With the U.S. elections quickly approaching, we’ve been talking about various aspects of election security. In previous posts we explained why elections are not administered online and discussed secure voting methods. Today we’ll dive into trust indicators for election communications, including how to avoid phishing and secure voter data.
Democracy depends upon trust in the electoral process. Trust is essential to ensuring voter confidence and securing elections. This includes trusting that voter registration data, election websites and emails are safe and secure for users.
Recently, the U.S. Justice Department charged six Russian military officers in connection with global cyberattacks, including interference in the 2016 U.S. election, the French presidential election in 2017 and the 2018 Winter Olympics. In this threat environment, it is more important than ever to secure your site because hackers will take advantage of any vulnerabilities they can find. And attacks not only leave government and voter information vulnerable but also destroy voter confidence.
Here are a few measures both voters and government entities can take to secure voter data and information during elections.
Imagine the consequences if voter registration databases were hacked or altered, preventing voters from exercising their legal right to vote. Just recently, a voter registration site in Virginia crashed on the last day of voter registration. And Florida’s voter registration site has been overwhelmed, causing it to crash three times since the site went live. In other cases, voter information has been exposed to hackers, including 18 million U.S. voter records exposed from a database error in 2018.
Voter registration sites must invest in security to protect the integrity of elections and to keep their sites available to voters. Additionally, any voter data collected must be encrypted at rest and in transit to protect personal information. Users are increasingly concerned with their privacy, and using encryption can help secure their data. Public key infrastructure (PKI) provides encryption and authentication of users and devices, and also ensures the integrity of communication. PKI has been used for decades to secure user data, and it can be applied to voter data as well.
Phishers will use any excuse to try to steal personal information or spread malware, and elections hold prime real estate in the public’s attention, so phishing is bound to increase around elections. Even the most professional-looking emails may be trying to harvest personal data or spread misinformation.
“Elections are a perfect backdrop for criminals to phish people by playing on their emotions and fears related to the elections,” explains Brian Honan, CEO of BH Consulting and former Europol Special Advisor on Cybersecurity. “Criminals will use lures relating to the election, such as using a sensational fake story relating to a candidate to get the person to click on a link to get more details, or by pretending to be a request from their favorite candidate’s campaign looking for a donation, or faking an email claiming they have been removed from the electoral roll and need to re-register to vote.”
David Bisson, an infosec writer for IBM and TripWire, explains that some fraudsters will try to influence a voter’s ability to cast their ballot with misinformation. “This is especially relevant for attack campaigns that might try to lure users with announcements of changed polling places or modified voting hours,” he says. “If they have questions about how to vote, people should look up their local Board of Elections and/or contact officials in their town government directly.”
Voters should take steps, including the following, to avoid phishing and misinformation campaigns:
Organizations and governments can also implement best practices in their email use, like enabling S/MIME, a method for sending digitally signed and/or encrypted messages, and working towards Domain-based Message Authentication, Reporting and Conformance (DMARC), which ensures that only authorized emails can be sent from your domain so that your entity’s emails can’t be spoofed.
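A DMARC record only blocks spoofed mail once its policy moves past monitoring, so "working towards DMARC" in practice means progressing from `p=none` to `quarantine` or `reject`. The following added example (not part of the original post) grades DMARC TXT records using the tag syntax from RFC 7489; the domains and records are constructed samples, and the DNS lookup of `_dmarc.<domain>` is left out so that it runs offline.

```python
# Added example: grade DMARC TXT records (tag syntax per RFC 7489).
# All domains and records below are constructed samples.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in (txt or "").split(";") if p.strip()]
    # The version tag must come first and be exactly v=DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(txt):
    """Return (status, findings) for one TXT record published at _dmarc.<domain>."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid", ["no DMARC record: receivers get no policy for this domain"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["p= is missing or unrecognized"]
    findings = []
    if "rua" not in tags:
        findings.append("no rua= address: failures are never reported to the domain owner")
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
        return "monitor-only", findings
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    # Subdomains inherit p= unless sp= overrides it.
    if tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    weakened = any(f.startswith(("pct=", "sp=")) for f in findings)
    return ("partial" if weakened else "enforcing"), findings

SAMPLES = {
    "county.example": "v=DMARC1; p=none; rua=mailto:dmarc@county.example",
    "vote.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@vote.example",
    "elections.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@elections.example",
    "clerk.example": "v=spf1 -all",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        status, findings = assess(record)
        print(f"{domain:20} {status:13} {'; '.join(findings)}")
```
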
Bisson says that local and state elections officials need to invest in security. “Local and state elections offices should invest in email security controls that help to blacklist suspicious domains, block unnecessary file attachments and flag external emails in the fight against phishing. They might also want to consider conducting phishing awareness training and simulations with their elections administrators.”
All campaign and government election sites should be secured by a TLS/SSL certificate to ensure that information is encrypted and help prevent man-in-the-middle attacks.
As a website visitor, you should look for trust indicators like the padlock and never enter personal information unless you are confident that the site is secure and your data will be encrypted.
Unfortunately, many election sites lack basic security measures. McAfee conducted a survey of U.S. county election sites and found that most don't have a .gov domain or HTTPS. According to the survey, “the majority of these websites lacked official U.S. government ‘.GOV’ website validation and HTTPS website security measures to prevent hackers from launching fake websites disguised as legitimate county government sites.”
This is unacceptable for election security. Government entities should invest in their site security by installing TLS and enabling HTTPS to keep voters safe and prevent fakes.
Especially since U.S. election results may take extra time to be released, voters need to stay alert for false information and for messages that try to steal their personal data. Voters and governments need to actively watch for potential phishing campaigns, and governments need to secure their voter registration databases and election websites. These steps will help ensure trust in the election process and can help prevent fraud.