The 2020 presidential election has already been upended by a disastrous pandemic that’s forced states to re-evaluate the methods by which people will vote this year. But election administrators, especially at the local level, must still contend with digital threats, like ransomware attacks, that could potentially disrupt voting infrastructure and create chaos on or after Nov. 3, county officials were warned last week during a webinar.
The hourlong event, hosted by the National Association of Counties, laid out what a ransomware attack could do to a county’s ability to safely and accurately carry out an election. Ryan Macias, a former technology specialist with the federal Election Assistance Commission who is now an election security consultant to the Department of Homeland Security, laid out a pair of unsettling scenarios.
“Picture it being National Voter Registration Day, Sept. 22, and your entire voter registration database is locked up,” he said. “Picture [on Nov. 3] that you’re getting to 8 p.m., close of polls, and you see a message that says: ‘Your system is locked up and you have no results for this election unless you pay us a ransom.'”
The Cybersecurity and Infrastructure Security Agency, the DHS unit that assists state and local governments with election-security matters, has warned that ransomware — which preys on local governments — could impact election systems by preventing poll workers from accessing voter roles or locking up websites where officials post unofficial results on and after Election Day.
“A successful ransomware infection on the elections infrastructure could result in the irreversible encryption or possibly deletion of voter registration databases, vote tabulation or other sensitive records,” said Tim Davis, an operations analyst with the Election Infrastructure Information Security and Analysis Center, which helps election officials monitor and defend against cyberthreats.
But election offices don’t need to be targeted directly to be impacted by ransomware, Macias said. Many county and small-town governments often outsource their IT and cybersecurity operations to managed service providers, which can be attacked.
“Some of that lateral movement into your network is the elections office or county IT infrastructure may not be the actual target,” he said. “They may have gotten into your MSP and then had an opportunity to move into the county infrastructure.”
Managed service providers were one of the biggest delivery vehicles for ransomware against local governments in 2019, including one incident last August in which 23 Texas cities and counties were disrupted. According to the Center for Internet Security, ransomware attacks against counties doubled last year.
‘Tabletop all the things’
And against the backdrop of an election, ransomware could go from causing inconveniences with online bill payments and marriage licenses to sowing chaos that throws a presidential race into doubt, Mick Baccio, the former chief information security officer for Democratic presidential candidate Pete Buttigieg, told StateScoop in an interview Monday.
“Just looking at the [Ransomware Attacks Map], we see so much of this over time, and you start learning about how interconnected these systems are,” said Baccio, who’s now a security adviser with Splunk. “If the voter registration is connected to the DMV, if you hit that with ransomware or some kind of locker the days after the election, that’s a recipe for disaster. You’ve seen elections before, it usually comes down to three states, two or three counties. It doesn’t take much. These are very vulnerable systems.”
Some statewide election officials have taken efforts to improve their counties’ defenses. Ohio Secretary of State Frank LaRose recently announced that his office is providing all 88 county election offices with free endpoint detection monitoring; every county also has network intrusion detection hardware.
Many political observers are already suggesting that the time needed to count the surge of absentee ballots due to the COVID-19 pandemic could mean it will take several days to determine the winner of the presidential election. But Baccio said that county officials can avert a nightmare with the right preparations.
“If 2020 is every disaster movie rolled into one, Election Day is the beginning of the final act,” he said. “I think it comes down to a lot of diligence, a lot of being careful. Do the basics [like patching] right. Tabletop all the things. Plan for everything bad that can happen. Know who to call. You might wake up Nov. 4 and not know who the president is, and that’s OK.”