The 2020 U.S. elections are less than 90 days away and we already know the biggest news won’t be the winners and losers. It’ll be the cybersecurity issues that marred the campaign of the losing candidate.
There’s little doubt that the upcoming U.S. elections represent one of the most important events in the country’s history. But authorities seem to be having a bit of trouble handling the digital security side of things.
The last time the U.S. elected a new president, the nation lost some of its faith in the democratic process after it was revealed that Russia had carried out an extensive disinformation and hacking campaign to affect the results of the elections. This launched cybersecurity and data integrity into the limelight of world news.
This time around, many people are concerned more about the cybersecurity risks to the 2020 U.S. elections than the actual results. Cybersecurity problems have grown to such an extent that no one is asking if Russia will interfere but rather when and how they’ll interfere.
Another issue is that Russia, having not faced any meaningful consequences for their previous election interference, will likely try something bolder this time around. Of course, apart from Russia, there are a number of other countries that the U.S. has to watch out for.
The trade war with China certainly didn’t do anything to dissuade the Chinese government from attempting to disrupt the U.S. electoral process. Additionally, the fact that the U.S. military assassinated the second most important man in Iran, Qassem Soleimani, is something that’ll give Iran the impetus it rarely needs to meddle in another country’s affairs.
FireEye, a cybersecurity firm, recently stated that nobody punished Russia for election meddling last time around and that the reality was that U.S. adversaries were constantly pushing the envelope. John Hultquist, the director of intelligence analysis at FireEye, mentioned while talking to the Washington Post that the Russians saw what they could do and get away with. It stands to reason that they will try to push the envelope again.
In the past four years alone the U.S. has spent close to $1 billion on defensive infrastructure to guard against digital election meddling. Add to that the additional costs that have gone into planning and educating for cybersecurity.
It goes without saying that if there’s another cybersecurity disaster in the upcoming elections the general public will likely lose confidence in electoral results for a very long time.
The U.S. has a deep-rooted trust in democracy and fair play. However, if U.S. adversaries are able to get their way again, it’ll undoubtedly cement the impression that they’ll cross any and all red lines set by the U.S. with regard to international cyberattacks.
Jon Bateman, a former cybersecurity official at the Pentagon, recently told the Washington Post that another full-blown episode of foreign-funded election interference would not only be spirit-shattering but would also tip the result from one side to the other if the election is as close as it was a decade ago.
As mentioned before, direct Russian meddling isn’t the only cybersecurity risk that U.S. law enforcement and intelligence agencies have to worry about. In fact, they’ve already warned that countries like Iran and China will want to disrupt the upcoming elections.
The University of Michigan and MIT recently published a report where researchers mentioned several cybersecurity vulnerabilities that could be exploited if the new OmniBallot system was used.
Note:
OmniBallot is a new ballot delivery and marking system that offers the option of online voting. The entire system works via the internet. So far, New Jersey, West Virginia and Delaware have announced they will be using OmniBallot to enable certain types of voters to vote from their place of convenience.
Researchers who worked on the report mentioned that they found several vulnerabilities within the system that could allow malware to manipulate votes either via the device used by the voter or via compromised Cloudflare, Google or Amazon web infrastructure. According to the researchers, the OmniBallot voting system used a very simplistic approach to online voting and didn’t take into account many of the ways in which results could be tampered with.
Cybersecurity researchers said OmniBallot couldn’t even be trusted to accurately mark ballots that voters printed and returned through the mail.
The main problem, according to the researchers, was that the system used software to identify the voter and then sent the voter’s ballot choices to Democracy Live. This method added a security risk which could in turn render a ballot useless. Researchers recommended some tweaks to the system which would make the process of ballot marking and delivery much safer.
The report also mentioned that OmniBallot represented a high risk for carrying out tasks such as electronic ballot returning and counting. That in turn could harm election security and may allow cybercriminals to modify the results of the election without leaving a trace.
AppOmni, a San Francisco-based CSPM (Cloud Security Posture Management) provider for SaaS, recently said that discussions regarding online voting and its demerits had been going on for many years and that the pandemic had little to do with the increased concern over its security and accuracy.
The CEO of the company, Brendan O’Connor, recently explained that the pandemic moved the age-old discussion of whether extra security is a nice-to-have feature or a must-have feature.
He also said we could all learn something from companies supporting virtual and remote workforces as a way to keep productivity levels up during the pandemic.
According to O’Connor, it was becoming harder for companies to have control over the network or the location of their workers and where they could access their company information. Companies can’t even ensure control over the device one of their employees uses to interact with the company network.
With that said, O’Connor added that a lot of the security solutions made for mobile devices, personal computers and laptops that various companies have adopted today to manage a remote workforce can be applied to various new and online U.S. electoral voting systems.
Before going ahead though, O’Connor warned that any new voting solution should first take advantage of all the best available analytical and cybersecurity tools. Moreover, enterprises needed to employ such tools in the correct manner with the right configurations and then set up additional sub-systems to maintain a secure state.
Interestingly, he also said that looking at the current trends, it was clear that a huge portion of security problems with cloud services that support online voting solutions happened because of user errors.
Note:
Even the best of systems are prone to unnecessary data exposure and leakage if the correct settings and configuration options aren’t put into practice. This is where the real problem lies. Very few companies have employed these modern solutions consistently enough and long enough to monitor what type of configurations work the best and what should be done if a problem arises and the system must be reverted to a previously secured state. Of course, enterprises are learning quickly and some already follow the best-recommended practices. Online voting system services should learn from such enterprises and then put their experience to good use.
Coming back to the OmniBallot platform, the chief executive of Democracy Live, Bryan Finney, is of the opinion that before the lockdown, the OmniBallot system mainly served disabled voters and overseas Americans. He conceded that no technology could be considered hack-proof but the importance of enfranchising the disenfranchised could not be overstated.
President Trump himself used a mail-in ballot back in March to vote in Florida’s primary. The problem with these systems is that to function properly, they have to rely on the security and safety of federal and state registration systems.
Officials obviously knew they had to focus their efforts on making databases and voting machines more secure. Not only that, but they had also planned to put in place some improved audit controls. Unfortunately, the pandemic forced them to change their plans from improving the system to making it stable enough to accommodate a much larger number of ballots than were previously expected.
A couple of months ago, the Supreme Court of Texas put a stop to the expansion of mail-in ballots. Then, in Ohio, lawmakers made it more difficult for anyone to vote by mail by approving a Republican bill. They also removed prepaid postage.
Finally, in Tennessee, the Secretary of State announced that it would dispute the vote-by-mail process all across the state. As mentioned before, the task of mailing ballots and making sure they get returned securely is a difficult one and election officials are starting to feel the pressure to accomplish it.
Verifying a voting signature is another risk that’s magnified by online voting systems. Since the number of voters has gone up significantly, specialists no longer verify signatures. Instead, software is used for verification. This is where security experts fear foreign powers could come in and exploit the system to modify election results. Of course, biased officials in the country could also use the same tactics to disenfranchise voters.
Around three months ago, the NSA warned authorities that hackers from Russia stole emails from a large number of congressional candidates by hacking the email program they used. Then, about a month later, Google blamed hackers from China for targeting and damaging the email accounts of Joe Biden’s campaign staff members. Google also confirmed that President Trump’s campaign was the victim of Iranian hackers.
Unfortunately, there are even more cybersecurity risks this time around. In 2016, Arizona officials belatedly found that hackers had stolen the passwords that election officials used. Later, the FBI and the Department of Homeland Security did a study that concluded that Russia had conducted reconnaissance and research missions against U.S. election networks.
Due to the pandemic, the upcoming elections will use the same registration system to an even larger extent.
These systems have an internet connection and if there’s anything we’ve learned about hackers it’s that, given the required resources, they can get into any and all online systems.
One also has to consider the fact that hundreds of officials will have access to the registration system and if just one of them is the victim of a cyber attack, hackers will find a way into the election systems.
Then there are the companies that maintain these systems and store data related to OmniBallot. All that a team of hackers has to do is infiltrate the network of one of these companies and they have an open opportunity to tamper with election results.
While we’re talking about cybersecurity risks to the 2020 U.S. elections, let’s not forget ransomware attacks as well. If hackers are able to lock up records and demand money before making the records accessible, it could have catastrophic consequences.
Small towns in Texas and Florida, along with Baltimore and Atlanta, have had to deal with such ransomware attacks in the past, during which it became impossible for officials to record deeds or for the public to pay parking tickets.