By Haley Clark & Nick McCourt
During recent election years,
election security has been an increasing topic of interest and discussion. It comes as our voting system has evolved from shouting on rooftops, to voting on paper slips, to the incorporation of more and more technology in the process. People are rightfully concerned about the strength and security of systems that hold so much precious data — not only our personal information but the results of our elections. And election security brings up questions about personal and business cybersecurity.
How much do we have to fear? How is election security compromised? And what can we learn about protecting our data from the lessons learned by election officials?
Is election security something to worry about?
Let’s start on the good news: there’s not as much concern about election security as you might think. A joint statement from election officials and government councils that oversee voting systems across the country said the recent November 2020 election “was the most secure in history.” They pointed to paper records, post-election audits, pre-election testing, and various voting equipment certifications as reasons why Americans should have faith in the results.
But not everything is sunshine and roses. In 2018, the New York Times published a story highlighting hacks and malware installed in multiple state voter-registration systems. Election officials have been keeping an eye on various openings for infiltration: the machines that tally votes, the voter-registration systems, and internet voting (which some military personnel or citizens living overseas use).
What are these potential election security issues? How can we apply those lessons to our own security?
We know cybersecurity, and we think there’s a few important lessons that everyone can take from election cybersecurity incidents and experts. Whether you take them through the lens of your business or your personal accounts, here are the five key takeaways:
| Relying on providers inherently opens you up to security risks.
Three companies distribute most modern voting machines, with each one having possible vulnerabilities. Election workers can do everything right on their end, but exposure with a provider can offer security risks.
For a non-election example of this, consider Sodinokibi, ransomware that chose not to target individual companies but took advantage of a vulnerability in a common software many Managed Service Providers (MSPs) use. Like potential blows on the companies that create voting machines, hackers figure there’s potential to hit dozens of systems at once in these kinds of attacks.
What kind of message to take from this? Keep up to date with providers, partners, and cybersecurity news. Press them on their security procedures. As you’ll read below, keep your security healthy in other ways to prevent any possible situations from being more catastrophic.
| Avoid social engineering schemes: don’t click on strange links or download unknown files.
The Cybersecurity and Infrastructure Security Agency (CISA) lists social engineering as a significant threat to voter registration data. Always double check emails that ask you to download something or go to a specific link, even if they appear to come from a trusted source.
For businesses, security awareness training is a great way to see where your company is at risk and correct before problems occur.
| Keep firewalls active, servers secure, and records accounted for.
In 2017, a “security researcher stumbled across an unsecured E&SS [Election Systems & Software] server that left passwords exposed for its employee accounts… [a hacker] could conceivably corrupt these files so machines misinterpret a vote.”
We can’t tell you the number of audits we’ve done for new clients where we’ve seen unaccounted-for servers, unused and unsecured computers still connected to the network, and firewalls disabled for no reason. All of these are a hacker’s dream because they’re easy targets that no one is monitoring.
A preventative IT strategy — one that includes patching and monitoring, for example — is critical. Just “putting out fires” as they occur means you’re barely keeping up.
| Avoid getting paralyzed by ransomware by having a solid backup plan.
A Texas software company which “sells software that cities and states use to display results on election night“ was hit by ransomware in September 2020. But don’t think they’re only targeting companies like this: ransomware hackers have targeted big and small businesses alike in every sector.
While a hacker having access to your information is obviously not ideal, you certainly don’t need to pay the ransom. How? Part of the solution is tested, timely backups which a surprising number of businesses don’t have. Think about your own business or even your personal computer’s backup: how long since the last one? Is there a schedule in place? Where are the backups stored? And when is the last time someone tested them to make sure they work? If any of your answers gave you pause, it might be time to reconsider your backup and disaster recovery plan.
| Partner with professionals to help.
It was reported that the Department of Homeland Security hired the RAND Corporation to assess vulnerabilities in the voter registration website in 2016, with RAND finding several potential opportunities for hackers.
This is a testament to the power of an independent resource taking an objective look at your systems. And it doesn’t have to be just for huge businesses. Small businesses can benefit, potentially more so, from similar guidance.
We can work as a partner to your business — getting your technology working in a smarter way for your team and protecting your data. Our streamlined process includes a technology audit, where our engineering team takes a deep dive into your current setup to assess infrastructure and detect vulnerabilities to provide a comprehensive solution.
There are vulnerabilities that come with any technology. Learning how to properly mitigate and defend against these vulnerabilities is part of the delicate dance we all play, whether we’re election officials, business owners, or just someone with a laptop. But it’s not an impossible task — there are concrete actions you can take to protect yourself. Look to Integris as a potential partner if you’re serious about your business cybersecurity.