Voting has already started ahead of Election Day on Nov. 3, but there are concerns about the state-level cybersecurity posture of election infrastructure after officials in Hall County, GA revealed that a ransomware attack took down a voter signature database and a voting precinct map that was hosted on the county’s website.
The attack, which was the first one announced this election season, highlights the precarious, patchwork nature of cybersecurity when it comes to how each state protects digital election tools.
SecurityScorecard released a report earlier this month that examined the overall cybersecurity posture of all 56 US states and territories in the run-up to the presidential election. The study found that 75% of states and territories had IT infrastructure vulnerable to a variety of cyberattacks.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
Alleged inaccuracies in the report
The findings of the report have been vehemently disputed by representatives for dozens of states, who slammed it for alleged inaccuracies and for spreading unnecessary fear.
Reid Magney, public information officer for Wisconsin’s Elections Commission, called the report “a marketing tool” and said Wisconsin as well as other states “expressed significant concerns about the timing of their report, the lack of transparency in their methodology, and their lack of outreach to the states.”
“The Wisconsin Elections Commission has been working for years with our local, state and federal partners to ensure the security of our elections systems,” Magney said.
SecurityScorecard did not respond to multiple requests for comment in light of the concerns expressed by states nationwide.
Phil Bates, head of Information Security with Utah’s Department of Technology Services, listed a number of inaccuracies and misrepresentations that he believed marred the report’s overall findings.
“I think it casts some doubts that aren’t really there and are not really helpful for any state to look at that and be able to do anything meaningful with it. Some of the states that they were grading pretty low, I think they’ve got a really good program in place. Like North Dakota really has a great program in place and they didn’t score very high so that leads me to believe that the methodology that they’re using wasn’t the best,” Bates said.
“One of the biggest problems with that report is that when you look at a network the size of the state of Utah, that all of the people we provide services for, election related infrastructure is a very, very tiny piece of that. That election infrastructure is segmented away and firewalled away from the rest of the network assets that we have out there,” Bates said.
He went on to explain that many states like Utah have guest networks that provide services to anyone coming into state facilities and that it made sense why the researchers behind the report would find malware there because the state largely does not protect those networks.
“[They’re] going to see malware on those kinds of machines because we don’t do any protection for those, we just provide them an internet connection and throw them right out the front door of our network,” he said.
Many county governments in Utah provide similar public internet services to citizens that the state doesn’t provide security for, Bates said, noting that to use examinations of those networks and “make some assumptions about problems with election security is really a big, big stretch.”
How the report graded states
The report gives each state a grade, from A to F, and noted that 75% were rated at a C level or below, which the company says makes them three times more likely to experience a breach or ransomware attack like the one seen in Georgia on Oct. 7. More than 30% garnered a D or below, which the report says makes those states or territories five times more likely to face an attack of some kind.
“The results are not surprising, and vulnerability management remains a challenge for many organizations. As this analysis shows, security gaps can be amplified by resource constraints, interconnected support systems, and a remote workforce that may increase the vulnerability footprint,” said Matt Ashburn, who served as CISO for the White House’s National Security Council from 2017 to 2019.
“Teams with limited resources many times have the unenviable position of defending systems against the world’s most persistent and well-resourced adversaries. Organizations must prioritize their security investment, ensure user awareness of threats, and develop backup procedures in case critical processes fail,” Ashburn said.
Researchers with SecurityScorecard put the scores together using publicly available data and based it on the weighted average of 10 “Factor Scores” in different categories: Network security, DNS health, patching cadence, endpoint security, IP reputation, application security, cubit score, hacker chatter, information leaks, and social engineering.
American Samoa, Puerto Rico, Guam, the Northern Mariana Islands, and the US Virgin Islands were included in the ranking because their residents are US citizens and, while the territories do not vote in the presidential general election, they do take part in the party primary process.
The report found that Kentucky, Kansas, and Michigan all had scores above 92, while states like North Dakota, Illinois, and Oklahoma all garnered scores around 60.
Most battleground states, including Michigan, Wisconsin, Texas, Pennsylvania, and Arizona, had scores above 80. Others, including Georgia, New Hampshire, Nevada, Florida, Iowa, and Ohio, had scores in the 60s and 70s.
“The IT infrastructure of state governments should be of critical importance to securing election integrity. This is especially true in ‘battleground states’ where the Department of Homeland Security, political parties, campaigns, and state government officials should enforce vigilance through continuously monitoring state voter registration networks and web applications for the purpose of mitigating incoming attacks from malicious actors,” said Alex Heid, chief research and development officer at SecurityScorecard.
“The digital storage and transmission of voter registration and voter tally data needs to remain flawlessly intact. Some states have been doing well regarding their overall cybersecurity posture, but the vast majority have major improvements to make.”
The study notes that many of the scores have changed since the beginning of the year, due in no small part to the coronavirus pandemic, which has forced many election teams to work remotely.
“Many states’ scores have dropped significantly since January. For example, North Dakota scored a 72 in January and now has a 59. Why? Remote work mandates gave state networks a larger attack surface (e.g., thousands of state workers on home Wi-Fi), making it more difficult to ensure employees are using up-to-date software,” the report said.
“SecurityScorecard observed significant security concerns with two critically important ‘battleground’ states, Iowa and Ohio, both of which scored a 68, or a ‘D’ rating,” it noted, adding that half of all states considered “battlegrounds had lackluster IT infrastructure.”
The report notes that while the focus was on election cybersecurity, the scores do reflect on the larger security posture of the state and its local offices.
Endpoint security an issue in most states
The category in which most states fared worst was endpoint security, the lowest-scoring of the 10 factors measured in the survey, with an average score of 61.
Researchers “measured detected versions for operating systems, web browsers, and other notable data points that comprise endpoint security.”
“Massachusetts rates last in endpoint security with nearly 2,000 outdated operating system findings. Illinois comes in second-lowest with over 1,000 findings. Outdated software is vulnerable against the latest security threats, making it easier for attackers to deploy malware, either via a drive-by-download attack or spear-phishing attack,” the report said, adding that states can easily fix this by updating web browsers and operating systems to the latest available versions.
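The report does not publish how it counted "outdated operating system findings," but the passage above describes the general technique: version strings that browsers and operating systems advertise (most visibly in the HTTP User-Agent header) are collected and compared against the current release. The following Python script, added here as an illustration and not code from the report or from SecurityScorecard, shows that kind of check run over a handful of constructed web-server log lines in Apache combined format. The Windows NT version-to-product mapping and the end-of-support dates are public facts; the minimum browser versions are assumed thresholds chosen for the example, not the report's criteria.

```python
import re
from collections import Counter

# Constructed sample log lines (Apache combined format); not traffic from any real state system.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Oct/2020:09:14:02 -0400] "GET /elections/precincts HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36"
203.0.113.11 - - [20/Oct/2020:09:14:09 -0400] "GET /elections/register HTTP/1.1" 200 8831 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36"
203.0.113.12 - - [20/Oct/2020:09:15:41 -0400] "GET /elections/status HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Windows NT 5.1; rv:52.0) Gecko/20100101 Firefox/52.0"
203.0.113.13 - - [20/Oct/2020:09:16:03 -0400] "GET /elections/status HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0"
203.0.113.14 - - [20/Oct/2020:09:16:30 -0400] "GET /robots.txt HTTP/1.1" 200 68 "-" "curl/7.68.0"
"""

# Windows NT kernel versions whose product had left vendor support by October 2020:
# NT 5.1 = Windows XP (ended 2014), NT 6.0 = Windows Vista (2017), NT 6.1 = Windows 7 (January 2020).
UNSUPPORTED_WINDOWS = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7"}

# Assumed minimum acceptable browser major versions for this example (roughly the
# current release trains in autumn 2020). These are illustrative, not the report's thresholds.
MIN_BROWSER_MAJOR = {"Chrome": 85, "Firefox": 80}

UA_RE = re.compile(r'"([^"]*)"$')          # the User-Agent is the last quoted field
WINDOWS_RE = re.compile(r"Windows NT (\d+\.\d+)")
BROWSER_RE = re.compile(r"\b(Chrome|Firefox)/(\d+)")

def extract_user_agent(line):
    """Return the User-Agent string from one combined-format log line, or None."""
    m = UA_RE.search(line.rstrip())
    return m.group(1) if m else None

def assess_user_agent(ua):
    """Return a list of findings for one User-Agent; an empty list means nothing flagged."""
    findings = []
    w = WINDOWS_RE.search(ua)
    if w and w.group(1) in UNSUPPORTED_WINDOWS:
        findings.append(f"unsupported OS: {UNSUPPORTED_WINDOWS[w.group(1)]} (NT {w.group(1)})")
    b = BROWSER_RE.search(ua)
    if b:
        name, major = b.group(1), int(b.group(2))
        if major < MIN_BROWSER_MAJOR[name]:
            findings.append(f"outdated browser: {name} {major} < {MIN_BROWSER_MAJOR[name]}")
    return findings

def scan_log(text):
    """Map client IP -> findings for every line whose User-Agent raises a flag."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip = line.split(" ", 1)[0]
        ua = extract_user_agent(line)
        if ua is None:
            continue
        findings = assess_user_agent(ua)
        if findings:
            report.setdefault(ip, []).extend(findings)
    return report

def summarize(report):
    """Tally findings by category, the way a report counts 'outdated operating system findings'."""
    counts = Counter()
    for findings in report.values():
        for f in findings:
            counts[f.split(":")[0]] += 1
    return counts

if __name__ == "__main__":
    result = scan_log(SAMPLE_LOG)
    for ip, findings in result.items():
        print(ip, "->", "; ".join(findings))
    print(dict(summarize(result)))
```

Two of the five constructed clients are flagged: a Windows 7 machine on Chrome 49 and a Windows XP machine on Firefox 52. The `curl` client is ignored because it advertises neither an operating system nor a browser the script knows about. A User-Agent can be spoofed, so a count like this is evidence of exposure, not proof of a vulnerable host; that caveat is part of why Utah's Phil Bates argues, above, that external observations of guest and public networks say little about election systems.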
Andrew Homer, head of security strategy at Morphisec, said his company has done its own research finding that of the 16 million employees that work in state and local government today, nearly 40% of them are still working from home. This means there are at least 6 million endpoint devices that employees are working on outside of traditional IT oversight.
“This only compounds existing issues with state and local governments when it comes to weak endpoint protection. These IT departments are often underfunded, short-staffed, and are not often a fit for costly and complex solutions,” Homer said. “That can leave state governments solely reliant on legacy antivirus solutions, which are increasingly ineffective against endpoint threats because they cannot detect advanced attacks.”
Malware another problem in states
Malware was also a major problem, particularly for states like West Virginia, Idaho, and Indiana, which all had the highest counts of malware present across multiple malware families.
Researchers found a variety of malware families in state infrastructure, including Conficker, Emotet, TrickBot, Matsnu, and Qrypter.rat. One of the most worrying sections of the report notes that cyberattackers looking for access to state networks could easily purchase access “from criminal groups that have gained a foothold through pre-existing malware infections.”
The analysts behind the report added that they observed a high volume of Server Message Block (SMB) exposure at the state level, specifically SMB services reachable from the public internet.
“This enables applications and users to access files (or other resources like printers) on remote servers. When this is exposed to the public internet, actors can quickly and easily gain access to a network,” the report said.
“This is how the infamous WannaCry and Petya ransomware attacks were executed.”
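Internet-exposed SMB is usually a firewall or security-group mistake rather than a deliberate design, so the cheapest check is to review ingress rules before an external scanner finds TCP/445 open. The Python below is an added example, not code from the report or from any state, and the ingress rules it inspects are constructed in a generic security-group style (names, ports, and source ranges are all made up). It flags any rule that lets a non-private source range reach the SMB ports and produces a hardened rule set with those entries removed.

```python
import ipaddress

# TCP/139 (NetBIOS session service) and TCP/445 (direct-hosted SMB) are the ports
# that WannaCry-style worms reach for. Both should never be reachable from the internet.
SMB_PORTS = {139, 445}
ANY_NETWORK = {"0.0.0.0/0", "::/0"}

# Constructed sample ingress rules; not taken from any real state network.
SAMPLE_RULES = [
    {"name": "web-https",      "proto": "tcp", "from_port": 443,  "to_port": 443,   "src": "0.0.0.0/0"},
    {"name": "file-share-any", "proto": "tcp", "from_port": 445,  "to_port": 445,   "src": "0.0.0.0/0"},
    {"name": "file-share-lan", "proto": "tcp", "from_port": 445,  "to_port": 445,   "src": "10.0.0.0/8"},
    {"name": "legacy-netbios", "proto": "tcp", "from_port": 137,  "to_port": 139,   "src": "0.0.0.0/0"},
    {"name": "all-tcp-v6",     "proto": "tcp", "from_port": 0,    "to_port": 65535, "src": "::/0"},
    {"name": "rdp-vpn",        "proto": "tcp", "from_port": 3389, "to_port": 3389,  "src": "192.168.50.0/24"},
]

def covers_smb(rule):
    """True if the rule's port range includes an SMB port over TCP (or all protocols)."""
    if rule["proto"] not in ("tcp", "any"):
        return False
    return any(rule["from_port"] <= port <= rule["to_port"] for port in SMB_PORTS)

def source_is_internet(src):
    """True if the source is the whole internet or any routable (non-private) range.

    A partner's public range is still 'internet' for SMB purposes: the report's point is
    that SMB should only ever be reachable from inside the organisation's own address space.
    """
    if src in ANY_NETWORK:
        return True
    return not ipaddress.ip_network(src, strict=False).is_private

def find_exposed_smb(rules):
    """Names of rules that expose SMB to the internet, in the order they appear."""
    return [r["name"] for r in rules if covers_smb(r) and source_is_internet(r["src"])]

def harden(rules):
    """Return (kept, dropped): internet-reachable SMB rules are removed, everything else is kept.

    Rules that scope SMB to private ranges (e.g. 10.0.0.0/8) are left alone, since internal
    file sharing is the legitimate use the protocol exists for.
    """
    kept, dropped = [], []
    for r in rules:
        target = dropped if covers_smb(r) and source_is_internet(r["src"]) else kept
        target.append(r)
    return kept, dropped

if __name__ == "__main__":
    print("exposed SMB rules:", find_exposed_smb(SAMPLE_RULES))
    kept, dropped = harden(SAMPLE_RULES)
    print("dropped:", [r["name"] for r in dropped])
    print("remaining exposure:", find_exposed_smb(kept))
```

On the constructed rules the check reports `file-share-any`, `legacy-netbios`, and `all-tcp-v6`; the last one is the case that port-specific audits miss, because a permit-everything rule covers 445 without naming it. `file-share-lan` survives hardening because it is scoped to 10.0.0.0/8. A rule review like this complements, rather than replaces, an external scan of the organisation's public address space for TCP/445, which is the vantage point from which SecurityScorecard made its observation.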
For the states with low scores, the consequences are particularly dire considering the ever-widening attack landscape. Cybercriminals are already leveraging an array of targeted phishing and malware delivery tools through email and other mediums to both “infect networks and spread misinformation.”
According to the report, attackers sometimes sell their access to a system to other people after infiltrating a network or infecting devices.
Dozens of states also use third-party vendors for a variety of tools and often contract with the same companies, meaning one breach could allow access to multiple state systems.
“In fact, third parties are the primary area of focus for political campaigns because a significant amount of information is held by mom-and-pop ad-buying shops and pollster outfits. It’s not about the campaigns being attacked themselves, but one of their vendors,” the report said.
“Voter registration databases could be impacted, but more information about a state’s IT infrastructure would need to be uncovered to determine how such information is maintained within the state’s overall IT architecture, i.e., a low score may not necessarily mean that such information is easily compromised. In the worst-case scenario, attackers could remove voter registrations or change voter precinct information or make crucial systems entirely unavailable on Election Day through ransomware.”
The report’s authors reminded readers that the rankings are not intended to shame states and they noted that SecurityScorecard does provide both political parties with cybersecurity products and services at no cost.
This article was updated on Oct. 27, 2020 to reflect concerns by some states about the findings and methodology of the report.