Local Voting Locations Spared From Hackers
Cybersecurity criminals do not appear to have attacked local voting locations, according to the FBI and CISA.
Both the FBI and CISA said on Oct. 4 that any malicious attacks on the election infrastructure are unlikely to either disrupt or prevent people from voting.
“Any attempts tracked by the FBI and CISA have remained localized and were blocked or successfully mitigated with minimal or no disruption to election processes,” the groups said.
Election officials use a variety of controls to mitigate the likelihood of malicious cyber activity such as phishing, ransomware, denial of service, or domain spoofing that would either alter votes or otherwise disrupt or prevent voting, the FBI and CISA said.
Local election officials can implement fail-safe measures such as provisional ballots and backup poll books, while there are safeguards that protect against voting malfunctions such as chain of custody procedures, paper ballots, and post-election audits.
How Voters Can Avoid Being Targets
Voters are urged to double-check emails or phone calls that are unfamiliar, especially ones that “make claims about the elections process or of social media posts that appear to spread inconsistent information about election-related incidents or results,” the FBI and CISA said.
Stick to trusted sources such as websites that end in “.gov” or websites that are affiliated with your state or local election office, the agencies said.
“Be sure to know what your state and local elections office websites are in advance to avoid inadvertently providing your information to nefarious websites or actors,” the FBI and CISA said. “Be aware that many emails requesting your personal information often appear to be legitimate."
Verify through multiple, reliable sources when there are reports about compromises of voter information or voting systems.
“Be cautious with websites not affiliated with local or state government that solicit voting information, like voter registration information,” the agencies said.
Election security remains a concern with the upcoming midterm elections, from data integrity to voting machine tampering to voter intimidation, Mike Parkin, a senior technical engineer at Vulcan Cyber, a Tel Aviv-based provider of SaaS for enterprise cyber risk remediation, told TheStreet.
“It has been a serious concern since before the 2016 Presidential election and the 2020 election was considered the most secure in U.S. history,” he said.
Election Equipment Not Hacked
Hackers have not tampered with election equipment, Karim Hijazi, CEO of Prevailion, a Houston-based cyber intelligence company, told TheStreet.
“As far as we know, the answer is no,” he said. “However, my company monitors malware communications coming from compromised organizations and we regularly see malicious signals beaconing out from the local government, school, and nonprofit networks.”
Since many schools or community and civic centers serve as voting locations where the network is hardly fortified, they could be the target of malware.
“They are likely riddled with any number of unpatched software vulnerabilities, overlooked endpoints directly accessible over the internet and poor security hygiene among staff,” Hijazi said.
Voting machines are usually protected through some level of air-gapping from the main network, he said.
“However, I do think it's important that we recognize there are legitimate risks here that need to be considered,” Hijazi said. “These locations that house voting systems often have insecure networks that are easy to hack. Once an attacker is on that network, he or she can look for ways to migrate to other devices. This is how a threat spreads inside a network.”
A sophisticated threat actor could target voting machine systems, but it would be a high-risk attack for a nation-state because of the “potential for diplomatic blowback, but countries like Russia don't have a lot to lose anymore,” he said.
While Hamerstone has not seen any reports of actual attacks on voting locations, there have been cases of attempted unauthorized access.
“In those cases, the motivation did not appear to be connected with changing vote counts,” he said.
Voter Registration Remains a Target
Voter registration databases are “always” a target for hackers because of the personal identifiable information they contain, Hijazi said. The data on voters can be used in identity theft, financial fraud, and phishing campaigns.
“However, this information is also an ideal target for a disruptive hacker, like a hacktivist or nation-state actor who wants to derail the voting process itself,” he said. “By accessing those databases, they could in theory delete voting records or change them to disqualify someone from voting, send them to the wrong polling station or create confusion and chaos for the election supervisors and the state election divisions.”
Local voting locations have not been the victim “to the best of our knowledge,” but breaches of voter registration information systems and potential vulnerabilities detected in election systems have occurred, Bud Broomhead, CEO at Viakoo, a Mountain View, Calif.-based provider of automated IoT cyber hygiene, told TheStreet.
Misinformation Is the Goal
The real story is more about misinformation and can take so many different forms with the potential to change outcomes in close contests, Alex Hamerstone, advisory solutions director at TrustedSec, a Fairlawn, Ohio-based ethical hacking and cyber incident response company, told TheStreet.
“As for the actual ‘hacking’ of election systems, the issue is largely overblown,” he said. “Although technical equipment issues can occur, the reality is that there are numerous technical protections in place for these systems, as well as many other safeguards in place (like air-gapping, data backups, logging, and monitoring that greatly reduce the potential for malicious activity.”
Voter registration records are less attractive as a target for cybercriminals since they are public information, but the voter registration process is certainly a target for nation-state actors who want to use it for misinformation purposes, Hamerstone said.
“They may attempt to convince people who are eligible to vote that they are not eligible, put out false information about deadlines, and use other types of attempts to prevent people from registering or voting,” he said.