyRC)
"While we can expect an increase in social media misinformation and conspiracy theories from 2016, such attacks serve to distract from larger threats to electoral infrastructure. Considering that many jurisdictions are expanding their absentee ballot programs to compensate for in-person voting due to COVID concerns, many of those systems may not have been designed to scale with the volume of ballots that could result if everyone were to vote by mail.
As a result, the underlying voting systems likely will be active for a much longer period of time than in prior elections. With extended on time comes an expanded window of opportunity for attackers to successfully complete their attacks. This requires local election officials to increase their level of vigilance over any part of their voting infrastructure as any compromise could serve as fodder for those seeking to sow seeds of uncertainty in the current election cycle. This vigilance should include more aggressive password management tactics, limiting physical network access to systems only during active electoral use, reducing the interval between backups of both systems and databases, and enabling verbose logging of all actions performed on computers used for elections. Such actions will protect against a variety of attack models, but should limit the damage caused by one of the more popular attacks in 2020 – ransomware."
Ken Liao, Vice President of Cybersecurity Strategy, Abnormal Security
“The 2016 DNC Hack puts security, and email security specifically, as a topical issue – as campaigns and fundraising efforts can open the door to fraudulent requests by attackers. It’s important to keep in mind that fundraising scams can be more challenging than typical business email compromise attacks because the emails are likely coming from unfamiliar sources. Remember to be extra vigilant and do your own research to ensure you are contributing to your intended recipient – research the websites, look for other sites referencing the website (i.e., backlinks), and validate with phone calls. Be extra cautious with seemingly low risk-exchanges, especially with contacts you haven’t interacted with prior, as those exchanges could be in the early stages of a slow and measured attack over multiple engagements. In short, be hyper vigilant about all communications – as even a smaller local campaign can become victim to advanced attacks looking to alter the outcomes of the election.”
Jesse Rothstein, CTO and co-founder at ExtraHop
"I’m not convinced election concerns are purely technology or infrastructure-related. Perhaps the greatest threat to our democracy is what we in the information security industry call “social engineering” – that is, if foreign interests and bad actors target people, rather than technology, to create uncertainties around the validity of our election results. It's easier to hack public opinion than it is to hack voting infrastructure. As a society, we’re only just starting to understand and regulate this “social engineering” that the bad actors have already mastered. I hope that politicians, lawmakers, campaign personnel, election managers, and security experts from the public and private sector can work together to maintain public faith in our election process."
Vladimir Fomenko, founder and director at Infatica.io
“By no means do I mean that these elections were not fair, but in 2016 we learned a lesson after which everyone understood that now elections take place on the internet, and the president is not the one who gets the majority of votes, but the one who has influence on voters, Vladimir Fomenko, founder and director at Infatica.io. As for fraud: it is good for companies to unite, because the more different their expertise, the better the product they can make together. In business, (and it is a business for them) 1 + 2 should equal 3, as two heads should have more than two ideas, but I still think it will be very difficult for them. The current deepfake and deepvoice technologies are already good, but they will continue to get better and better. While it remains to be seen whether this coalition will have an actual effect on dissuading information, their intentions are the right ones. We should all be doing our part to prevent fiction from parading as fact under the guise of free speech. People are ultimately going to believe what they want to believe, but we shouldn’t make it easy for them. We can’t simply sit by as the integrity of the elections are being challenged by disinformation.”
###