Because things aren't bad enough already: COVID-19 is going to mess up election security assumptions too
Socially isolated officials will be fair game for meddling hackers
The social distancing measures brought about by the COVID-19 pandemic will weaken election security in the US, according to a non-profit's security check.
A report [PDF] from New York University's Brennan Center for Justice warns that as election workers and local officials are forced to do their jobs remotely, the risk of attack skyrockets.
"Many government personnel must work and access election infrastructure remotely now; so too must vendor personnel," the Brennan report says.
"These changes to work environments, if not properly managed, could create new targets for those interested in disrupting American elections through cyberattacks."
The problem, the Brennan researchers say, is that many of the election security measures put in place over the last few years have been based on the assumption that election officials and workers will either be on-site or working from an office with strengthened core systems.
But the COVID-19 pandemic has led to many of those officials working from home and dialing in to the local networks or using remote management software. Many US states are relaxing their initial isolation restrictions from the spring COVID-19 outbreak, but health officials warn of a second wave of outbreaks that could arise later this year around the election date of November 3.
This creates a weak point, as those officials are no longer under the protection of firewalls and security appliances and, more importantly, are now prey to phishing attacks as well as more targeted attacks against their laptops and mobile devices.
The problem is not by any means unique to governments and election workers. The entire enterprise space has had to deal with a litany of problems created by workers who move from offices to remote setups. Among the biggest is security: employees who have to log in to services remotely become targets for phishing operations.
In the case of election workers, however, these risks are magnified, as they were already targets for state-backed hacking crews eager to get at the inner workings of local and state voting systems.
"This added pressure creates new targets for those interested in disrupting American elections through ransomware or other cyberattacks," the report reads. "Good cybersecurity practices for remote operations are therefore essential."
The report suggests that while phishing would be the easiest and most likely attack scenario, aggressors who had the resources and motivation could take things a step further and target the actual devices of election officials and workers with ransomware, rogue apps, or even firmware attacks.
There is even, the researchers say, the possibility that attackers could seek to intercept traffic by setting up rogue Wi-Fi hotspots.
Interestingly, the Brennan report says that election officials and vendors are not the only ones that need to be on guard against hackers intent on interfering in November. Because many voters will be registering online to vote for the first time, agencies tasked with handling identification documents could also be in the crosshairs.
"Personnel employed by vendors and state agencies such as the Department of Motor Vehicles can have a significant impact on election security," the report notes. "Election officials should make sure that those personnel are also being held to cybersecurity standards."
To remedy the issue, it is suggested that security and IT departments make sure employees brush up on their best practices for avoiding phishing attacks and keep devices updated with patches. This includes not only local and state officials, but also the employees of voting equipment manufacturers and registration apps as well as those at the state DMV offices. ®