It’s no longer a question whether hackers will influence the 2016 elections in the United States — only how much they’ll be able to sway them.
Leaked emails already have cost a Democratic Party chairperson her job, and the FBI last month issued a flash warning that foreign cyberadversaries had breached two state election databases.
Those two states — most likely Arizona and Illinois — aren’t alone in having their voter information compromised. Voter registration databases from all 50 states are being hawked on Deep Web marketplaces, an investigation by the Institute for Critical Infrastructure Technology has found.
Those databases could be used for all kinds of mischief, noted ICIT Senior Fellow James Scott, who collaborated with ICIT researcher Drew Spaniel on a study of voting system vulnerabilities.
For example, an attacker could sour a candidate’s supporters by sending bogus robocalls, supposedly originating from the candidate, at 3 a.m.
“An attacker could alter registration records on Election Day to delay and disrupt the election process and to spread disenfranchisement in the U.S. democratic process,” Scott said.
Dilapidated Black Boxes
Theft of voter registration records may be just the tip of the iceberg. U.S. voting systems are woefully vulnerable to hacker attacks, the ICIT maintained in the study released last week.
“Western democracy is held hostage to vulnerable code in black boxes on dilapidated bare bones PCs with virtually zero endpoint security, otherwise known as e-voting machines,” Scott and Spaniel wrote.
“Moreover, the systems are maintained and managed either by manufacturer personnel who obfuscate the insecurity of the systems or by local and state voting officials who are the very prototype of victims that repeatedly fall for spear phishing, ransomware and malware attacks and other easily avoidable cyber-attacks,” they continued.
“The problem in the sector is not merely a matter of lacking basic cyber hygiene, rather it is the sheer absence of the technical aptitude required to understand the cyber, physical and technical landscape available for exploit by the multitude of adversaries possessing a keen interest in manipulating the election process,” Scott and Spaniel added.
Safety in Fragmentation?
As vulnerable as U.S. voting systems are, it would be difficult for hackers to influence the outcome of an election, maintained Tellagraff CEO Mark Graff, a former CISO of Nasdaq and Lawrence Livermore Labs.
“It’s one thing to steal voter registration information from websites on the Internet, but it’s quite something else to modify that information on the sites,” he said.
There’s a difference between generating noise intended to undermine the credibility of the election and actually influencing the outcome, Graff pointed out.
“I don’t believe there is a credible case right now that they are trying to directly influence the outcome of the election,” he said.
“While our systems do have vulnerabilities, the fact that we have a federal system and all 50 states have their own systems is a strength,” Graff observed. “It might be possible to change some votes, but to change the outcome of an election and do so in a way that could not be detected is not practical at this point.”
The fragmentation defense is an illusion propagated by the media, claimed ICIT’s Scott.
“The fragmented system does absolutely nothing to mitigate the risk of cybercompromise of election systems,” he argued. “If anything, the disjointed, distributed system makes it easier.”
The cybersecurity requirements of voting systems are not standardized or regulated, Scott explained. As a result, some states protect their systems, while other states only think that they protect their systems.
“Attackers only need to compromise one or a few counties in one or a few states to have a major impact on the national election,” he said. “It does not matter if some of the states adequately protect their systems, because the states that do not undermine the entire process.”
When it comes to ransomware, company brass have a bull’s-eye on their backs.
Upper management and C-level executives were popular targets of ransomware attacks, according to a recent Malwarebytes survey of 540 CIOs, CISOs and IT directors representing companies with an average of 5,400 employees across the U.S., Canada, UK and Germany.
Eighty percent of attacks affected mid-level managers or higher, the survey participants reported. A quarter of the attacks (25 percent) affected senior executives and the C-suite.
Ransomware in the wild increases by 46 percent or more every six months, Malwarebytes Senior Security Researcher Nathan Scott explained. “That’s because ransomware makes so much more money than any other malware that we have ever seen.”