As we head into the 2020 election season in the United States, a key component of the U.S. election infrastructure remains vulnerable to attack. Only 5% of the country’s largest counties are protecting their election officials from impersonation, according to an analysis by Valimail. The rest are vulnerable to impersonation, meaning their domains could become the unwitting vectors for cyberattacks and misinformation campaigns.
This is a problem because the overwhelming majority of cyberattacks can be traced to impersonation-based phishing emails. In the corporate world, these cyberattacks result in the loss of funds or proprietary data. But when it comes to elections, the bedrock of democracy — free and fair elections — is at stake.
An August 2019 report from Valimail noted that most presidential candidates’ campaigns are not protected from email impersonation. And our earlier report found a similar situation across the thousands of domains used by state and local governments. This new report takes a closer look at those domains specifically used by the largest counties for election matters.
About 90% of all cyberattacks involve phishing, according to the Verizon Data Breach Investigations Report (DBIR) and multiple other sources. And 89% of phishing involves impersonation, according to a recent study by Barracuda. While these stats come from analyses of primarily private-sector domains, we know that the election infrastructure is also vulnerable to phishing. For instance, spear phishing played a major role in the 2016 election, as it was the vector by which the Democratic National Committee’s email system was compromised. And spear-phishing attacks targeted multiple election officials in Florida during the 2018 election season, although there was no indication that these attacks had an effect on the elections.
We’re not just talking about voting machines being vulnerable. While most voting machines are isolated from the Internet (they are often air-gapped for security), the same cannot be said for other elements of the election process. The electronic pollbooks that voters use to sign in on election day and the machines that tabulate votes may be connected to the Internet for software updates or to receive or transmit voting information. This makes them potential targets for email-based attacks aimed at other users of the same networks.
For example, an attacker might send an election official an email that spoofs the identity of a voting machine vendor and poses as an “urgent software update” that the official needs to install. Or malware could be delivered via spear-phishing emails that, if clicked on, would shut down the county’s network and disrupt the smooth functioning of an election.
These are not theoretical examples. Earlier this month the Louisiana state government’s computers were taken offline during an election week by a ransomware attack that most likely originated with a spear-phishing email message.
Apart from the voting infrastructure itself, there are other vulnerabilities susceptible to email attacks. Voting officials (county auditors, clerks, or boards of elections) must be able to communicate with the public via email. Email is often used to transmit running totals of the election results to the media. And media outlets also use email to deliver election news to the public via newsletters.
While email is not the only threat vector that election officials need to take seriously, our report shows that it is being significantly overlooked.