Election 2020: 9 Ways Cybercriminals Are Trying to Steal Your Vote
The election systems of countries around the world are not as secure as they should be.
![Election Hacking Cover](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltb259fe889ce7af2c/6524579a1783892c50cadad7/Election-Hacking-Cover.jpg?width=700&auto=webp&quality=80&disable=upscale)
Shutterstock
The FBI and Department of Homeland Security say hackers, and potentially nation-state actors, have gained access to U.S. election systems. This comes as no surprise to Allyn Lynd, cybersecurity expert at CriticalStart.
“Currently the FBI, Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA), U.S. Cyber Command, and various other government agencies do their best to react to cybersecurity threats during elections,” he said. “While they do a good job reacting to reports of fraud and cyber attacks, and validating whether or not they occurred, this is all reactionary and does not amount to detection or prevention.”
Phishing campaigns still work, and are targeting elected officials and election systems, as well as election workers and volunteers, Levin said.
“Businesses must be aware that election-themed social content is prime fodder to bait unsuspecting employees into a phishing attack, since it can often evoke a highly emotional response, which can lower people’s guard against clicking suspicious links,” Matthews said. “To avoid the risk from ransomware or phishing, organizations must act now to educate employees on new social dangers.”
Disinformation is a major threat, Levin said. Disinformation campaigns are conducted via social media and via email. The methods and strategies vary, from general programmed activity popularly referred to as bots, to more targeted campaigns. Russia, China, North Korea and Iran are all thought to be conducting these kinds of attacks on our democratic process. The result can be that people go to the ballots with bad information, or they decide not to vote at all.
Distributed denial-of-service (DDoS) attacks, where a botnet sends a flurry of requests to a server until it fails, could definitely be a strategy on Election Day with many jurisdictions using electronic poll books, Levin said.
“The goal of a DDoS attack could also be voter suppression by disabling various modes of communication and transport,” he said.
A hardware and/or software attack on voting equipment is harder to pull off, but very possible, Levin said. In states that do not implement a paper trail with electronic voting, there is an opportunity to hack the vote with both hardware and software attacks on voting machines.
Particularly insidious during the COVID-19 pandemic would be cyberattacks targeting registered voter rolls to alter addresses by only a few characters to make just enough mail-in ballots undeliverable, Ray said.
“Hackers could target voter registration systems and thereby invalidate the vote by adding, deleting or modifying information,” Levin said. “In all instances a major threat is calling into question the integrity of the vote.”
Malicious hackers could use ransomware attacks and other cryptography-based attacks to lock election officials out of crucial voter information, making it impossible to vote in affected areas, Levin said.
“All manner of reasons can motivate a ransomware attack on a political organization in the runup to an election,” Matthews said. “Attacks may be carried out by political hacktivists who believe there’s a moral imperative to stop an opposing candidate. Or they’re purely financially motivated, where hackers believe organizations under the pressure of a voting deadline will be more likely to pay up. Regardless of the motivation, a ransomware attack can be devastating to an organization, so political bodies must be acutely aware of, and prepared for, ransomware.”
Networks and systems built for community organizations are rarely designed to withstand the ransomware threats much larger, established political bodies face, Matthews said. But in the rush to scale, data protection is often forgotten. These conditions create the perfect environment for ransomware to take hold – and the hackers know it.
The election results are already in dispute. That is the message championed by the party more in fear of losing, Ray said. The doubt will be pushed further up to Election Day.
“And while domestic and foreign actors alike will try to sow further discord thereafter by spreading falsehoods about the election results, cybercriminals will relish the madness and rampant online arguments hungry for websites and social media feeds with the real answers, ground truths, insider scoops or quick retorts that will defend a stance,” he said. “The higher the temperature of those defending or defaming the election results, the lower their awareness of the multitude of attacks awaiting them through phishing emails, fraudulent websites, and all of the well-known forms by which the highly distracted may be exploited online.”
Levin said there are several ways public and private institutions can fight these threats:
● Develop and implement a cybersecurity strategy, and make sure everyone involved in the process is trained to spot trouble.
● Use two-factor authentication on all mission-critical systems.
● Conduct penetration tests and hire a security expert to audit systems and conduct risk limiting audits.
● Educate election workers on the threats and how to spot signs of trouble, especially when it comes to phishing emails.
● On a legislative level, pass laws that penalize the social media companies where disinformation is spread.
Matthews recommends the following steps for businesses to take now:
● Communicate the risk of election-based hacking to all employees.
● Remind them of the company’s security policy.
● Ensure the personal, acceptable use policy is well understood. Specify whether employees can use social media for such personal interests as election research and news.
● Push out regular updates to all remote devices, ensuring the latest security patches are in place.
● Fully assume that, no matter how good your defenses are, someone will eventually click a rogue link and the corporate network will be compromised. Ensure all information is protected through comprehensive backup so it’s recoverable after an attack takes place.
It’s the big question on everyone’s mind during Election 2020: Is my vote safe?
With voting already well under way, cyberattackers are working overtime to stop election workers from counting votes and to taint election results. As a result, everyone is worried about whether criminals will prevent accurate vote counts and impact the results of the Nov. 3 General Election.
Jerry Ray is COO of SecureAge.
“Whatever the pathway or intended target within the realm of candidates, platforms, parties, voters and voting infrastructure, the most inevitable and effective cyberattacks will be subtle, unnoticed, misattributed and masked within the culture of doubt and suspicion cast upon the election for the sake of either plausible deniability by the victors or grounds for dispute by the vanquished,” he said. “With only a fraction of a percent of the voting population able to determine the outcome, the attackers need only work in the margins and against those least able to defend themselves or least likely to notice.”
Multitude of Motivations
All manner of reasons can motivate a ransomware attack on a political organization in the runup to an election. That’s according to Doug Matthews, Veritas’ vice president of enterprise data protection and compliance. Political hacktivists may carry out election attacks. And they may believe there’s a moral imperative to stop an opposing candidate.
“Or they’re purely financially motivated, where hackers believe organizations under the pressure of a voting deadline will be more likely to pay up,” he said. “Regardless of the motivation, a ransomware attack can be devastating to an organization. So political bodies must be acutely aware of and prepared for ransomware.”
Adam Levin is chairman and founder of CyberScout, and author of “Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves.”
The election systems of countries around the world are not as secure as they should be, he said. And they don’t include defense against the kinds of bot-driven disinformation that increasingly decides outcomes.
“We should continue to do everything in our power to ensure the integrity of the vote, which means proper funding and training for election systems and staffing,” Levin said.
Voters Don’t Necessarily Need to Worry
U.S. electoral systems are resilient, Ray said. Moreover, they can combat malicious activities related to voting infrastructure.
“While voters don’t necessarily need to be concerned about the security of the election, such as votes being manipulated or concerns over mail-in-ballots, the threat of misinformation will continue to be strong during and past a definitive election result,” he said. “Recently, many networks and social media channels have taken steps to stop the spread of misinformation. These are strong steps in the right direction from the tech world.”
Many of the lessons learned from this election cycle will set precedent for future elections at all levels.
Our slideshow above shows nine ways cybercriminals are targeting the election.