One of the things we at McAfee have been looking at this midterm election season is the security of election infrastructure at the individual county and state levels. A lot of media and cybersecurity research focus has been placed on whether a major national attack could disrupt the entire U.S. voting infrastructure. Headlines and security conferences focus on the elaborate “Hollywood-esque” scenarios where tampering with physical voting machines allows them to be hacked in 45 seconds, and the entire election system falls apart via a well-orchestrated nation state attack. The reality is, information tampering and select county targeting is a more realistic scenario that requires greater levels of attention.
A realistic attack wouldn’t require mass voting manipulation or the hacking of physical machines. Rather it could use misinformation campaigns focused on vulnerable gaps at the county and state levels. Attackers will generally choose the simplest and most effective techniques to achieve their goal, and there are certain targets that have been overlooked which could prove to be the most practical avenues an attacker could take if their objective was to influence the outcome of an election cycle.
A well-crafted campaign could focus on specific states or congressional districts where a close race is forecasted. An attacker would then examine which counties would have a substantive impact if barriers were introduced to reduce voter turnout, either in total, or a specific subset (such as those in rural or urban parts of a district which generally have a strong correlation to conservative and liberal voting tendencies respectively).
Actors could use something as simple as a classic bulk email campaign to distribute links to fraudulent election websites that give voters false information about when, where and how to vote. Given the fact that voter data can be purchased or even freely obtained from numerous recent breaches, a very specific and targeted campaign would be trivial. As we will see, a typical voter faces multiple challenges in telling legitimate sites from fraudulent ones, and the legitimate sites often lack the most basic security hygiene.
With this in mind we looked at how constituents get information from their election boards at the county level. County websites are typically the first place a citizen would go to look up information on the upcoming local elections. Such information might include voter eligibility requirements, early voting schedules, deadlines to register, voting hours and other critical information.
McAfee ATR researchers surveyed the security measures of county websites in 20 states and found that the majority of these sites are sorely lacking in basic cybersecurity measures that could help protect voters from election misinformation campaigns.
What’s in a Website Name?
Our first disturbing revelation was that there’s no consistency as to how counties validate that their websites are legitimate sites belonging to genuine county officials.
I stumbled upon this initially because I live in Denton County, Texas, where the voter information site is votedenton.com. When I saw that, I was a little perplexed because the county actually uses a website address with a .com top-level domain (TLD) name rather than a .gov TLD in the name.
Domain names using .gov must pass a U.S. federal government validation process to confirm that the website in question truly belongs to the official government entity. The use of .com raised the question of whether such a naming process is common or not across county websites in Texas and in other states.
This is important, because unlike .gov sites where there is a thorough vetting process and background checks (including government officials as references), anyone can buy a .com domain.
We found that large majorities of county websites use top-level domain names such as .com, .net and .us rather than the government-validated .gov in their web addresses. Our findings essentially revealed that, for the majority of county websites, no official U.S. governing body validates that the site is owned by a legitimate county entity.
Our study focused primarily on the swing states, or the states that were most influential in the election process, and thus the most compelling targets for threat actors. Minnesota and Texas had the largest percentage of non-.gov domain names with 95.4% and 95% respectively. They were followed by Michigan (91.2%), New Hampshire (90%), Mississippi (86.6%) and Ohio (85.9%).
McAfee researchers found that Arizona had the largest percentage of .gov domain names, but even this state could only confirm 66.7% of county sites as using the validated addresses.
The other thing that was very concerning was that significant majorities of county sites did not enforce the use of SSL, or Secure Sockets Layer certificates. These digital certificates protect a website visitor’s web sessions, encrypting any personal information voters might share and ensuring that bad actors can’t redirect site visitors to fraudulent sites that might give them false election information.
SSL is one of the most basic forms of cyber hygiene, and something we expect all sites requiring confidentiality or data integrity to have at a minimum. The fact that these websites are lacking in the absolute basics of cyber hygiene is troubling.
Maine had the highest number of county websites protected by SSL with 56.2%, but the state was something of an outlier. West Virginia had the greatest number of websites lacking in SSL security with 92.6% unprotected, followed by Texas (91%), Montana (90%), Mississippi (85.1%) and New Jersey (81%).
Above all, there was no consistency within states, let alone across the nation, in website naming or in how effectively SSL was applied to protect voters.
The following Orange County site protects user information with SSL at the voter registration section of the site, but not at the main home page, meaning an attacker could manipulate the content of the top-level site and replace the legitimate registration link with a fraudulent one. Those accessing the site would subsequently never be able to navigate to the legitimate protected site.
Florida’s Broward County became famous (perhaps infamous) during the 2000 presidential election as one of the state’s counties for which then-Vice President Al Gore requested a vote recount. Today, the site is not protected by SSL and has a .org address that is not distinguishable from a fake .org domain. The browser itself actually calls out “Not Secure” when you go to the site.
Even sites that report election results are utilizing non-.gov domains, such as the Glades County site below.
The following site from Scioto County in Ohio uses an unvalidated .NET top-level domain and doesn’t protect site visitors with SSL.
The Fulton County, Ohio site uses an unofficial .com top-level domain and is also missing enforced SSL support.
The following site from New York’s Albany County uses an unvalidated .com TLD. It also fails to use SSL protection on the site’s critical voter information pages.
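The two checks this section applies to each county site (is the hostname under .gov, and is a plain HTTP request sent on to HTTPS) can be expressed as a small audit script. This is an added example, not McAfee's survey tooling; the hostnames, state codes and responses are constructed placeholders, and the function names are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed observations (placeholder hostnames, not survey data):
# (state, URL requested over plain HTTP, status code, Location header).
SAMPLE = [
    ("AA", "http://www.county-one.gov/", 301, "https://www.county-one.gov/"),
    ("AA", "http://votecountytwo.example.com/", 200, None),  # content served over HTTP
    ("AA", "http://county-three-gov.example.net/", 302, "http://county-three-gov.example.net/home"),
    ("BB", "http://elections.county-four.gov./", 200, None),  # .gov, but no redirect
    ("BB", "http://countyfive.gov.example.org/", 308, "https://countyfive.gov.example.org/"),
]

def host_of(url):
    """Lower-cased hostname without a trailing root dot."""
    return (urlsplit(url).hostname or "").rstrip(".")

def is_gov(url):
    """True only when the final DNS label is 'gov'; 'gov' elsewhere in the name does not count."""
    return host_of(url).split(".")[-1] == "gov"

def enforces_https(url, status, location):
    """True when the HTTP request is redirected to HTTPS on the same host (www. ignored)."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    strip = lambda h: h[4:] if h.startswith("www.") else h
    same_host = strip(host_of(location)) == strip(host_of(url))
    return urlsplit(location).scheme == "https" and same_host

def summarize(observations):
    """Per state: percent of sites outside .gov and percent not enforcing HTTPS."""
    rows = defaultdict(list)
    for state, url, status, location in observations:
        rows[state].append((is_gov(url), enforces_https(url, status, location)))
    report = {}
    for state, checks in rows.items():
        n = len(checks)
        report[state] = {
            "sites": n,
            "non_gov_pct": round(100 * sum(not g for g, _ in checks) / n, 1),
            "no_https_pct": round(100 * sum(not h for _, h in checks) / n, 1),
        }
    return report

if __name__ == "__main__":
    for state, stats in sorted(summarize(SAMPLE).items()):
        print(state, stats)
```

A site whose home page answers over HTTP with a 200, as in the Orange County case above, counts as not enforcing HTTPS even if deeper pages are protected.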
Lacking Basic Protection
Because SSL protection is a very well understood website security practice, the lack of it does not instill confidence that other systems managed at local levels are adequately secured.
Given how important the democratic process of voting is to our society and way of life, we must work to better secure these critical information systems.
If you think about a close election race with rural or urban district elements to it, a malicious actor could simply send emails to hundreds of thousands of voters in rural or urban parts of the municipality and direct voters to the wrong voting locations. Such an actor would essentially be disrupting, misdirecting and perhaps even suppressing voter turnout through misinformation. No systems would be taken offline, no physical harm done, and likely no one would even notice until election day when angry voters showed up to the wrong sites.
We developed the following phishing email message to provide an educational example of what such an election campaign message might look like (we did NOT uncover it as a part of a real phishing campaign currently in progress):
To avoid early detection, it is most likely that a coordinated attack would take place just hours, perhaps a few days before a critical vote; the threat actors would want to provide enough time to reach a critical mass for election disruption, but little enough time to avoid detection and remediation. At that point what could you even do?
Influencing the electorate through false communications is more practical, efficient and simpler than attempting to successfully hack into hundreds of thousands of voting machines. Such a scenario is much easier to execute than tampering with voting machines themselves, and it scales to achieve the broad election objective any malicious actor might desire.
What Must Be Done Nationally
Regardless of whether central regulation or best practice publication is the best approach to election security, we need better security standardization for all of the supporting systems that deal with elections.
While it might be difficult to pass a federal law that would mandate things like .gov naming standardization or utilizing SSL protection, an organization like the U.S. Department of Homeland Security could take a leading role by recommending these best practices.
How Voters Can Protect Themselves Locally
First, regarding SSL protection, anyone can always determine whether or not their communication with a website is protected by SSL by looking for an “HTTPS” in a site’s website address in the address bar of their browser. Some browsers also show a key or lock icon to make SSL protection easier for users to spot before they share street addresses, dates of birth, Social Security Numbers, credit card numbers or other sensitive personal information.
As for the validity of election websites, McAfee encourages voters across the country to rely on state voter registration and election sites. Such sites have a better track record of utilizing .gov TLDs and generally enforce SSL to protect integrity and confidentiality. These sites may navigate voters to their local sites which may suffer from the security issues described in this blog, but utilizing a state secured .gov site as a starting point is better than a search engine.
State voter registration websites:
- New Hampshire
- New Jersey
- New Mexico
- New York
- North Carolina
- North Dakota
- Rhode Island
- South Carolina
- South Dakota
- West Virginia
Finally, state governments provide information phone numbers allowing voters to confirm election information. McAfee encourages voters to call these official phone numbers to confirm any seemingly contradictory information sent to them, particularly if voters received any email or other online messages regarding changes to planned election processes (time, location, ballots, etc.).
Our country’s democracy is worth a phone call.