It’s not too hard to imagine how that balance of political power in the U.S. after the November elections might be tipped one way another due to cyberattacks being launched against voting machines from overseas. In fact, a recent survey of 411 IT security professionals conducted by Dimensional Research on behalf of Venafi, a provider of tools for securing machine data, find 93 percent of security professionals are concerned about cyberattacks targeting election infrastructure and data. A total of 81 percent report they believe cybercriminals will target both software and hardware as well as election data as it is transmitted by machines from local polling stations to central aggregation points. In fact, 64 percent believe vulnerabilities and exploits connected with election systems are already available on the dark web.
Just to show how vulnerable the voting process, organizers at the recent DEF CON 2018 conference organizations set up an entire village on the show floor dedicated to hacking various systems and applications. They even invited kids as young as 11 to show how easy it is to hack those systems.
Not surprisingly, confidence in the cybersecurity resiliency of voting systems is low. Only two percent of the respondents to the Venafi survey are very confident in local, state and Federal government abilities to detect cyberattacks targeting election infrastructure. Only three percent are very confident in their local, state and federal governments' abilities to block them.
Concerns about cybersecurity also extend out to campaigns themselves. In the wake of a Presidential election that saw servers within presidential campaigns being compromised, IT security vendors are now offering free security tools to political campaigns at all levels. But naturally, whether those campaigns have the skills required to implement and manage those tools is another matter altogether.Cyberattacks against election systems are no longer focused on a single candidate. They are part of a much larger global disinformation campaign to affect the outcome of elections. ~@mvizardClick To Tweet
Of course, these cybersecurity issues are not confined to the U.S. Similar attacks are being launched around the globe. Those attacks are potentially even more devastating given the fragile nature of the democratic processes that exist in many countries. The goal of these attackers is to not just swing elections in favor of one candidate or another, but rather erode confidence in the entire political system. This issue has become so acute that some states are calling out the National Guard to bring additional cybersecurity expertise to protecting election systems.
In fact, cybersecurity attacks against election systems are only one aspect of those efforts. Social media companies are now looking to pool their resources to combat what is now being increasingly recognized as an exercise in information warfare. These attacks are no longer focused on a single candidate. They are part of a much larger global disinformation campaign to affect the outcome of elections. Rather than merely observing these events from afar, the point has been reached where cybersecurity professionals now have a civic duty to volunteer their expertise to protect the integrity of election processes. Among those leading the charge is Synack, a security services firm founded by former employees of the National Security Agency (NSA), is offering $500,000 worth of free penetration testing assessments for elections. Each test cost between $25,000 to $35,000.
To make it easier to help the Center for Democracy and Technology (CDT) has published guidelines for securing election systems, while the Defending Digital Democracy Project operating out of the Belfer Center for Science and International Affairs department of the Kennedy School of Government at Harvard University has even published a playbook for defending election systems. The only thing missing is somebody to run it.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.