In August, the FBI and the Cybersecurity Infrastructure Security Agency (CISA) jointly announced that many voter registration databases across the U.S. were vulnerable to ransomware, a pronouncement that seemed to underline earlier CISA reports that county election offices will likely be prime targets come November.
While ransomware may best be known for its use as a blackmailing tool, experts say it could just as easily be deployed as a politically motivated attack, one meant to cause chaos and sow public doubt about electoral processes. Theoretically, nation-state hackers from U.S. adversaries like China, Russia and Iran could all perpetrate such a scheme, according to experts.
For county IT officials in charge of securing communities' election infrastructure, there are a lot of different scenarios in which the malware could wreak havoc, said Aman Bhullar, chief information officer for the Los Angeles County Registrar-Recorder/County Clerk.
"The dependence of elections on general computing and networking infrastructure makes ransomware a highly relevant threat," said Bhullar, in an email. "We feel that ransomware is a very real threat vector and high risk to elections."
Even setting aside scenarios involving nation-state actors, basic cybermercenaries are also a big problem. Your average criminal hacker looks for high-value targets and it doesn't get much more valuable than voter data during a presidential election, Bhullar commented. On that basis, the incentive for criminal hackers to target county election offices is high.
For L.A. County, where more than a million voters will be casting ballots at more than 1,000 different polling locations on election day, even an attack aimed at non-essential election systems "could have a direct impact on an election due to the interconnected nature of the systems [and] processes," said Bhullar.
That's because election infrastructure — everything from voting machines and voter registration databases to ballot printing machines and e-poll books — is an interlocking web of systems and data, all of which need to function properly for accurate delivery and tabulation of the vote.
"An undetected attack could damage the voter information, registration statuses, vote eligibility, inability to print ballots, check-in processes, create confusion and delays, or even at a large scale question the integrity of the election process," said Bhullar.
A report published last week by cybersecurity firm BlueVoyant notes that many municipalities are in an insecure position for the upcoming U.S. presidential election. The report, which looked at a sampling of municipal governments spread across the country, shows a patchwork of communities with differing levels of experience with digitized electoral applications and processes, sometimes lacking basic funding and resources for proper IT security.
"The most damaging thing that can come out of all of this is essentially undermining faith in the electoral process. There's no evidence that a data breach or cybersecurity breach can affect the voter count in any meaningful way," said Austin Berglas, ransomware analyst with BlueVoyant. "But any kind of data breach or cyberincident for a county is enough to create some doubt in the process."
Indeed, threat analysts have consistently shot down the idea that hackers could meaningfully manipulate vote count, yet incidents like ransomware attacks would obviously influence public confidence in election results and potentially open up communities to disinformation and other problems.
Dennis Tomlin, the chief information security officer for Multnomah County, Ore., says he was lucky enough to be allowed to work for a county with the proper funding and resources to deal with threats like ransomware.
"We take it very seriously," said Tomlin. "Over the years we've put together a pretty strong, layered approach. ... In the event that something were to actually get into our environment, we are generally pretty successful in stopping it... With ransomware, we feel we are pretty well protected. We even have trouble phishing ourselves."
Risk management in this context means different things for different communities and traditionally there is quite a bit of overlap between election security and general network security, but there are some notable exceptions.
Like a lot of other counties, Multnomah uses a managed security service provider (MSSP) to protect its network, and its security infrastructure includes intrusion detections systems (IDS) and intrusion prevention systems (IPS) — all of which defend from malware by comparing network packets against a database of known cyberattack signatures. But the county also engages in comprehensive patch management, as well as counter-phishing training and products, while also having an incident response plan primed on the offhand chance an intruder actually gets in.
For L.A. County, election security processes run a similar gamut, including segmentation of networks, applications, and users to reduce the potential impact of a ransomware campaign, counter phishing training, as well as IDS and IPS systems. The county's security program is also continually rated on standard benchmarks to ensure it is maintaining an overall high degree of defense.
"We look at each and every system and process, no matter if it is seen as less risky or not," said Bhullar. "Even a system as simple as email is very important during an election. We look at every threat vector as an opportunity to harden our systems [and] processes so that there is no way an attacker has an advantage."
As always, there is no silver bullet for security. But communities can avoid catastrophe by proper attention to common sense basics: preparation, communication and investment.