Given the embarrassing catastrophe that was the 2016 presidential election, staving off cyberattacks and foreign influence campaigns is a top priority for election officials nationwide as we get closer to November. Apparently, though, no one thought to apply that same level of scrutiny to their emails. Who’d have thought phishing scams would be the downfall of democracy?
Research firm Area 1 Security published a report Sunday (via the Wall Street Journal) that tracked more than 10,000 local officials and found that more than half used email systems with “rudimentary or non-standard” anti-phishing safeguards. Only 18.6% of election administrators employed “advanced anti-phishing cybersecurity controls,” and more than 600 officials simply used their personal email addresses to conduct election-related business.
(Sadly, the report didn’t mention whether any of them used cringey handles, like, say, HottieWitABodi69@hotmail.com or Vote4Pedro@yahoo.com)
Area 1 Security also found that six jurisdictions in Maine, Michigan, Missouri, and New Hampshire relied on an unpatched version Exim, free email software that has been targeted by Russian hackers in the past. As the Journal notes, the National Security Agency released a federal warning in May about the Russian intelligence service known as the GRU and how it had been exploiting flaws in this software to launch cyberattacks and disable security settings since 2019. These backdoors were patched in later versions of Exim, but it seems even election officials drag their feet and click “update later” when that annoying prompt pops up.
G/O Media may get a commission
Thankfully, security experts say that counties don’t typically connect their email systems with the same networks responsible for counting votes or housing registration information, so these kinds of vulnerabilities wouldn’t necessarily allow bad actors to hack in and influence vote tallies.
However, a security breach at any level in the election infrastructure can deal a devastating blow to voter confidence. We saw it happen in 2016 when Russian hackers broke into the election systems of two Florida counties. Email system vulnerabilities leave election officials open to ransomware, phishing-based campaigns, and other malicious software delivered via email, the Journal reports, which not only disrupt their ability to do their job but can also tank the public’s confidence in election results.
“The biggest danger in my view is not actual vote changing,” said J. Michael Daniel, CEO of the non-profit cybersecurity group the Cyber Threat Alliance, in an interview with the outlet. “That’s actually really hard to do at scale in a way that would actually have a significant impact. But what you would be concerned about is undermining people’s confidence. It starts to raise these questions about what you can trust.”
Given that Russian hackers previously made phishing attempts on high-profile targets in 2018, there’s a good chance state-sponsored actors could make a similar attack on the 2020 presidential election. However, counties already have their hands full scrambling to accommodate social distancing measures and other health precautions since, you know, there’s a literal pandemic going on. And the $400 million in election assistance allocated as part of Congress’s stimulus deal falls far short of the billions of dollars that experts predict state and local officials need to keep voters safe at the polls.
In short, resources are spread thin, even given the estimated $1.2 billion in federal funds for election security that states have received in the four years since the last presidential election, per the Journal.
“Unquestionably, we are better off than we were in 2016,” Daniel told the outlet. “But better off does not mean that we are where we need to be.”