Prospective hackers have yet to launch widespread attacks against state and local election systems, but a top cybersecurity analyst is imploring IT leaders to prepare for that eventuality before voters head to the polls in November.
At the National Association of State Technology Directors’ annual conference Tuesday, Thomas Duffy — the executive director of the Center for Internet Security’s Multi-State Information Sharing and Analysis Center — cautioned that attackers will increasingly test the security of election systems as the presidential election inches ever closer.
“You’ll hear a lot of buzz about this in the coming weeks,” Duffy said. “The senior state staff, the governor’s office will be asking about it.”
Duffy’s group works closely with the Department of Homeland Security (an agency that some lawmakers have urged to support states and localities as they handle threats to election systems), and he noted that the department plans to “release some products by September to give you some guidance.”
But in the meantime, Duffy noted that there are plenty of threats IT leaders need to be aware of when it comes to securing their voting systems.
He said his group has noticed a smattering of isolated phishing attacks against election officials, with “some successful” so far, and he expects those attacks will continue moving forward. He’s even noticed some attempts to infiltrate databases of voter registration information, something he thinks could prove to be more troubling than it might initially appear.
“There’s not a lot of [personally identifiable information] in there other than dates of birth, it’s just like a telephone directory,” Duffy said. “But it could enable absentee ballot fraud.”
Duffy also noted that local systems to transfer results from a polling place to a state Board of Elections could be another target for attackers, even if it’s something as simple as a denial of service attack.
“If they use an FTP or a web app to upload results, there’s the potential for DDoS attacks,” Duffy said. “That could delay results, and that’s a problem. If it got delayed by a couple hours, it could create havoc.”
Those concerns about elections aside, Duffy notes that ransomware remains the most rapidly growing threat he’s noticed confronting states and municipalities.
“In 2015, we were just dealing with two or three types of ransomware,” Duffy said. “Since then, the volume and the different variants of it has ticked up exponentially.”
Indeed, he observed that it’s becoming increasingly easy for cyberattackers to use ransomware, since it’s now “a tremendously automated process.”
If hackers steal someone’s credentials for a bank account, they have to manually access an online banking system to use that information, Duffy noted — automated ransomware software removes a great deal of that risk for attackers. He’s noticed some criminal groups leasing out “ransomware as a service,” giving people access to advanced infrastructure to run ransomware attacks with relatively little technical expertise required.
“It’s all possible through browser-side vulnerabilities,” Duffy said. “If you’re running a vulnerable version of Adobe Flash, Java or [Microsoft] Silverlight, that’s low-hanging fruit for them to exploit.”
He pointed out that the majority of ransomware attacks still come against “home users” rather than people using business or government devices — he pegs it at a “60/40 split” currently — noting that the attacks are “mostly random” and “mostly opportunistic.”
Nevertheless, Duffy thinks the public sector needs to have its guard up as hackers continue to refine their methods.
“It’s very lucrative for them,” Duffy said. “This is definitely something to get used to.”