The coming election, with all of its complexities and potential controversies, is at the forefront of every American’s mind. Our vote on November 3 will determine not only the next President of the United States, but also the balance of power in the US Senate and a host of other federal, state, and local offices.
Many articles and studies have analyzed the events surrounding the 2016 election. Independent researchers have determined that nation-state actors tried to manipulate the perception of the electorate, both directly and indirectly. The Cambridge Analytica scandal, involving the use of Facebook data for targeted political ads, is a prime example.
This constant manipulation has subtly and gradually altered the way we perceive truth and facts regarding our government. And that is a frightening development for the stability and progress of the country. The only way a democracy functions is if we, the people, believe that our votes are counted to determine the results of our elections.
While the election is absolutely critical to protect the health and continuity of our democracy, we cannot fixate so much on this singular event that we overlook all the other critical security risks that face our local governments every day. Even if someone manages to disrupt electronic voting systems, citizens can always use a pen-and-paper ballot. But they might not have such a simple solution if their local 911 system goes offline.
The outcome of the 2016 election has created an environment where we have to fight a constant onslaught of manipulated media, amplified by life-like bots and malicious actors. Voters are also questioning the security of the physical act of voting, with a growing distrust of the computers used in the process — and the people who operate them.
This issue is especially complex in the US because of its decentralized election system. State, not federal, laws govern the act and mechanisms of ballot-casting. And each county or municipality within each state is responsible for executing its own voting process.
Voting remains either a manual, paper-based process or a direct-record electronic system in most jurisdictions. There has been a shift to adopt computerized ballot-marking systems that combine the convenience of an electronic system with a verifiable paper trail. These systems not only reduce human error, they provide more equal access to the voting process for people of varying backgrounds, abilities, and education levels. Ballot-marking devices are not without fault or controversy. While the security community has made strides in addressing technical weaknesses in systems used for marking ballots and tallying results, electronic systems do present a potential attack surface for adversaries.
If the voting process utilizes any form of electronic support system, like an e-pollbook (an electronic voter information database), it is supported by local government infrastructure. When people think about someone “hacking the election,” they think of the ballot-marking devices that mark their choices on a piece of paper. But a more likely target is the e-pollbook that supports the voter registration and verification systems in many states. A disruption of these systems could degrade the American people’s confidence in the results of the election.
The reality is that these systems are much more likely to have software flaws that cause accidental failures or system crashes than they are to have security vulnerabilities that enable attacks by foreign adversaries.
With such an emphasis on the election, other risks to local governmental infrastructure are often overlooked or deprioritized, even though that infrastructure is the most likely target for an attack.
Even the smallest counties and cities have basic support services for their residents, including emergency services, transport, water, power, and other government services. Larger cities have even more complex infrastructure, including many connected agencies and hundreds of thousands of endpoints to help serve residents.
Attackers are opportunists and will take whatever is presented to them to achieve their objective. As shown by recent incidents, attackers continue to target municipal systems well beyond the election, so the security of these systems deserves special attention.
From an adversarial perspective, the attack surface of an election system is relatively small as the contact window is limited, and security gets greater scrutiny. It is far more beneficial for the attacker to view the election as a time of opportunity rather than the end-target. A municipality holds elections only periodically, but municipal systems are always ripe for an attack.
Based on our analysis, the average municipal computer presents an attacker with more than 30 potential vulnerabilities or risk conditions at any time. In most cases, the only things standing between these vulnerabilities and the attacker are firewalls, antivirus, and luck.
Long gone are the days when clueless attackers gained a foothold in a system and then tripped around until they were caught. Today, ransomware gangs, advanced threats, and basic cyber criminals operate with a much higher level of sophistication.
Once an attacker gains a foothold in a municipal system, the calculation is simply how to maximize value: install ransomware to extract payment, or sell access to that system? If the cost-benefit analysis comes out in favor of selling access, there’s a chance the compromise will go unnoticed.
The reality is that many municipal systems are probably compromised already, and the attackers are lying dormant, waiting for the most beneficial moment to strike.
A quick Google search for “ransomware” will return countless stories of cities, counties, and their IT providers that have been victimized. Ransomware results in a loss of availability and integrity of the compromised systems, as well as the monetary loss to restore those systems. And that gives attackers an incentive to return after the initial incident response.
Ransomware is a game of large numbers. Attackers use techniques like social engineering and phishing to trick government workers into clicking malicious links in emails, documents, and websites. For most ransomware operators, the objective is money — in the form of cryptocurrency, like Bitcoin — and disrupting city services is the easiest way to achieve this goal.
But these breaches also provide opportunities for nation-state threat actors. They can buy access to compromised government organizations from ransomware crews, much the same way you can buy cloud services from Amazon. This can give state-sponsored attackers a foothold in municipal systems, where they can lie in wait, undetected. This is a very low-risk, low-cost tactic, but it enables attackers to time their disruptions for maximum effect or maximum value.
Another point to consider is that most ransomware can adapt to the conditions it encounters, spreading through design and configuration mistakes. A single well-intentioned design decision, say to enable remote worker access, can have dire unintended consequences, resulting in a massively expanded attack surface.
Excluding major metropolitan areas, most municipal and county governments have limited IT staffs — often just a handful of people. And their IT budgets focus on keeping systems running, not securing them against attacks. So they prioritize only what is most important now.
With the current focus on the election, and much of their IT budgets devoted to that, local governments are extremely vulnerable. They could well end up in a worse position than they were in before the election. Remember, election systems are put away after the vote, but the rest of the government is still online.
An analysis of multiple municipalities indicates that… in an average local government network, an attacker has over 15 ways to penetrate a typical computer and reach an intended target. Since most of these networks allow every computer to talk to every other machine, a single compromised device can give attackers access to multiple targets of opportunity to disrupt critical services or exfiltrate data.
This brings us full circle back to the election, or any public event attackers would like to use to their advantage. There are many ways to interfere with the election process, like attacking a county clerk’s webserver to prevent people from seeing where and when to vote, or to try to impede the reporting of votes.
More complex attacks, well beyond the timeframe of the election, pose other frightening scenarios. For example, a compromised water or power distribution system could disrupt many lives. And ransomware in a hospital could result in patients being turned away, or even in loss of life.
While these scenarios might seem farfetched, there are dozens of examples of the real-life consequences of compromised institutions. Breaches have taken municipalities in Florida completely offline and shut down entire hospital systems.
So what can local governments do to improve their cybersecurity?
As with most things, the answer is complicated.
Many vendors will say they have a solution that will stop attackers, but that oversimplifies the situation. Yes, municipalities must invest in modern security and IT solutions, but they must also build a plan to support technical solutions — before and after the purchase.
Most local governments have not taken the time to understand their risks before making technology purchases. Instead, they focus on features or promised outcomes. But purchasing a solution with a limited budget may mean that the technology can’t be fully deployed or properly supported. And that can create a false sense of security.
To reduce the attack surface and understand the risks, local governments need to invest in a multi-step approach: know the surface, understand the impact, evaluate the risk, and match technology more precisely to the desired outcome.