Cybersecurity Concerns Now Include Mail-in Ballots, Vulnerable Home Networks
The global COVID-19 pandemic has created a new series of cybersecurity challenges for election officials across the U.S., including concerns about the security of mail-in ballots and whether attackers will target vulnerable networks for those local election workers still working remotely, according to a new report.
The Brennan Center for Justice, a nonpartisan law and public policy institute connected to New York University Law School, released a report on Friday urging Congress to provide states with the required resources to ensure a more secure election process.
“Effective digital resiliency plans can ensure that operations continue and eligible citizens are able to exercise their right to vote even in the face of cyberattacks or technical malfunctions,” according to the report.
Previously, the Brennan Center called on Congress to allocate $4 billion for election security in 2020. When lawmakers in Washington passed the stimulus bill in March, it included $400 million for election security.
Since the start of the year, election officials throughout the U.S., as well as the U.S. Cybersecurity and Infrastructure Security Agency, which is responsible for protecting the country’s voting infrastructure, have warned about a number of cybersecurity challenges that could affect elections in November. These include not only concerns about COVID-19, but also nation-state actors attempting to interfere.
Last week, Google’s Threat Analysis Group found that separate state-sponsored phishing attacks unsuccessfully attempted to infiltrate the campaign offices of President Donald Trump and former Vice President Joe Biden (see: Google: Phishing Attacks Targeted Trump, Biden Campaign).
2020 Voting Challenges
As the Brennan Center report notes, the November elections could be affected by local outbreaks of COVID-19, and this remains a significant possibility throughout the remainder of 2020.
In these cases, voters may not feel safe casting their ballot in-person and could opt to vote by mail instead. At the same time, local election officials have to ensure that voting booths are up and running for all those who prefer to vote in-person, according to the report.
As voters demand more online registration and mail-in ballots, election officials must be aware of the increase in interference by outside or nation-state actors taking advantage of the situation. The deployment of new voting options also raises the risk of technical issues and errors, the report notes.
The pandemic has also created a scenario where government workers and the vendors responsible for voting machines are now working remotely, further heightening the risk of cyber threats, according to the report.
“This added pressure creates new targets for those interested in disrupting American elections through ransomware or other cyberattacks. Good cybersecurity practices for remote operations are therefore essential,” the report states.
In a previous report, the Brennan Center called for the creation of a federal certification program that makes sure vendors that build election infrastructure – including voting machines – meet cybersecurity standards.
In addition to pointing out election concerns, the Brennan Center is making a series of recommendations to reduce cyber threats heading into November.
The report advises local elections officials to use National Institute of Standards and Technology guidance to develop security policies for all election workers. Administrators should also ensure that all remote workers are complying with cybersecurity best practices, such as updating devices and applying patches regularly and using two-factor authentication.
The report also suggests establishing 60-day blackout windows during which non-critical software updates and patches are stopped, which can cut down on the likelihood of programming errors crashing systems. In the case of critical updates or patches during the blackout window, personnel should get express permission and test updates prior to the rollout, the report notes.
States must also conduct vulnerability and capacity testing on their voter registration systems well in advance to avoid the risk of malfunctions or distributed denial-of-service attacks, as well as use automated monitoring tools and intrusion detection services to alert officials if any of the sites are down, according to the report.
Election officials should consult with IT professionals on how to avoid overloading the registration database servers during peak use, and in the case of failure, voters should be redirected to a site where they can access and fill in a PDF that can be uploaded, the report states.
To ensure that the process of mail-in voting is secure, the report advises officials to ensure that the printing vendors can accept encrypted data files and that all data containing personally identifiable information is encrypted. Further, online and email ballot request systems should undergo vulnerability testing, the report notes.
Since many jurisdictions allow voters to submit an image of their signed mail ballot request form by email, all the attachments should be scanned for malware and only be opened on machines that have added access control and network restrictions, according to the report.