Everyone is talking about election security, but in my opinion, our focus is being drawn too much down the “voting machines are hackable” narrative, and we are not looking at the breadth of the threat landscape.
There are two much bigger threats: Ransomware and a Pandemic, like COVID-19 (Coronavirus). Either one of those will drive us to paper ballots faster than the ever-scary hacked voting machine.
Let’s first go to those voting machines: Yes, voting machines are vulnerable. Anything that relies on software is vulnerable. The introduction of even more technology, like tablets that use NFC to activate the voting machines, just creates more links in a chain where threat actors look for the weakest link.
But "hacking" the mechanics of the voting system is almost a red herring. Except for Iowa’s recent voter app issues, every other compromise on one of these voting systems was done with unrestricted physical access, like a controlled penetration test. These findings are not at all representative of a genuine attack.
Ransomware Used in Politics
Ransomware on or around election day is much more likely. Political operatives can now false-flag ransomware events, pretending to be organized crime.
Here are several facts that point to this trend:
- Ransomware Attacks on Local Governments
First and foremost, county governments conduct elections. Not cities, not states, and not the federal government. Counties. And county election agencies are considered low hanging fruit as their network assets have traditionally been easy for threat actors to compromise.
The two reasons Ransomware (aka extortion) is being preferentially leveled against the health sector and local government are A) they provide critical services that cannot be disrupted, and B) they have each failed to make investments in security to sufficiently raise their "risk bar" in a manner commensurate with the criticality of the services they provide. The high likelihood of success for extortion events has not been missed by criminal enterprises.
- Nation-States Masquerading as Organized Crime
There have been two acts by nation-states that were disguised as organized crime. It is now accepted that WannaCry was the North Koreans conducting extortion to mitigate the effects of economic sanctions, and NotPetya was Russia poking the economy of Ukraine. Both were ostensibly ransomware attacks until detailed attribution was conducted. "Ransomware" events that are false flags are now officially A Thing.
- Ransomware-as-a-Service – It’s not just for cybercriminals anymore
Ransomware-as-a-service is upon us. Without leaving fingerprints, it’s possible to contract a ransomware event through dark web services and direct it at the organization of your choosing. Skills not needed, just a credit card.
- Online Cyber Disruption and Disinformation Campaigns
Political operatives are already testing the waters. A staffer for Katie Hill has been arrested on suspicion that he orchestrated (paid for, presumably) a distributed denial-of-service attack against her opponent's website. Political activism using cyber disruption in various forms should not be discounted when the election fur starts to fly.
COVID-19, Coronavirus, and Pandemic Problems
With COVID-19 upon us in Washington State, we are starting to see how voting would be impacted: People are staying home from work and avoiding contact with others, parents are keeping kids at home, and government buildings are closing for cleanings.
Information security and emergency management teams dealing with the COVID-19 issues should be anticipating closures of polling places. If someone shows up and hints at the virus, you’d have to shut down the building for a day.
There have already been some online campaigns full of disinformation about Coronavirus that could dissuade voters.
How Counties Can Prepare for Election Day
But the action plan for either Coronavirus or Ransomware can be the same.
Counties need to start this now:
- Coordinate with the state on a contingency plan for forced closures of polling locations.
- Print a lot of absentee ballots. The state does this - hence, coordination is required.
- Have a communications/outreach plan. This should include communications before Election Day so people know what to do: “If this happens, here’s what we’ll do.”
- Have the Emergency Operations Center be the “trigger” with an incident action plan in place to initiate fallback to vote-by-mail.
I hope none of this happens, but the possibility is very real. It’s time to get prepared.