With less than a year to go until America chooses its next president, its election security needs some work.
Last week, Mick Baccio, the CISO for democratic candidate Pete Buttigieg, quit the campaign. He cited “a fundamental philosophical difference with campaign management regarding the architecture and scope of the information security program.” This leaves democrats in the presidential race without a single CISO between them, which is startling given the targeted phishing that the Clinton campaign suffered during the 2016 campaign.
Reports indicate that Baccio was responsible for basic cybersecurity hygiene, like ensuring the use of 2FA (the lack of which led to the pilfering of the Clinton campaign’s email), and watching for the use of deep fakes, which some expect to be a big problem for politicians in this election.
The Buttigieg campaign is working with a third-party contractor. Nevertheless, the departure highlights the dire state of cybersecurity preparedness across the US political landscape. A recent poll by Harris and Google showed that 60% of US politicians haven’t upgraded their cybersecurity since 2016.
The problem here isn’t just with any single campaign, though; it’s with the entire electoral ecosystem.
Take voting machines. Academics and ethical hackers have repeatedly proven them insecure. Before the 2016 election, Princeton professor Andrew Appel cracked a popular Sequoia unit, swapping out its non-soldered ROM chips with new ones containing his own firmware.
Or election servers. Recently, it emerged that an election server in Georgia used by the organization that programmed the State’s voting machines showed signs of an exploit. System logs dating back to 2014 show a possible compromise using the shellshock vulnerability.
This flaw preceded another on the organization’s servers in 2016. That flaw, in the Drupal system, went unpatched despite the availability of a fix 22 months earlier. Researcher Logan Lamb had previously found an open directory exposing the state voter database along with PDF files with instructions to sign into the Center for Election Systems at Kennesaw State’s central server, reports said in 2017.
A legion of hackers is ready to exploit vulnerabilities like these. A Senate Committee on Intelligence report released last July detailing Russian efforts against election infrastructure found that Russia had made attempts to access election systems in all 50 states. It detailed the exfiltration of voter data in Illinois, from a compromised database containing 14 million voter records. The Senate report said that “State election officials, who have primacy in running elections, were not sufficiently warned or prepared to handle an attack from a hostile nation-state actor.”
Now Shelby Pierson, the election security threats executive at the Office of the Director of National Intelligence, has admitted that voting machines are still connecting to networks via modems, which the DNI has judged to be a vulnerability. She also said that the stakes are higher, pointing to a “more sophisticated” set of attacks from a broader array of countries.
These dangers to the US election process don’t sit well with voters. A Brookings Institution survey last August highlighted significant misgivings among 2,000 adult internet users over election cybersecurity. 57% saw it as at least “somewhat” of a threat to American democracy.
58% of Americans wanted additional federal funding to help states upgrade the security of their election equipment.
At least something is happening there. The US had already allocated an additional $380m for the US Election Assistance Commission (EAC) to bolster election cybersecurity in March 2018, along with $307m to help the FBI counter Russian cyber attacks.
In December, Congress approved a further $425m funding bill for election security, less than a year before the US public selects its next leaders in 2020. However, election reform advocates called it a Band Aid and a poor substitute for a regular annual commitment to election cybersecurity.
Longer-term policies are more difficult to shift. US lawmakers last year failed to pass laws governing the trafficking of political ads, forcing paper ballots, and funding the updating of voting systems.
The FBI has at least now agreed to warn state election officials of attempts to break into their hacking infrastructure, which is a beginning.
However, what isn’t clear is what to expect from Russia or other state-level attackers probing US election systems. The Senate report pointed out that there was no evidence of voter data tampering in Russia’s previous activity, even though the attackers had that ability in the Illinois incident. Experts put it down to reconnaissance, and/or to demonstrating that Russia had power over the US.
That’s the takeaway here: the threat to election systems may be real, but that may be part of a longer game. Smart attackers understand that cyber warfare is part of a broader full-spectrum battlefield including information warfare and psyops. By undermining confidence in election systems, an attacker can throw an entire population into disarray and erode democracy as a concept. What’s more effective – hacking some voting machines or hacking public confidence in the idea of voting, and therefore in the legitimacy of government in general?