As the United States prepares for the 2020 presidential election, there is concern regarding the vulnerability of the country’s voting infrastructure and the potential for international interference to sabotage election security.
According to a February 2020 NY Times article, history may repeat itself in the upcoming 2020 election if lawmakers don’t take extra precautions. Nation-state interference is a grave concern among governments as well as technology and social media companies. In reality, it does not take an entire nation to rig an election: Andrés Sepúlveda rigged elections throughout Latin America for almost a decade from an apartment in Bogota.
Leading up to the United States 2018 midterm elections, Radware surveyed Facebook users on the safety of U.S. elections and the results reveal a pessimistic situation. The overwhelming majority (93.4 percent) of respondents believe that the United States election system is vulnerable to targeting and hacking.
A Dangerously Flawed Voting Infrastructure
It is alarmingly easy to hack into U.S. voting systems. At the 2018 DEFCON conference, an 11-year-old boy hacked into a replica of the Florida state election website and changed voting results in under 10 minutes. At the 2019 DEFCON conference, organizers assembled over 100 machines and not a single machine was left uncompromised.
Why is it so easy? A large part of the problem is a lack of standards among state election systems regarding either protocols or equipment. Voting equipment varies from paper ballots and punch cards to electronic touch screens. Some states manually count votes while others use automated processes. Because of these variables, each state has different security flaws and different vulnerabilities.
There are roughly 350,000 voting machines used in the U.S. today, according to Verified Voting. There are two types of machines: direct-recording electronic (DRE) machines, which are digital and allow voters to touch a screen to make their selections, and optical-scan systems. Optical-scan machines allow voters to make their selections on a paper ballot, which gets fed into an optical scanner and can be used later to verify the digital results. The DREs are of particular concern because all models are vulnerable to hacking and do not provide a hard copy of the vote to check results.
Voting machines need to be programmed with ballot information, generally using a network connection. Precinct results are often centrally tabulated by state and local governments over their various local area networks, adding even more points of vulnerability.
Thanks to the COVID-19 pandemic and millions of voters using mail-in ballots, voting machines will not be the only issue in securing elections. Although millions of ballots will be cast by mail, the networks and databases of local governments need to be secured against potential threats.
While Acting Undersecretary for Cybersecurity and Communications at the Department of Homeland Security, Jeanette Manfra stated voting machines “are not connected to the internet.” Recent research suggests the opposite.
Any device connected to the internet is vulnerable to an array of attacks, including DoS attacks that take down network access. During the 2019 elections in Finland, an investigation was launched into DDoS attacks against online services for communicating voting results.
Future voting machines are undeniably mobile devices, but mobile applications and internet APIs are even more challenging to secure and control than “offline” systems. Application and API attacks can impact polling applications, and malicious bots conducting scraping activities and account takeover attacks can disrupt network services and aggregate sensitive data.
The result is that local election officials find themselves thrust into a global battle without borders, clear enemies or rules of engagement. Local municipalities are ill-equipped to deal with sophisticated, nationally organized cyberattacks by foreign governments.
To mitigate denial-of-service attacks that impede infrastructure availability, Radware suggests a behavioral-based hybrid attack mitigation service which combines on-premises detection and mitigation with cloud-based volumetric attack scrubbing and a fully managed cloud-only attack protection service.
To protect sensitive data as well as mission-critical web applications and APIs, a WAF solution that uses a positive security model and machine learning algorithms to provide an adaptive defense against the OWASP Top 10 and other threats is critical.
It’s also crucial to discern human users from bad bots accessing web and mobile applications. A bot manager can defend against attacks including site scraping, fake account creation, skewed analytics and account takeover.