Election officials praised for sharing information, knocked for sharing passwords

Secretaries of state have made great strides, a senior DHS official said, but some officials at the county level still need to work on basic cyber hygiene.

State and local election officials have done a “tremendous” job reporting information about potential cyberthreats during the 2020 cycle, a senior Department of Homeland Security official said Tuesday.

But some, particularly at the city and county level, are also still in the unfortunate habit of not changing default passwords on new equipment or even sharing credentials, Matt Masterson, a senior adviser at DHS’s Cybersecurity and Infrastructure Security Agency, told the National Association of Secretaries of State online conference.

“CISA has observed instances where several people in election-related offices having been sharing passwords over e-mail or default passwords are being used,” read one of the slides Masterson shared.

Still, Masterson praised the actions that states’ top election officials have taken over the past few years to secure their network infrastructure and increase the amount of information they share with their counties and with federal entities like CISA, especially through organizations such as the Election Infrastructure Information Sharing and Analysis Center.


“We really have a much better picture of the election landscape,” he said. “We’re much more likely to feel a tremor in the Force now compared to 2016.”

While election officials entered 2020 wary of potential cyberattacks similar to those carried out by Russian military intelligence officers in 2016, the coronavirus pandemic has upended the presidential race, prompting states to drastically reduce the number of physical polling places and greatly expand the use of voting by mail. That’s made protecting the voter registration databases that secretaries of state oversee even more important, a fact Masterson himself noted during a CrowdStrike event last month.

On Tuesday, Masterson told NASS members that the threat to voter files could come in the form of ransomware that may not directly target election systems, but could still potentially disrupt the voting process if, say, a county fails to employ sufficient network segmentation.

“Ransomware will take down a county network in general, which will have an impact on the election network, even if it was not targeted,” he said. “The activity may not target election networks specifically, but it may have an impact. Many times a malicious actor isn’t going to knock on the front door. What they’re going to do is look for weakness across the enterprise as a whole and work their way to the eventual goal.”

Spencer Wood, the chief information officer for the Ohio secretary of state’s office, said that monitoring activity on his agency’s non-election functions, like business registrations, informs the security of its election-related assets.


“Adversaries could use that as a pivot point,” he said. “It’s really important to keep an eye on your non-election systems.”

But officials exchanging security tips — such as IP ranges that should be blocked or newly discovered software vulnerabilities — goes a long way toward securing the election space, Masterson continued, though he said the greatest strides have been made at statewide levels and in larger local jurisdictions.

“We’re seeing much more information sharing, password management, patch application, but not as much in smaller counties,” he said.

He encouraged secretaries of state to pass many familiar cyber hygiene steps — patching, access management, multi-factor authentication — on to their local election officials. In particular, he reminded viewers of patches issued this month for vulnerabilities in Microsoft, SAP and F5 Networks products.

The vulnerabilities in election administration, he said, are not too different from those in other critical infrastructure sectors.


“The difference is everyone’s watching,” Masterson said. “Simple hygiene steps: access controls, regular patching, and empowering IT staff to recognize vulnerabilities.”
