Election Hacking Threatens US Mid-Terms

Uploaded on 2018-11-02 in NEWS-News Analysis, GOVERNMENT-National, GOVERNMENT-Local, FREE TO VIEW

In March, officials from 38 states packed into a conference hall in Cambridge, Massachusetts, for a two-day election simulation exercise that was run like a war game. More than 120 state and local election officials, communications directors, IT managers, and secretaries of state ran drills simulating security catastrophes that could happen on the worst Election Day imaginable.

The tabletop exercise began each simulation months before the Nov. 6 midterm elections, accelerating the timeline until states were countering attacks in real time as voters went to the polls. 

Organised by the Defending Digital Democracy (D3P) project at Harvard, a bipartisan effort to protect democratic processes from cyber and information attacks. 

The drills forced participants to respond to one nightmare scenario after another, voting machine and voter database hacks, distributed denial of service (DDoS) attacks taking down websites, leaked misinformation about candidates, fake polling information disseminated to suppress votes, and social media campaigns coordinated by nation-state attackers to sow distrust. As we've seen in recent elections around the world, multiple attacks often occur simultaneously.

"Think about a denial of service attack and the normal phishing and malware-type tactics [hackers] would use during an election," said Eric Rosenbach, D3P director and chief of staff to US Secretary of Defense Ashton Carter from 2015 to 2017.

"The part I would be most concerned about with a DDoS is an attack against a web page announcing results combined with a high-end information operation. Look at what happened in Ukraine in 2014

“The Russians DDoSed the web page Ukraine was using to announce election results, then steered everyone back to state-run Russia Today and put up bogus results. Ukrainians were left confused about who had actually been elected president."

Understanding modern election security means coming to grips with a daunting reality: especially in the United States, the infrastructure is too fragmented, outdated, and vulnerable to be completely secured.

There are also far too many different types of attacks across the threat landscape to ever stop them all. 

On both sides of the political aisle, at every level of government, and throughout the tech industry, the United States is grappling with fundamental cybersecurity threats to our elections. We're also planning for how to react when things go wrong, both during this crucial midterm election and in the 2020 general election.

Protecting the 'Attack Surface'
In cybersecurity, all the exposed systems and devices that could be attacked are called the "attack surface." The attack surface of a US election is enormous and can be divided into three key levels.
The first is voting infrastructure; think voting machines, voter registration databases, and all the state and local government websites that tell people where and how to vote.

Then there's the campaign security level. As 2016 showed, campaigns are easy targets for hackers. Stolen campaign data can then be used as a potent weapon for the third, more nebulous attack level: the nefarious world of weaponised misinformation and social influence campaigns. 

On this front, the troll armies of nation-state actors continue to operate across the web and invade social media platforms, which have become polarising battlegrounds of voter perception.

Trying to solve the myriad systemic issues plaguing each of these levels often leads to more questions than answers. 
Instead, many of the strategies to mitigate election security risks come down to common sense: paper balloting and vote auditing; giving state and local governments more resources; and providing tools and security training for campaigns and election officials.

A couple more complicated and divisive questions, for election administrators and campaign workers as well as voters: How do you approach the electoral process in the social media era replete with online misinformation? And when you harbor doubts about all the digital information that comes across your screen, what should you believe?

UK PCMag

You Might Also Read:

California Bans 'Secret' Election Bots:

An Election Interference Alert System:

 

« Realistic Fake Videos Threaten Democracy
The Pentagon Prepares A Cyber-Attack On Russia »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

4ARMED

4ARMED

4ARMED specializes in penetration testing, information security consultancy and security training

Alert Logic

Alert Logic

Alert Logic delivers unrivaled security for any environment, delivering industry-leading managed detection and response (MDR) and web application firewall (WAF) solutions.

Willis Towers Watson

Willis Towers Watson

Willis Towers Watson is a global risk management, insurance brokerage and advisory company. Services offered include Cyber Risks insurance.

BGD E-GOV CIRT

BGD E-GOV CIRT

BGD e-GOV CIRT's mission is to support government efforts to develop ICT programs by establishing incident management capabilities within Bangladesh.

Fortra

Fortra

Fortra (formerly HelpSystems) is your cybersecurity ally, unified through the mission of providing solutions to organizations' seemingly unsolvable cybersecurity problems.

Network Integrated Business Solutions (NIBS)

Network Integrated Business Solutions (NIBS)

NIBS is an IT services provider offering a range of services with the aim of simplifying and securing technology.

Cyscale

Cyscale

Cyscale is a consultancy and development agency helping Enterprises adopt and migrate to the Cloud by providing an Automated Cloud Security Platform.

BullGuard

BullGuard

BullGuard is an award-winning cybersecurity company focused on providing the consumer and small business markets with the confidence to use the internet in absolute safety.

BAI Security

BAI Security

BAI Security is a Nationally Recognized Leader in IT Security. Keeping your data safe and your business compliant is our singular focus.

Tactical Network Systems (TNS)

Tactical Network Systems (TNS)

Tactical Network Solutions helps you discover hidden attack vectors in IoT and connected devices before someone else does.

Diaplous Group

Diaplous Group

Diaplous Group is a leading Maritime Risk Management (MRM) provider, delivering specialized services to an ever-broadening portfolio of shipping, oil & gas, energy and construction industries.

TrustGrid

TrustGrid

Trustgrid is a pioneer and leader in secure, cloud-native software-defined connectivity.

Digital Catapult

Digital Catapult

Digital Catapult is the UK authority on advanced digital technology. We bring out the best in business by accelerating new possibilities with advanced digital technologies.

ABM Technology Group

ABM Technology Group

ABM Technology Group (formerly True IT) provide business information technology services, solutions, and consulting for small to mid-sized organizations.

Bulletproof Solutions

Bulletproof Solutions

Bulletproof provides IT expert support, services, and guidance to businesses small and large as they grow and adapt to today’s complex IT, cybersecurity, and compliance needs.

Knostic

Knostic

Knostic is an early stage startup developing a risk management and governance platform designed for enterprise large language models (LLM).