NEWS ANALYSIS: Stakeholders in U.S. election infrastructure could learn a lot from corporations' approaches to cyber-security. Yet, the reverse is true as well: Security issues surrounding the midterm elections hold lessons for businesses.
The election race for the governorship of the state of Georgia promises to be tight, with current estimates showing that Democrat Stacey Abrams and Republican Brian Kemp are in a statistical dead heat. Unfortunately, Georgia is also one of five states that continue to use fully electronic voting with no verified paper ballot trails, raising the specter that, if inconsistencies arise, voters could lose confidence in the result.
Like many companies, the state is behind in implementing good cyber-security measures and having good visibilities over their assets and vulnerabilities. One example: Officials in the Kemp’s office—he is also Secretary of State in charge of elections—used an internet-connected computer to load memory cards containing the voting-system software,
. Over the weekend, the Democratic Party of Georgia pointed out critical vulnerabilities in the election website that Kemp’s office had ignored.
The fact that the all-electronic voting machines do not create paper ballots or some other way to audit the system means that such vulnerabilities could impact the vote, or at least voters’ confidence, Marian Schneider, president of the nonprofit Verified Voting, said during a press briefing on election issues.
"That is a huge risk of attack," she said. "The takeaway here is, yes, it is a risk, it is not a certainty, [we] can't get the risk down to zero, but [the problem is] if something happens, it will be very hard to detect and it will be impossible to recover from it."
As Americans head to the polls this week, Georgia's travails underscore the cyber-security complexities of conducting elections on a budget, but its efforts—and the efforts of other states—also hold lessons for companies. The threat landscape for elections differs from those faced by most companies but should underscore the multiple pathways to compromise that most companies face.
"There is one thing for sure—we can learn a lot from this election," said Srinivas Mukkamala, CEO of RiskSense, a cyber-threat management firm. "Trust, misinformation, cyber-physical systems, and whether this is this a lot of FUD [fear, uncertainty and doubt] or are we trying to solve a real problem?"
While a lot of potential attacks are ones commonly seen by companies—such as phishing, denial-of-service and database-injection attacks, such as SQL-command injection—the threat landscape faced by election officials also demonstrates other, less popular methods of compromise.
Here are five lessons that companies can learn from the current election security landscape.
1. Trust is valuable, so disinformation is a danger.
In May, election officials in Knoxville, Tenn., faced a nightmare: Minutes before the primary election results would be posted online, a denial-of-service attack crashed the county's server. While the issue did not affect election results, it did cause citizens to question whether the integrity of the election was compromised,
. Attackers also used the chaos to slip into the election tally system and view the code, according to the report.
Such attacks undermine trust in election systems, as does disinformation pushed through fake accounts on social media. The infrastructure for such propaganda is enormous: Twitter
in May and June, a pace that seems to be continuing.
"When you go to a restaurant, you assume that the health department has been in there—you would not buy food by some person on a street corner because there is no sense of trust," said Shawn Henry, president of services and chief security officer for cyber-security firm CrowdStrike. "But people are consuming media every day without knowing the source."
Companies should look to their brand on social media to keep consumer trust in their products. In addition, service disruption should be considered as a significant risk. Attacks on both can undermine consumer confidence, Henry said.
2. Physical security is important.
At the DEFCON hacking convention in August, a group of voting-security activists taught kids techniques for hacking voting machines and tabulating systems. Among the problems found: A system used in 18 states could be hacked in two minutes by picking the lock and using a program to load malicious software onto the system.
"[I]t takes the average voter six minutes to vote," stated
. "This indicates one could realistically hack a voting machine in the polling place on Election Day within the time it takes to vote."
Companies need to worry about insiders having physical access to systems. Many adversaries will try to get someone hired into a company, use a contractor to gain access to sensitive areas or co-opt someone already working for a company, said CrowdStrike's Henry.
"If you are looking at comprehensive nation-state programs, they are looking at the physical aspect," he said. "That's not speculation. It is happening."
3. The most obvious hack is not the most dangerous.
Because election machines are, usually, not connected to the internet, many election officials consider them to be safe. As Georgia's election officials learned, however, there are other ways to attempt to compromise such systems.
In a court case filed in 2017,
that sensitive information on Georgia's registered voters had already been downloaded from a purportedly secure database, that officials in the Secretary of State's office used an internet-connected computer to load memory cards containing the voting-system software, and that the voting machines could be hacked without even being connected to the internet by installing software onto the USB memory stick.
Yet, in September, a U.S. district court judge ruled that
and so allowed Georgia to continue using the all-electronic systems.
Companies should conduct threat modeling exercises to identify overlooked avenues of attack. In addition, third-party suppliers and contractors need to be evaluated as potential sources of risk, said RiskSense's Mukkamala.
"It is not just a need to understand your own systems—you have to understand your vendors and their systems," he said. "The unfortunate situation is that most of the election vendors are not very sophisticated in cyber-security. Often, small third-party suppliers are similarly unsophisticated."
4. Have a crisis plan.
Because misinformation and denial-of-service on election officials' pages can undermine trust in election systems, officials need to have a crisis response plan in place. Having such a plan in place was the primary recommendation of the DEFCON Voting Village 2018 report, which pointed to the publication of false election results in Ukraine and distributed denial-of-service (DDoS) attacks on industry and election sites as potential threats.
"Organizational leaders should anticipate what conditions might be created by a cyber attack on their systems … and create a plan for how to communicate with the public and other stakeholders under such conditions," the report recommended. "This plan should be part of a local or state government’s overall emergency planning."
5. When nation-states are involved, organizations need help.
The May attack on Knox County election systems, the massive efforts of the Internet Research Agency in Russia, and continuing attacks and probes on states’ election systems underscore that nation-states are looking to disrupt U.S. elections and deepen the divides between parties.
Companies have dealt with similar attacks for at least a decade, but defending against such well-resourced attackers is difficult. Both election systems and businesses need government collaboration to better defend against such attacks, said CrowdStrike's Henry.
"All organizations need to understand that there are nation-states that are interested in their information," he said. "It also provides an asymmetrical threat. There are nations that can impact the U.S., and they don't have the weaknesses that we have."
With the latest evidence showing not just Russian operatives targeting the U.S., but also attackers from Iran and potentially China running their own operations, the U.S. government is doing more to protect election systems and companies.
"Our adversaries are trying to undermine our country on a persistent and regular basis, whether it’s election season or not," Christopher Wray, director of the FBI, said in an August briefing on election security. "There’s a clear distinction between activities that threaten the security and integrity of our election systems and the broader threat from influence operations designed to influence voters. With our partners, we’re working to counter both threats."