Third-party vulnerabilities may be new to voting apps, but they're nothing new to hackers and cybersecurity experts.
As Americans battle unprecedented mass devastation from a still-raging pandemic for which there is no vaccine, civil unrest marked by violent clashes between police and protestors across the country, and the weaponizing of information, fake-news, gas-lighting and actual facts – new concerns over voting security pose yet another threat.
In light of so much social disruption, it’s easy to understand why government leaders (at federal and state levels) and the voting public are looking for voting options that avoid gathering on election day.
In a post-internet era, the solutions seem obvious, convenient and intuitive. But these options are drawing more scrutiny from public officials and private researchers as risks begin to surface that impact the public, government institutions, non-governmental organizations, and commercial businesses of all kinds.
There are three areas of concern for security analysts - the purity of the vote itself, the integrity of voter registration rolls, and the manipulation of public conversation by bad actors.
The Votes Themselves
When people think of election fraud - they tend to think of manipulating votes or vote totals, directly influencing the outcome. That's the least likely version of fraud to occur in traditional elections, but online voting creates new opportunities for direct interference.
In an analysis of OmniBallot, a tool currently in use by several states, researchers discovered that it has some apparent vulnerabilities. Specifically, the application "makes extensive use of third-party services and infrastructure... [as] a result, votes returned online can be altered, potentially without detection, by a wide range of parties, including... attackers who gain access to any of the companies' systems or a voter's client."
These third-party vulnerabilities may seem new in the context of voting apps, but they're rampant across the web.
Online voter registration has security experts especially concerned. Bad actors might manipulate those election rosters either through server vulnerabilities or, while a citizen is registering to vote, through client-side exploitation.
Reporting by the New York Times illustrates that "Homeland Security officials have been focusing 'intensely on hardening registration systems,' said Christopher C. Krebs, who leads the department's Cybersecurity and Infrastructure Security Agency."
As states use advertising and social media tools to encourage their residents to register, they must be sure they have client-side security solutions in place to anticipate, monitor, and mitigate any vulnerabilities they inherit from those partners.
Finally, the same playbook that worked for bad actors in 2016 is available with minor adjustments in 2020. In addition to hacking voter rosters and looking for ways to alter vote counts, provocateurs hacked the conversation of actual voters. By introducing false narratives into social media platforms and creating fraudulent news sites disguised as real sources, bad actors were able to influence votes before they were cast.
Facebook and Twitter have made efforts to reduce this kind of abuse of their platforms - but advertising networks remain vulnerable to intrusion. DEVCON research shows that online tracking pixels from foreign servers land on local news sites millions of times a day - a number that only increases as elections approach.
This information adds up to one stark fact: US elections will be vulnerable in 2020. There is no catch-all safety net coming from government do-gooders, commercial organizations, or white-hat volunteers. But even in a time of civil unrest, a widespread health crisis, and public discourse as divisive as ever - our freedoms can be protected. State governments, civic organizations, and online publishers must take responsibility for securing their part in the process.
What Can I Do?
Here are 5 free (or free-to-try) digital security tools for businesses & organizations:
- DEVCON provides our own client-side security tools via a free community license. Sign up today!
- Qualys offers their robust IT security monitoring platform free via a Community Edition.
- Proofpoint offers a complimentary “Cybersecurity Awareness for Remote Workers” toolkit to help encourage best practices. Find the toolkit here.
- Detexian uses artificial intelligence to scan logs from a variety of SaaS platforms and surface misconfigured policies or unauthorized data sharing. They offer a 28-day free trial.
- KnowBe4 has a number of free tools to test your team’s security awareness - including email & social media phishing simulators.