A vast majority of websites operated by county election administrators around the United States lack key security features that would help users verify that the sites they’re viewing truly belong to their local officials, according to research published Thursday by the cybersecurity firm McAfee.
Following a review of sites run by county boards of elections in all 50 states, the company found that barely 20% have moved their websites to the federally administered .gov top-level domain, while 45% don’t employ the encrypted HTTPS protocol that preloads sites in browsers to prevent users from being redirected by third-party organizations or malicious actors.
In total, just 16.4% of nearly 3,100 county elections websites take both steps, McAfee found, and that figure is much lower for several battleground states, including Minnesota, Nevada and Pennsylvania.
“An adversary could use fake election websites for disinformation and voter suppression by targeting specific citizens in swing states with misleading information on candidates or inaccurate information on the voting process such as poll location and times,” Steve Grobman, McAfee’s chief technology officer, wrote in a blog post accompanying the research. “In this way, a malicious actor could impact election results without ever physically or digitally interacting with voting machines or systems.”
The McAfee report follows a similar one — with similar findings — the company published in February that looked at county election websites in 13 swing states, as well as a more recent warning by the FBI about cybercriminals operating malicious sites dressed up to look like state and local election authorities.
Of all states, Ohio is by far the best performer, with all 88 county boards of elections using HTTPS, and 77 having migrated to .gov sites. Grobman attributes this to an executive order Ohio Secretary of State Frank LaRose issued last year directing all county election administrators to adopt both protocols. While most counties launched their own .gov sites, LaRose’s order also allowed those that couldn’t to house their online election-related assets on the statewide Ohio.gov domain, even if counties’ main websites continue to reside on other TLDs.
McAfee also found that four of Hawaii’s five counties and 77% of Arizona’s counties use both HTTPS and .gov, but the gap between those and the next-best performing state — Virginia, where only 37% of counties use both — is wide.
There are also some states where implementation of HTTPS is widespread, but .gov migration is not. Sixty-four of Florida’s 67 county election supervisors use HTTPS, for instance, but just four run a .gov website.
Grobman chalks up much of this deficit to smaller counties that lack robust IT resources to build more secure web presences. They often instead simply link to state authorities to give voters information, or even direct their voters to look on social media like Facebook.
“Unfortunately, neither of these approaches prevents malicious actors from spoofing their county government web properties,” he wrote. “Such actors could still set up fake websites regardless of whether the genuine websites link to a .GOV validated state election website or whether counties set up amazing Facebook election pages. The platform could just as easily be used by malicious parties to create fake pages spreading disinformation about where and how to vote during elections.”
Cybersecurity analysts have long encouraged state and local government organizations to migrate their web domains to .gov, which is administered by the General Services Administration and includes a range of popular security features, including HTTPS preloading and mandatory two-factor authentication for all user accounts, as well as active vulnerability monitoring and a round-the-clock help desk.
“Websites using .COM, .NET, .ORG, and .US domain names can be purchased without such validation, meaning that there is no governing authority preventing malicious parties from using these names to set up and promote any number of fraudulent web domains mimicking legitimate county government domains,” Grobman writes.
But while .gov sites are available to all state and local governments in the U.S., they also come with a $400 annual registration fee, which leads many smaller, financially strained local governments to stick with commercially available .com or .org. While there are about 39,000 local governments nationwide, the GSA counts fewer than 4,000 non-federal entities operating .gov sites, a number that includes many statewide agencies.
“There are a lot of things that are complex in cybersecurity, this isn’t one of them,” Grobman said in a phone interview. “This is a basic hygiene set of steps that every county and election board should take.”
There is federal legislation — called the DOTGOV Act — that would let state and local governments use Department of Homeland Security grants to register for and migrate to .gov sites, and transfer authority over the domain from the GSA to the Cybersecurity and Infrastructure Security Agency. While the bill enjoys the endorsement of the National Association of State Chief Information Officers, it’s languished since being introduced in the Senate last November.