Experts Weigh in on Strengths and Vulnerabilities of Election Cybersecurity – Nextgov





By John Breeden II
The 2020 election was successfully completed without any major disruptions, but that did not stop some people from questioning the legitimacy of the election and the security methods in place to safeguard it. And while the claims of an unfair or biased election have been almost completely debunked, it’s still critical to examine the cybersecurity and other protections surrounding voting, in order to protect future elections—like the one happening just a few days from now.
Nextgov talked with two cybersecurity experts about election security. They pointed out both the strengths of the current system and some potential vulnerabilities that government officials should be wary of in the future.
Mark Stamford is the Founder and CEO of OccamSec, a cybersecurity firm that helps organizations perform continuous penetration testing on their networks. But Stamford did not begin his career wearing a white hat. Before that, he was a hacker.
Nextgov: Before we begin, can you tell us a little bit about your personal background and how you started to study the security of our elections and other critical networks and infrastructure?
Stamford: Sure. I started messing around with security when I was young because it seemed like a fun thing to do. From there I graduated to becoming a professional penetration tester. Then about 11 years ago I founded OccamSec, which was originally focused on penetration testing and red teaming. Originally it was just me but we grew to include intelligence support and threat hunting. 
Nextgov: First, looking at the previous election in 2020, were there any notable attacks or breach attempts made against voting systems?
Stamford: I think the biggest attack was really the social engineering of voters via disinformation campaigns, which was really the biggest hack of all. And that makes sense when you think of how social engineering continues to be a hugely effective vector. Social media platforms were weaponized and the echo chambers they create were manipulated to great effect. 
In terms of a large-scale attack made directly against a voting system, that was still a difficult task for attackers. The U.S. is not like some other countries, where people can vote online at scale. And given what happened in 2020, it feels like we are seeing a backlash against implementing that.
Nextgov: Looking forward, because you are able to see both sides of the fence in terms of cybersecurity, do you think that security vulnerabilities will be an issue for the upcoming election taking place in just a few days?
Stamford: It won’t be too much of an issue for the next election, but for 2024, it absolutely could. It’s inevitable that more voting systems will move online, and remote capabilities will increase. If a fridge is connected to the Internet to tell you when you are out of milk, a voting system is probably going to soon be online so you can vote, and so that the admins can troubleshoot problems at two in the morning on a Sunday. This will in turn increase the focus of our adversaries to try and compromise those systems.
Nextgov: Looking at future elections then, what are the key areas that need to be considered when designing election cybersecurity to thwart the most likely avenues of a potential attack?
Stamford: For now, onsite attacks are probably still the main vector of attack, which is similar to an internal penetration test, especially given the use of wireless networks and the fragmented nature of our voting system. It’s likely that polling environments will be utilizing wireless networks, which attackers will try to compromise from as far away as possible. 
At the same time, social engineering of election officials will increase. If an attacker can phish an admin into giving up their password, it makes accessing the systems so much easier.
Remote attacks—coming from beyond the range of a wireless signal or even from a foreign country—are of course the stuff that gets more press, but online voting is still in its infancy. So for now, I think that kind of potential attack is more of an outlier.
The other vector is what’s now become known as supply chain attacks. What if an attacker is able to compromise the software that goes into a voting system? Or some piece of software that runs in a supporting role? In that case, you end up with a SolarWinds type issue where an agent deployed onto a system is actually the source of the problem.
Nextgov: It’s interesting that Stamford lists social engineering and the use of social media as a potential vulnerability for elections. Social media exists outside of any network designed for voting, and yet has the potential to sway voters and elections with no direct hacking needed. It’s an issue that our next expert, Matt Chiodi, has been studying.
Matt, can you first tell us a little bit about your background?
Chiodi: My passion for cybersecurity started at the tender age of eight when my parents bought me a TRS-80 from RadioShack. I was fascinated by a machine that could be programmed to do what I told it. Perhaps even more interesting for me was how to break it. Over the years I became progressively involved in how computers worked, learning a ton about hacking from an ancient medium known as a BBS—Bulletin Board System. In college, I spent a great deal of time investigating the university’s networks, probing for vulnerabilities, finding them and exploiting them. After college, I started as a Unix system administrator and quickly pivoted into cybersecurity, where I’ve spent the last 20 years.
Nextgov: And now you work with the Cerby security firm. What made you want to join them?
Chiodi: I joined Cerby because they were solving a problem no one else was even looking at. The founders discovered a massive class of applications being used in governments and enterprises globally that don’t meet widely accepted security standards, like single sign-on. We call this group “unmanageable applications,” because in the enterprise, that’s exactly what they are…unmanageable. 
Nextgov: Okay, let’s talk about social media in terms of election security. Mark says that it’s one area that is very troubling. Why is social media a potential threat to elections?
Chiodi: Because influencing a vote is much easier to do than directly changing one in an election system—at least in the United States. Every nation-state has an unquenchable appetite for data. Consider that the U.S. has been the biggest data requester for many of the most popular social media platforms. Don’t think of one social media platform’s data in isolation, but what could a nation-state do with it in conjunction with data from public and dark web sources—like the Twitter breach several months ago that exposed millions of its users? 
Any nation-state with access to that volume of data could use it in the following real-world scenarios:
Nextgov: Wow, that is some sinister sounding stuff. Has any nation-state ever done something like that?
Chiodi: While not a nation-state example—which are likely to only be declassified far in the future—around this time two years ago, some very prominent Twitter accounts got hacked. Stars ranging from Former President Barack Obama and Michael Bloomberg to Warren Buffett and Kanye West—with a collective audience of 250 million—suddenly urged their followers to buy Bitcoin via sinister addresses. Twitter only became aware of the issue after the sales pitch went out. Law enforcement got involved, and it turned out the dastardly criminals were…teenagers.
Nextgov: And that incident, along with general cybersecurity concerns, led your firm to conduct an audit of the cybersecurity of the leading social media platforms. That report will be out soon, but can you give us a sneak peek at some of your findings?
Chiodi: Social media platforms used by popular U.S. political leaders often lack the security controls necessary to prevent disinformation campaigns. U.S. politicians have grown their social presence over the last few presidential elections, following a general trend away from mass media, and nation-states have taken notice. In the run-up to the 2022 mid-terms, Cerby evaluated five prominent social media platforms for security controls across critical areas, such as two-factor authentication, enterprise readiness and privacy.
Despite a history of controversy, Facebook took the top prize with an overall score of 2.85 out of a total of 5 possible points. Twitter came in at a close second at 2.78. Taking the third spot was Instagram with 2.27, followed by Reddit at 1.92 and TikTok at a distant 1.08. Note that these platforms are constantly changing and releasing new features and this was a point-in-time assessment from the fall of 2022.
Nextgov: What were the biggest differences between the highest scoring platforms and the lowest?
Chiodi: The greatest differentiator, and where we placed the heaviest weighting, was the strength of two-factor authentication options. Most consumers see 2FA as a single technology, when, in truth, there are different levels of security with various 2FA options. While platforms like Facebook and Twitter stand head and shoulders above TikTok, one thing they all have in common is that none of these platforms offer enterprise-grade security outside of 2FA. 
Even in the category of 2FA, support for emerging standards like FIDO2 and U2F—passwordless—is very inconsistent across social media platforms. This is a massive challenge, as a lack of enterprise-grade authentication options leaves political leaders susceptible to credential reuse attacks. U.S. politicians on these platforms have to manage their own passwords and hopefully are using 2FA. But suppose these platforms offered support for enterprise-grade authentication options like single sign-on? In that case, politicians would no longer need to manage their passwords. They could rely on their armies of IT staffers via integrations with popular identity management solutions like Okta and Microsoft’s Azure Active Directory.
Nextgov: Okay, but what about disinformation, which is often cited as a threat to elections? Valid accounts could be controlled by nation-states for the purpose of spreading disinformation. What can we do about that?
Chiodi: Disinformation works best when a nation-state can coordinate its efforts across multiple platforms. Politicians need to look at these findings through two lenses: the social media platforms’ security and the level of security controls the platforms offer to politicians as end users. We are not recommending that politicians stop using these platforms, but rather that they focus their efforts on mature platforms scoring at least 2.7 or higher. 
From a macro perspective, the social media platforms themselves, while very competitive, could take a cue from Information Sharing and Analysis Centers and more closely share information that would likely better govern and block bots. 
Nextgov: Okay, final question for each of you. First, for you Mark, what can be done to directly protect voting machines and systems to ensure the integrity of our upcoming elections?
Stamford: Implementing multi-factor authentication for everyone involved with elections is a good starting point. And make sure that any voting system has either been built securely, or at least has undergone some testing to see how secure, or not, it is. And don’t put anything online that doesn’t have to be. You also need to secure the supply chain for voting systems, including hardware and software. 
Finally, try to be bipartisan about the whole thing. It’s in the best interest of both sides if we sort this out, rather than arguing about whatever it is people want to argue about.
Nextgov: And for you Matt, what should government and politicians do to help ensure that their social media accounts are secure, and that social media cannot be used by nation-states or other groups to “hack” an election indirectly?
Chiodi: First, politicians—or anyone using social media—should ensure they use solid passwords via a password manager and have the most potent form of 2FA enabled. Do not use SMS-based 2FA, as it is easy to exploit and a favorite of attackers. On Facebook and Twitter, this means using something like a YubiKey to take advantage of the ultra-secure emerging FIDO2 standard. On platforms like TikTok, unfortunately, they are relegated to email-based 2FA or, worse yet, SMS-based 2FA, which is very susceptible to SIM-based attacks. Secondly, politicians should consider updating Section 230 of the Communications Decency Act to provide security and privacy oversight for social media platforms that now dominate the U.S. political landscape. There is a delicate balance between too little and too much regulation. But in the digital realm of the U.S., free speech is regulated by Section 230 of the Communications Decency Act, which went into law in the technical dark ages of 1996.
John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys