Election Officials Are Vulnerable To Email Attacks, Report Shows
Six jurisdictions used software that Russian spies have targeted in cyberattacks. Election Officials Are Vulnerable To Email Attacks, Report Shows
Many of the thousands of county and local election officials who will be administering November’s presidential election are running email systems that could leave them vulnerable to online attacks, a new report has found.
Cybersecurity vendor Area 1 Security Inc. tracked more than 12,000 local officials and determined that over 1,600 used free or nonstandard email software that often lacks the configuration and management protection found with large cloud-service providers. More than half of the officials used email systems with limited protection from phishing attacks, Area 1 said. The findings underscore problems with the country’s diverse, locally administered election system that attracted the attention of state-sponsored hackers four years ago.
In 2016, Russian hackers targeted dozens of election systems in the U.S. and breached two counties in Florida. And while security officials and election officials say that much has been done to improve the security of these systems, email could be another avenue of incursion, especially for attackers looking to disrupt or undermine confidence in the November election, according to Oren Falkowitz, Area 1’s chief executive.
Often, all it takes for a cyber intrusion is a single software bug or misconfigured system, Mr. Falkowitz said in an interview. “When you run your own service and you don’t partner with someone to professionally manage it, it means you have to be perfect every single day,” he said. “That’s really hard.”
Area 1 found that officials in six small jurisdictions in Michigan, Missouri, Maine and New Hampshire, for example, were using a buggy version of a free software product called Exim, which has been linked to online attacks conducted by the Russian intelligence service known as the GRU. In May, the National Security Agency warned that this version of Exim had been targeted since 2019 in online attacks by the GRU.
An NSA spokesman declined to comment.
There is a range of systems used by election officials that could be hacked, all with varying results. The most sensitive of all are the vote-registration, tallying and reporting systems that are critical to election night. Then there are the computers and servers, such as email servers, used by the election officials for their day-to-day business.
While security experts say that county email systems aren’t directly linked to the computer systems that count votes or register voters, the risk may be one of public perception, not vote hacking, said J. Michael Daniel, a former White House cybersecurity official who is now chief executive of the Cyber Threat Alliance, an intelligence-sharing consortium.
“The biggest danger in my view is not actual vote changing,” Mr. Daniel said. “That’s actually really hard to do at scale in a way that would actually have a significant impact. But what you would be concerned about is undermining people’s confidence. It starts to raise these questions about what you can trust.”
Since 2016, Congress has given more than $1.2 billion to the states to improve election security and respond to coronavirus-related vote challenges. While some of that money trickled down to counties to prepare for voting in November, their agencies are facing new challenges. Running elections during the socially distant era of the coronavirus requires more help, said Rita Reynolds, the chief technology officer of the National Association of Counties.
“There’s not enough funding directly to counties for the pandemic situation,” Ms. Reynolds said. “Equally, there’s not enough funding to counties for cybersecurity.”
Over the past few years, government agencies across the country, including Atlanta, Baltimore and Jackson County, Ga., have been felled by ransomware attacks that render computer systems inoperable until a ransom—usually in the digital currency bitcoin—is paid. Many ransomware attacks begin with malicious email messages, security experts say.
At an online conference held by the National Association of Secretaries of State earlier this month, a top Department of Homeland Security election security official said malicious software targeted at the computer systems used by county officials remains a problem.
“We’ll see that ransomware will come and take down the county network, which has an impact on the election network, even though it wasn’t being targeted,” said Matt Masterson, senior adviser on election security for the Department of Homeland Security. “It may have an impact on, particularly, a local office’s ability to run elections.”
A ransomware attack on election night could undermine confidence in the election’s results, even if election systems weren’t affected, Area 1’s Mr. Falkowitz said.
Area 1 sells corporate antiphishing services and has been involved in election security in the U.S. by providing its services to candidates and political committees this year. It has no clients among the entities audited in the report. Mr. Falkowitz formerly worked for the NSA.
Despite the remaining risks, election officials say that there are now better information sharing, security testing and security monitoring on election networks than there were in 2016. And this year more counties are using voting machines that have paper ballots as a backup, which can be counted by hand in the event of a technical glitch or an election audit.
Still, Area 1 counted 666 local officials who were using their personal email address for election-related business, a practice that could expose their work systems to impersonation or other forms of online fraud.
“Unquestionably, we are better off than we were in 2016,” Mr. Daniel said. “But better off does not mean that we are where we need to be.”