Both voting systems and the voters themselves could be targets of malign influence.
The 2020 election was successfully completed without any major disruptions, but that did not stop some people from questioning the legitimacy of the election and the security methods in place to safeguard it. And while the claims of an unfair or biased election have been almost completely debunked, it’s still critical to examine the cybersecurity and other protections surrounding voting, in order to protect future elections—like the one happening just a few days from now.
Nextgov talked with two cybersecurity experts about election security. They pointed out both the strengths of the current system and some potential vulnerabilities that government officials should be wary of in the future.
Mark Stamford is the Founder and CEO of OccamSec, a cybersecurity firm that helps organizations perform continuous penetration testing on their networks. But Stamford did not begin his career wearing a white hat. Before that, he was a hacker.
Nextgov: Before we begin, can you tell us a little bit about your personal background and how you started to study the security of our elections and other critical networks and infrastructure?
Stamford: Sure. I started messing around with security when I was young because it seemed like a fun thing to do. From there I graduated to becoming a professional penetration tester. Then about 11 years ago I founded OccamSec, which was originally focused on penetration testing and red teaming. Originally it was just me but we grew to include intelligence support and threat hunting.
Nextgov: First, looking at the previous election in 2020, were there any notable attacks or breach attempts made against voting systems?
Stamford: I think the biggest attack was really the social engineering of voters via disinformation campaigns, which was really the biggest hack of all. And that makes sense when you think of how social engineering continues to be a hugely effective vector. Social media platforms were weaponized and the echo chambers they create were manipulated to great effect.
In terms of a large-scale attack made directly against a voting system, that was still a difficult task for attackers. The U.S. is not like some other countries, where people can vote online at scale. And given what happened in 2020, it feels like we are seeing a backlash against implementing that.
Nextgov: Looking forward, because you are able to see both sides of the fence in terms of cybersecurity, do you think that security vulnerabilities will be an issue for the upcoming election taking place in just a few days?
Stamford: It won’t be too much of an issue for the next election, but for 2024, it absolutely could. It’s inevitable that more voting systems will move online, and remote capabilities will increase. If a fridge is connected to the Internet to tell you when you are out of milk, a voting system is probably going to soon be online so you can vote, and so that the admins can troubleshoot problems at two in the morning on a Sunday. This will in turn increase the focus of our adversaries to try and compromise those systems.
Nextgov: Looking at future elections then, what are the key areas that need to be considered when designing election cybersecurity to thwart the most likely avenues of a potential attack?
Stamford: For now, onsite attacks are probably still the main vector of attack, which is similar to an internal penetration test, especially given the use of wireless networks and the fragmented nature of our voting system. It’s likely that polling environments will be utilizing wireless networks, which attackers will try to compromise from as far away as possible.
At the same time, social engineering of election officials will increase. If an attacker can phish an admin into giving up their password, it makes accessing the systems so much easier.
Remote attacks—coming from beyond the range of a wireless signal or even from a foreign country—are of course the stuff that gets more press, but online voting is still in its infancy. So for now, I think that kind of potential attack is more of an outlier.
The other vector is what’s now become known as supply chain attacks. What if an attacker is able to compromise the software that goes into a voting system? Or some piece of software that runs in a supporting role? In that case, you end up with a SolarWinds type issue where an agent deployed onto a system is actually the source of the problem.
Nextgov: It’s interesting that Stamford lists social engineering and the use of social media as a potential vulnerability for elections. Social media exists outside of any network designed for voting, and yet has the potential to sway voters and elections with no direct hacking needed. It’s an issue that our next expert, Matt Chiodi, has been studying.
Matt, can you first tell us a little bit about your background?
Chiodi: My passion for cybersecurity started at the tender age of eight when my parents bought me a TRS-80 from RadioShack. I was fascinated by a machine that could be programmed to do what I told it. Perhaps even more interesting for me was how to break it. Over the years I became progressively involved in how computers worked, learning a ton about hacking from an ancient medium known as a BBS—Bulletin Board System. In college, I spent a great deal of time investigating the university’s networks, probing for vulnerabilities, finding them and exploiting them. After college, I started as a Unix system administrator and quickly pivoted into cybersecurity, where I’ve spent the last 20 years.
Nextgov: And now you work with the Cerby security firm. What made you want to join them?
Chiodi: I joined Cerby because they were solving a problem no one else was even looking at. The founders discovered a massive class of applications being used in governments and enterprises globally that don’t meet widely accepted security standards, like single sign-on. We call this group “unmanageable applications,” because in the enterprise, that’s exactly what they are...unmanageable.
Nextgov: Okay, let’s talk about social media in terms of election security. Mark says that it’s one area that is very troubling. Why is social media a potential threat to elections?
Chiodi: Because influencing a vote is much easier to do than directly changing one in an election system—at least in the United States. Every nation-state has an unquenchable appetite for data. Consider that the U.S. has been the biggest data requester for many of the most popular social media platforms. Don’t think of one social media platform’s data in isolation, but what could a nation-state do with it in conjunction with data from public and dark web sources—like the Twitter breach several months ago that exposed millions of its users?
Any nation-state with access to that volume of data could use it in the following real-world scenarios:
- They could develop targeted campaigns to identify those with access to sensitive intellectual property and execute spear-phishing campaigns to gain access. For example, if you work for a defense contractor or a telecommunications company, you could be a prime target.
- They could sway the opinion of a group of users by promoting a certain point of view that is advantageous to the geopolitical fortunes of the nation-state and its allies. This would likely be done via the algorithm that recommends videos.
- They could create a long-haul campaign to uniquely identify individuals they predict will have the most future influence in industry or society. Predictions could be based upon various degrees of separation, among other factors. These individuals could be targeted and influenced over the course of years, and then may eventually be approached for espionage purposes.
Nextgov: Wow, that is some sinister sounding stuff. Has any nation-state ever done something like that?
Chiodi: While not a nation-state example—which are likely to only be declassified far in the future—around this time two years ago, some very prominent Twitter accounts got hacked. Stars ranging from Former President Barack Obama and Michael Bloomberg to Warren Buffett and Kanye West—with a collective audience of 250 million—suddenly urged their followers to buy Bitcoin via sinister addresses. Twitter only became aware of the issue after the sales pitch went out. Law enforcement got involved, and it turned out the dastardly criminals were…teenagers.
Nextgov: And that incident, along with general cybersecurity concerns, led your firm to conduct an audit of the cybersecurity of the leading social media platforms. That report will be out soon, but can you give us a sneak peek at some of your findings?
Chiodi: Social media platforms used by popular U.S. political leaders often lack the security controls necessary to prevent disinformation campaigns. U.S. politicians have grown their social presence over the last few presidential elections, following a general trend away from mass media, and nation-states have taken notice. In the run-up to the 2022 mid-terms, Cerby evaluated five prominent social media platforms for security controls across critical areas, such as two-factor authentication, enterprise readiness and privacy.
Despite a history of controversy, Facebook took the top prize with an overall score of 2.85 out of a total of 5 possible points. Twitter came in at a close second at 2.78. Taking the third spot was Instagram with 2.27, followed by Reddit at 1.92 and TikTok at a distant 1.08. Note that these platforms are constantly changing and releasing new features and this was a point-in-time assessment from the fall of 2022.
Nextgov: What were the biggest differences between the highest scoring platforms and the lowest?
Chiodi: The greatest differentiator, and where we placed the heaviest weighting, was the strength of two-factor authentication options. Most consumers see 2FA as a single technology, when, in truth, there are different levels of security with various 2FA options. While platforms like Facebook and Twitter stand head and shoulders above TikTok, one thing they all have in common is that none of these platforms offer enterprise-grade security outside of 2FA.
Even in the category of 2FA, support for emerging standards like FIDO2 and U2F—passwordless—is very inconsistent across social media platforms. This is a massive challenge, as a lack of enterprise-grade authentication options leaves political leaders susceptible to credential reuse attacks. U.S. politicians on these platforms have to manage their own passwords and hopefully are using 2FA. But suppose these platforms offered support for enterprise-grade authentication options like single sign-on? In that case, politicians would no longer need to manage their passwords. They could rely on their armies of IT staffers via integrations with popular identity management solutions like Okta and Microsoft’s Azure Active Directory.
Nextgov: Okay, but what about disinformation, which is often cited as a threat to elections. Valid accounts could be controlled by nation-states for the purpose of spreading disinformation. What can we do about that?
Chiodi: Disinformation works best when a nation-state can coordinate its efforts across multiple platforms. Politicians need to look at these findings through two lenses: the social media platforms' security and the level of security controls the platforms offer to politicians as end users. We are not recommending that politicians stop using these platforms, but rather that they focus their efforts on mature platforms scoring at least 2.7 or higher.
From a macro perspective, the social media platforms themselves, while very competitive, could take a cue from Information Sharing and Analysis Centers and more closely share information that would likely better govern and block bots.
NextGov: Okay, final question for each of you. First, for you Mark, what can be done to directly protect voting machines and systems to ensure the integrity of our upcoming elections?
Stamford: Implementing multi-factor authentication for everyone involved with elections is a good starting point. And make sure that any voting system has either been built securely, or at least has undergone some testing to see how secure, or not, it is. And don’t put anything online that doesn’t have to be. You also need to secure the supply chain for voting systems, including hardware and software.
Finally, try to be bipartisan about the whole thing. It's in the best interest of both sides if we sort this out, rather than arguing about whatever it is people want to argue about.
Nextgov: And for you Matt, what should government and politicians do to help ensure that their social media accounts are secure, and that social media can not be used by nation-states or other groups to “hack” an election indirectly?
Chiodi: First, politicians—or anyone using social media—should ensure they use solid passwords via a password manager and have the most potent form of 2FA enabled. Do not use SMS-based 2FA, as it is easy to exploit and a favorite of attackers. On Facebook and Twitter, this means using something like a YubiKey to take advantage of the ultra-secure emerging FIDO2 standard. On platforms like TikTok, unfortunately, they are relegated to email-based 2FA or, worse yet, SMS-based 2FA, which is very susceptible to SIM-based attacks. Secondly, politicians should consider updating Section 230 of the Communications Decency Act to provide security and privacy oversight for social media platforms that now dominate the U.S. political landscape. There is a delicate balance between too little and too much regulation. But in the digital realm of the U.S., free speech is regulated by Section 230 of the Communications Decency Act, which went into law in the technical dark ages of 1996.
John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys