Think Your Election System Is Secure? Think Again.

User training and the latest cybersecurity tools are worthwhile, but there is no panacea.
July 19, 2018
Signs are posted on entry doors to a ballot storage area at the Franklin County Board of Elections in Columbus, Ohio. (AP/Julie Carr Smyth)
By John Odum  |  Contributor
City clerk and election administrator for Montpelier, Vt.

No one doubts that election administrators at every level of government have taken the call for increased cybersecurity seriously, recognizing the growing threats to our voting systems. Secretaries of state and other state-level election administrators, for example, have come around to the need to create "human firewalls" by training local administrators on safe and secure computer use.

Thankfully, nobody believes that user training by itself is an adequate solution. Unfortunately, however, too many election administrators are putting their faith in cybersecurity tools that by themselves don't provide nearly the level of security they need.

These days in professional circles, for example, "two-factor authentication" is all the rage. 2FA creates an additional requirement, beyond just a password, for access to systems such as the states' centralized voter-registration databases. It's best understood by comparing it to that extra number on the back of your credit card that is now generally expected to be provided for commercial transactions. In 2FA's more sophisticated form, this second passkey is either dynamically generated (such as through a text or email) or takes the form of a separate physical device (such as a card or fob).

But election authorities and consultants shouldn't fool themselves into thinking that 2FA solves all their problems, as I've heard some do. Hacking is as much art as science, and as an art it allows for an almost limitless and ever-evolving palette for artists to work with -- and there are some very good artists out there.

That means there are some things that 2FA won't protect you from. "Social engineering" is the big one, and no amount of user training can thwart it entirely. A hacker getting an end user to do something foolish isn't just about getting passwords. Clicking on a dangerous link, opening a dangerous file or even previewing a sketchy image can inject code that will allow a hacker to do anything and everything from spying directly on a user to hijacking control of the workstation (and maybe the network). With that kind of access, a bad actor has a platform to be able to deploy attacks against the local voting system or even the statewide registration system.

If unauthorized people gain access to a network, they can surreptitiously plant themselves between the user and a server to capture information. This information can include a "session key," a small bit of code that could tell the system that the hacker is a legitimate user. Two-factor (or multi-factor) authentication verifies the user only at the time the initial connection is made. It doesn't continue to authenticate once the handshake between the user and the server is established.
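The gap described above, shown as an added example (not from the article or from any election system): a server that checks the second factor only at login accepts a copied session token for any action, while one that expires idle sessions and asks for a fresh second factor before sensitive actions limits what that token can do. The action names, timeout values and function names are assumptions made for this example.

```python
import secrets

# Hypothetical policy values and action names, chosen for this example.
IDLE_TIMEOUT = 900        # seconds without activity before the session is dropped
MFA_FRESHNESS = 300       # how long a second-factor check covers sensitive actions
SENSITIVE = {"edit_voter_record", "export_voter_roll"}

sessions = {}             # token -> {"user", "mfa_at", "last_seen"}

def login(user, password_ok, second_factor_ok, now):
    """2FA is enforced here, once; afterwards the token alone identifies the user."""
    if not (password_ok and second_factor_ok):
        return None
    token = secrets.token_urlsafe(32)
    sessions[token] = {"user": user, "mfa_at": now, "last_seen": now}
    return token

def authorize_token_only(token, action):
    """The behaviour the article describes: no further checks after login."""
    return "allow" if token in sessions else "deny"

def authorize_with_step_up(token, action, now):
    """Re-evaluates the session on every request instead of trusting the login."""
    s = sessions.get(token)
    if s is None:
        return "deny"
    if now - s["last_seen"] > IDLE_TIMEOUT:
        del sessions[token]                 # stale token is revoked server-side
        return "deny"
    s["last_seen"] = now
    if action in SENSITIVE and now - s["mfa_at"] > MFA_FRESHNESS:
        return "step_up_required"           # the token alone is not enough
    return "allow"

def step_up(token, second_factor_ok, now):
    """Records a fresh second-factor check; a copied token cannot satisfy this."""
    s = sessions.get(token)
    if s is None or not second_factor_ok:
        return False
    s["mfa_at"] = now
    return True
```

Step-up checks narrow what a copied session token can do; they do not stop it from reaching non-sensitive functions while the session is still live.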

While these kinds of attacks assume a degree of sophistication in a regular wired network context, they take very little at all where wireless networks are concerned. Open, public networks are the worst. Some industry experts suggest that half of public wireless networks are compromised. Even a protected Wi-Fi network could potentially have its password hacked by a program such as Aircrack. Encrypted data could be vulnerable if a hacker can obtain one of the keys to that encryption, which could be plucked right out of the air, conceivably.

Compared to social engineering, these sorts of attacks targeted at election systems are less likely to occur and take a greater degree of sophistication. But they aren't impossible. Such attacks are less likely to come from foreign actors, since some of them require an actor in close physical proximity. The most long-term, persistent threats to administrator-level computer security will always be the elusive black-hat hacker working from home rather than from a foreign capital.

At the end of the day, two-factor authentication is an important, even critical step that election administrators should be lauded for implementing. But while 2FA virtually eliminates an entire class of threat, it does not eliminate all threats. Election officials must remain vigilant. At the top of the must-do list is to engage in regular professional penetration testing and be ready to deal effectively with the inevitably sobering results.

There is not, and will never be, a panacea for election systems -- a single step that provides true invulnerability. If your penetration tester reports that your system is impenetrable, it's time to find another penetration tester.