Usually, when we write a "What you need to know" post on the Rapid7 blog, it's generally a rapid response to breaking news about a specific software vulnerability that's grabbing headlines — recently, we covered the Exim, RDP, and Zoom vulnerabilities. Today, though, I want to talk about pretty much the opposite of that, and put together an explainer on one of the most written-about information security challenges we have today, covering everything from the weaknesses of individual voting machines, to the information ecosystem they participate in, through the human factors exploited by phishing and election day anxiety.
Before we get into details, I want to set a little context here. Generally, you can boil election manipulation down to two main goals: either you want to influence the outcome of an election to give one candidate an edge over another, or you want to fundamentally undermine confidence in the democratic election process as a whole. If your goal is the former, you will generally look for means that are highly scalable so you can get the result you want, and hard to detect so you get away with it and no one knows or can prove what you’ve done. For this, your best avenues are largely techniques that have been used to influence election outcomes for centuries; propaganda and misinformation, blackmail, and smear campaigns. Attempting to manipulate the technological systems that underpin elections to influence the outcome of an election is actually much less effective than well-executed propaganda campaigns, though some hacking can certainly be helpful in building these campaigns, as we saw in the 2016 election.
By contrast, if you want to undermine public confidence in democracy, it is highly effective to give off indicators of that voting technology was hacked, or is at least susceptible to hacking. People claiming an election was hacked like to have a smoking gun to point to, and unpatched, vulnerable voting machines make for a tangible target that voters can understand. In some ways, this is why voting machine security is important—it removes one basis for adversaries to drum up fear, uncertainty, and doubt around the validity of election results. Nevertheless, in my opinion, focusing strongly on voting machines alone is missing the point.
This is not to say that the security of voting machines is not important—it absolutely is. However, the truth about election security is considerably more complicated, especially once you appreciate how much is connected to the internet that is integral to our elections and how fragile some of it may be. Unfortunately, the whole topic is exacerbated by a non-technical, politically cynical dimension. It will be seductively easy to blame an election loss on an infrastructure outage, real or imagined, and it's equally easy to blame the lack of security as an intentional political gambit. So, let's acknowledge that reality, and (hopefully) just stick to technical considerations for the moment.
No easy fixes, no boogeymen
Unlike atomic, one-off vulnerabilities like BlueKeep and EternalBlue, election security is deceptively complex, and involves a whole host of software, hardware, endpoint machines, networks, vendors, implementers, and users. Yet, most of the press around election security is focused specifically on voting machine security, with headlines like this recent Wired article, “Some Voting Machines Still Have Decade-Old Vulnerabilities”.” Voting machine security is certainly important, but I get worried when articles about voting machine security draw an implicit link between Russian interference in the 2016 election and voting machine insecurity, such as The Hill's coverage of the same event. The implication from this kind of coverage seems to be that voting machine insecurity is the most pressing problem in securing American elections, and hostile foriegn powers are poised to exploit these machines in order to successfully manipulate the outcome of our elections.
I don't think this is true. In fact, I've started to regard the fear around voting machine security as practically equivalent to the fear around individual voter fraud (where someone who is not allowed to vote tries to vote anyway)—another issue that is easy to imagine, hard to detect, and is practically never exploited during real elections. Just like individual voter fraud, hacking voting machines tends to be high-risk, high-effort, and nearly impossible to scale since it nearly always requires showing up and touching machines because individual voting machines do not tend to be directly connected to the internet.
To be clear, I am worried about election security. I'm just not too concerned about voting machine security. While the latter could be considered a subset of the former, they are not the same thing. Unfortunately, it's nearly impossible to talk about election security without addressing voting machine security, so let's just get that out of the way.
Voting machine security and vulnerability disclosure
Right off the bat, all of the research into voting machine security is true. I believe that researchers like Matt Blaze, Harri Hursti, Jack Cable, J. Alex Halderman, and the many, many others working in this area are asking good questions, producing excellent research, and demonstrating a real problem: Our electronic voting machines do not appear to be nearly as secure as we should expect or deserve. It's taken some years, but I think the results of this work, such as the DEFCON 27 Voting Machine Hacking Village are slowly but surely moving the needle in voting machine security.
A coalition of voting machine vendors, including ES&S, Dominion, Hart InterCivic, and Unisyn —which together supply upward of 90% of the voting machines used in the United States—announced at the Department of Homeland Security’s CISA Summit a plan to launch a coordinated vulnerability reporting program for election systems in partnership with the IT-ISAC Elections Industry Special Interest Group.
This is a positive step. CVD is a necessary (but insufficient) condition in the industry that all individual vendors need to embrace. Today, things are a ton better than they were even two years ago on the voting machine security front. The vendors are listening and the voting constituency is demanding more secure devices. But, as stated above, buggy voting machines are only one (small) part of the problem.
Election cyber-resilience, end-to-end
The much bigger problems facing election security start with the issues that have already been provably exploited: an unsophisticated level of cyber-hygiene in the IT environment in which elections operate. This environment encompasses not only voting machines and tabulation machines, but the IT on which voter registration and voter verification systems operate, the backup systems that are entrusted to recover from a disaster, the day-to-day email and browser habits and technologies used by campaign workers, and a social media environment awash with misinformation, disinformation, and propaganda. We know for a fact that attackers working on behalf of foriegn interests have proven capabilities in every one of these areas, and fixing voting machines does nothing to affect those capabilities.
Election-critical network services
On July 25, 2019, The New York Times published the article, “Russia Targeted Election Systems in all 50 States” by David E. Sanger and Catie Edmonson. You can read the redacted version of the Senate report here (and you should, it's fascinating), but the net is that while voting machine security is discussed, the vast majority of Russian activity was directed at election infrastructure as a whole. This means that the well-resourced and talented foriegn adversaries appear to be interested in compromising the networks and internet-connected systems that elections rely on, such as voter registration systems and databases, voter verification services, web services that are used to publish polling information, and other network services run by local, county, and state election authorities.
Given the unredacted content of the Senate report, it is certain that Russian actors already have at least some valuable targeting information on these networks. It is imperative that those responsible for election-critical network services have at least routine vulnerability managementand asset management systems in place in order to be able to do the work of reducing attack surface and ensuring that critical software patches are rolled out in a timely matter. In addition, modern network security standards include a penetration testing program, where experts attempt to compromise the security of network in order to uncover gaps not covered by those vulnerability management systems and patch deployment systems.
Phishing for the win
And with all that said, the No. 1 vector that election hackers are likely to pursue is over regular old email-based targeted phishing campaigns. After all, phishing continues to be the most popular vector for online crime, and it shows no sign of abating. This does not have to be an attempt to directly target an election system itself. Of the publicly acknowledged attacks related to the 2016 election, the highest-profile successful effort involved a targeted phishing email directed at Clinton campaign manager John Podesta, as described exhaustively in the Dec. 13, 2016 New York Times piece about the many campaigns executed by Russian operatives. So, even while the campaign was intensely aware of the threat of a phishing attack, this one still succeeded (thanks in part to a typo made by an IT staffer in warning Podesta away from the email). It is worth noting that this attack was not designed to gain access to election systems, but rather to fuel a propaganda campaign and undermine public confidence in election systems and candidates.
In the 2020 round of elections, phishing will likely be used against virtually everyone connected to the U.S. elections in any official capacity.
Ransomware and disaster recovery
In the summer of 2019, municipalities across the United States saw a spike of ransomware attacks hitting critical city and county networks, as detailed in the Aug. 22, 2019 New York Times. Today, ransomware appears to be a wildly popular tactic for extracting cash from insured entities like American towns and cities of all sizes, ranging from small Texas towns to Baltimore, Maryland. However, we also know that ransomware-like attacks like NotPetya , which merely "brick" hard drives by hopelessly encrypting them without a key, are surprisingly devastating when coupled with self-replicating code that leverage both vulnerabilities and common Windows weaknesses. While these attacks may seem similar to ransomware attacks, they are not motivated by profit the way that ransomware attacks are. Rather, they are designed to cause maximum disruption to a service or organization.
Such an attack on Election Day would, if successful, cause huge chaos in any U.S. city, as critical election infrastructure such as voter registration and polling information websites are necessarily connected to and available over the standard public internet. Taking such websites offline doesn't even have to directly affect core voting and tabulation systems, since the very obvious service interruption would impact voter confidence and voter turnout. A ransomware attack on Election Day would certainly also drive intense press coverage, even if the attack does not change the election outcome, sowing additional distrust in the election system.
Election security is critical for defending democracy and it is at risk, not only in the U.S., but around the world. Voting machines are one piece of this. They are an important technology that help make voting easier and more accessible for millions of Americans, and we should expect these machines to be at least as secure as a typical casino-floor slot machine, the gold standard for self-service computer kiosks these days. However, the vendors of these machines are (now) taking that security responsibility seriously, and I expect nothing but upside to come from the latest CVD efforts in this area.
But truthfully, if the end-point voting machine was the most attractive target for internationally-based attackers, we'd be in a pretty great position—it would mean that all of the connected, internet-reachable infrastructure was rock-solid and resistant to attack. Attackers can reach campaign and election system online resources and email inboxes far easier than they can scale up hacks on individual voting machines, and so I hope election stakeholders for the 2020 election cycle will focus their limited resources on protecting back-end systems, increasing user awareness, and championing fundamentally simple solutions such as post-election risk-limiting audits.
But as I said at the outset, I also hope that the candidates and campaigns exercise restraint when tempted to cast suspicion and doubt on election results. After all, the whole point of an election is not so much to select winning candidates, but to convince losing candidates to relinquish power. In the U.S., losing candidates typically concede the race on election night, weeks before the results are certified, based on real-time polling and statistical sampling. Concession speeches are among the most important features of American-style elections, and provide an opportunity for the candidates to show grace and humility. But, the only reason they happen is because both winners and losers have confidence in the voting process.
That said, passions run hot on election night, so I would caution anyone to be skeptical of those who are quick to blame a loss on or lament a win due to a cyber-attack. Political opportunism will be very tempting, especially among those who aren't experts in network and information security, and it'll be difficult to tell the difference between sincere concerns and sour grapes. So, let's secure the things we can, audit the things we can't, and do everything in our power to maintain voter confidence and deny attackers easy propaganda wins.
October 2020 update
Wow, what a year it's been. I wrote the above in January at the start of the year, before COVID-19 was on most people's radar, and of course, there's been a ton of activity since then.
First off, both ES&S and Dominion, the top two voting equipment vendors in the U.S., have actually released vulnerability disclosure policies and processes, so if you find a bug, let them know. If you're not sure who you should report to, you should hit up our friends over at US-CERT.
Also since this blog post was first written, there have been some pretty major issues with voting by mail (VBM) systems. Historically, VBM systems have been generally fine and safe to use, especially in states like Colorado, Washington, Utah, Oregon, and Hawaii, where it's pretty much the only game in town. However, in other states, COVID-19 has attracted millions of first-time VBM users, and as a result, some districts have been struggling with the infrastructure required to validate and count these votes.
VBM systems also suffer from rejection rates that are higher than in-person balloting. This has always been true, and traditionally hover around a 1% error rate, but we're expecting a much higher rate this year as we have many, many new users of these systems.
So, if you're planning (or required) to vote by mail, double- and triple-check that you've signed the right things, you're using the right color ink, and that you mail it in as early as you can, then hope that today's signature matches your registered signature. The Washington Post has some good advice on how to have the best chance at having your VBM ballot counted.
That said, for many voters, the best-guaranteed way to have your vote counted is to vote in person at the polling place, where signatures are much less important and you have access to a poll worker right there to help you. And while I hope I've convinced you that hacked voting machines are pretty much not a thing, COVID-19 is a real concern and makes this a non-trivial decision. If your state has early voting, flatten that curve of in-person voters and try to show up somewhere in the middle of the early voting period. If you must vote on Nov. 3, then plan ahead—bring a book and a snack, maybe a jacket, and of course, your mask. It may end up being an all-day affair, and you might make some friends while standing in line.
Finally, don't expect results on Nov. 3, or Nov. 4, or really any time before December. While there will be plenty of local races with clear winners (and more importantly, clear losers conceding their races), the presidential election is pretty much guaranteed to be litigated through the month. Those VBM ballots, in particular, are going to take forever to count and recount, and there are certainly surprises up 2020's sleeve that we haven't even imagined yet.
So, my advice is that as November unfolds, take a critical view of outlandish-sounding claims of vote hacking, election hacking, or other stories of intentional election interference—especially if those stories align with your own biases. I'm certain we'll have this whole election thing figured out before mid-January. One silver lining to this stormcloud of an election is that we will almost certainly see new national legislation that will make voting in America easier, safer, and more trustworthy for everyone by 2022.