Cybercrime capitalizing on the convergence of COVID-19 and 2020 election

The cybersecurity challenges of the global pandemic are now colliding with the 2020 U.S. presidential election, resulting in a surge of cybercrime, VMware research reveals.


Attacks growing increasingly sophisticated and destructive

As eCrime groups grow more powerful, these attacks have grown increasingly sophisticated and destructive – respondents reported that 82 percent of attacks now involve instances of counter incident response (IR), and 55 percent involve island hopping, where an attacker infiltrates an organization’s network to launch attacks on others within the supply chain.

“The disruption caused by COVID-19 has created a massive opportunity for criminals to restructure their businesses,” said Tom Kellermann, Head of Cybersecurity Strategy, VMware Carbon Black.

“The rapid shift to a remote world combined with the power and scale of the dark web has fueled the expansion of eCrime groups. And now ahead of the election, we are at a cybersecurity tipping point; cybercriminals have become dramatically more sophisticated and punitive, focused on destructive attacks.”

Data for the report is based on an online survey of eighty-three IR and cybersecurity professionals from around the world in September 2020.

Incidents of counter IR are at an all-time high, occurring in 82% of IR engagements

This suggests the prevalence of increasingly sophisticated, often nation-state attackers, who have the resources and cyber savvy to colonize victims’ networks. Destructive attacks, which are often the final stage of counter IR, have also surged, with respondents estimating victims experience them 54% of the time.

55% of cyberattacks target the victim’s digital infrastructure for the purpose of island hopping

The pandemic has left organizations increasingly vulnerable to such attacks as their employees shift to remote work – and less secure home networks and devices.

Custom malware is now being used in 50% of attacks reported by respondents

This demonstrates the scale of the dark web, where such malware and malware services can be purchased to empower traditional criminals, spies and terrorists, many of whom do not have the sophisticated resources to execute these attacks.

As we approach the 2020 presidential election, cybercrime remains a top concern

Drawing upon their security expertise – and in line with recent advisories from Cybersecurity & Infrastructure Security Agency (CISA) – 73% of respondents believe there will be foreign influence on the 2020 U.S. presidential election, and 60% believe it will be influenced by a cyberattack.

Most US states show signs of a vulnerable election-related infrastructure

In the lead-up to the presidential election, 75% of all 56 U.S. states and territories showed signs of a vulnerable IT infrastructure, a SecurityScorecard report reveals.


Since most state websites offer access to voter and election information, these findings may indicate unforeseen issues leading up to, and following, the US election.

Election infrastructure: High-level findings

Seventy-five percent of U.S. states and territories’ overall cyberhealth are rated a ‘C’ or below; 35% have a ‘D’ and below. States with a grade of ‘C’ are 3x more likely to experience a breach (or incident, such as ransomware) compared to an ‘A’ based on a three-year SecurityScorecard study of historical data. Those with a ‘D’ are nearly 5x more likely to experience a breach.

  • States with the highest scores: Kentucky (95), Kansas (92), Michigan (92)
  • States with the lowest scores: North Dakota (59), Illinois (60), Oklahoma (60)
  • Among states and territories, there are as many ‘F’ scores as there are ‘A’s
  • The Pandemic Effect: Many states’ scores have dropped significantly since January. For example, North Dakota scored a 72 in January and now has a 59. Why? Remote work mandates gave state networks a larger attack surface (e.g., thousands of state workers on home Wi-Fi), making it more difficult to ensure employees are using up-to-date software.

Significant security concerns were observed with two critically important “battleground” states, Iowa and Ohio, both of which scored a 68, or a ‘D’ rating.

The battleground states

According to political experts, the following states are considered “battleground” and will help determine the result of the election. But over half have a lacking overall IT infrastructure:

  • Michigan: 92 (A)
  • North Carolina: 81 (B)
  • Wisconsin: 88 (B)
  • Arizona: 81 (B)
  • Texas: 85 (B)
  • New Hampshire: 77 (C)
  • Pennsylvania: 85 (B)
  • Georgia: 77 (C)
  • Nevada: 74 (C)
  • Iowa: 68 (D)
  • Florida: 73 (C)
  • Ohio: 68 (D)

“The IT infrastructure of state governments should be of critical importance to securing election integrity,” said Alex Heid, Chief Research & Development Officer at SecurityScorecard.

“This is especially true in ‘battleground states’ where the Department of Homeland Security, political parties, campaigns, and state government officials should enforce vigilance through continuously monitoring state voter registration networks and web applications for the purpose of mitigating incoming attacks from malicious actors.

“The digital storage and transmission of voter registration and voter tally data needs to remain flawlessly intact. Some states have been doing well regarding their overall cybersecurity posture, but the vast majority have major improvements to make.”

Potential consequences of lower scores

  • Targeted phishing/malware delivery via e-mail and other mediums, potentially as a means to both infect networks and spread misinformation. Malicious actors often sell access to organizations they have successfully infected.
  • Attacks via third-party vendors – many states use the same vendors, so access into one could mean access to all. This is the top cybersecurity concern for political campaigns.
  • Voter registration databases could be impacted. In the worst-case scenario, attackers could remove voter registrations or change voter precinct information or make crucial systems entirely unavailable on Election Day through ransomware.

“These poor scores have consequences that go beyond elections; the findings show chronic underinvestment in IT by state governments,” said Rob Knake, the former director for cybersecurity policy at the White House in the Obama Administration.

“For instance, combatting COVID-19 requires the federal government to rely on the apparatus of the states. It suggests the need for a massive influx of funds as part of any future stimulus to refresh state IT systems to not only ensure safe and secure elections, but save more lives.”

A set of best practices for states

  • Create dedicated voter and election-specific websites under the domains of the official state domain, rather than using alternative domain names which can be subjected to typosquatting
  • Have an IT team specifically tasked and accountable for bolstering voter and election website cybersecurity: defined as confidentiality, integrity, and availability of all processed information
  • States should establish clear lines of authority for updating the information on these sites that includes the ‘two-person’ rule — no single individual should be able to update information without a second person authorizing it
  • States and counties should continuously monitor the cybersecurity exposure of all assets associated with election systems, and ensure that vendors supplying equipment and services to the election process undergo stringent processes

What’s causing uncertainty about election security?

Confidence levels in securing the election are low, and declining, according to an ISACA survey of more than 3,000 IT governance, risk, security and audit professionals in the US.


While federal, state and local governments continue to harden election infrastructure technical controls and security procedures, 56 percent of respondents are less confident in election security since the pandemic started—signaling the need for greater education of the electorate and training of election personnel to drive awareness and trust.

Respondents say they believe that funding, legislation, technical controls and election infrastructure are all inadequate, including 63 percent who are not confident in the resilience of election infrastructure, and 57 percent who believe that funding is not sufficient to prevent hacking of elections.

Top threats to election security

Respondents identified the following as the top threats to election security:

  • Misinformation/disinformation campaigns (73%)
  • Tampering with tabulation of voter results (64%)
  • Hacking or tampering with voter registration rolls
  • Hacking or tampering with voting machines (both 62%)

The combination of low confidence and high perception of threats requires a call to action, according to retired Brigadier General Greg Touhill, ISACA board director and president of the AppGate Federal Group. “The overwhelming majority of localities have sound election security procedures in place, but the public’s perception does not match the reality.”

“This means that governments, from the county level on up, need to clearly and robustly communicate about what they are doing to secure their election infrastructure. As the study indicates, the most real threat to the election—impacting all candidates from all parties—is misinformation and disinformation campaigns.”


How to ensure voter confidence and accountability

The survey found that respondents believed the following actions could help ensure voter confidence and accountability:

  • Educating the electorate about misinformation (65%)
  • Using electronic voting machines with paper audit trails (64%)
  • Increased training for election and election security personnel (62%)

State Department offers $10 million for info on hackers targeting U.S. elections

As the day of the U.S. presidential elections is quickly approaching, election security is again becoming a topic of more and more security discussions.


Are the polling booth systems secure? Could attackers interfere with them? What about voting by mail? Is it a secure option? Will the United States Postal Service (USPS) be able to handle a greater than usual (due to COVID-19) influx of mailed ballots?

The security of electronic voting

Prior to the 2016 U.S. presidential elections, cyber attackers believed to be Russian operatives succeeded in compromising websites or voter registration systems in seven U.S. states, NBC revealed in early 2018.

Though the attackers apparently didn’t make changes to votes or voter rolls, the revelation was enough to raise doubts about voting security.

It doesn’t help that, over the intervening years, security researchers and hackers have demonstrated how electronic voting systems and polling booths can be hacked and manipulated.

In 2019, the U.S. House of Representatives passed a bill that would mandate election systems to use voter-verified paper ballots so that election interference can be avoided, for voting machines to be disconnected from the internet, and for states to get funds to enhance the security of their election systems and infrastructure. The bill was never voted on in the U.S. Senate.

In May 2020, the House again tried to allot money ($3.6 billion) for election security through the Health and Economic Recovery Omnibus Emergency Solutions (HEROES) Act, but the bill is expected to be modified and it’s possible it won’t include funds for helping states cover pandemic-related costs for the election.

In the meantime, the federal government is providing state and local officials with additional tools – endpoint detection and response software – to help defend the nation’s election systems from cyberthreats ahead of the November vote.

On Wednesday, the U.S. Department of State offered “a reward of up to $10 million for information leading to the identification or location of any person who works with or for a foreign government for the purpose of interfering with U.S. elections through certain illegal cyber activities.”

“The reward offer seeks information on the identification or location of any person who, while acting at the direction of or under the control of a foreign government, interferes with any U.S. federal, state, or local election by aiding or abetting a violation of section 1030 of title 18, which relates to computer fraud and abuse,” the State Department noted.

The reward is offered for information about individuals involved in the unauthorized accessing of election and campaign infrastructure, including voter registration databases and voting machines, and in malicious cyber operations against U.S. political organizations or campaigns to steal confidential information and then leak that information as part of influence operations to undermine political organizations or candidates.

The security of mail-in voting

As U.S. President Donald Trump claims that voting by mail opens the voting process for potential fraud and corruption, then backtracks, some voters have started doubting the security of the options.

Experts, on the other hand, are saying that adversaries couldn’t interfere with voting by mail in any meaningful way, and the USPS assures it can handle the added volume of mail-in ballots in November’s election.

Assessing the email security controls used by 10,000 U.S. state and local election administrators

With fewer than 100 days left until Election Day, a new report from Area 1 Security reveals that states are still in widely varying stages of cybersecurity readiness.


Key findings include:

  • The majority (53.24 percent) of state and local election administrators have only rudimentary or non-standard technologies to protect themselves from phishing
  • Fewer than 3 out of 10 (28.14 percent) election administrators have basic controls to prevent phishing
  • Fewer than 2 out of 10 (18.61 percent) election administrators have implemented advanced anti-phishing cybersecurity controls
  • A surprising 5.42 percent of election administrators rely on personal email accounts or technologies designed for personal email (such as Yahoo!, Hotmail, AOL or others), to conduct their duties
  • A number of election administrators independently manage their own custom email infrastructure, including using versions of Exim known to be targeted by cyber actors linked to the Russian military that interfered in prior U.S. elections.

Ninety-five percent of cybersecurity damages worldwide begin with phishing, and phishing campaigns come in all shapes and sizes. The majority of phishing campaigns begin with an innocuous and authentic email that individuals are unable to recognize as malicious. Consequently, the quality of email protection used by organizations and individuals has an inordinate bearing on their overall cybersecurity posture.

“Our elections are vital. They need to be resilient against whatever crisis the moment throws at us — and that requires resources and planning,” said Oren J. Falkowitz, co-founder of Area 1 Security. “However, most state and local election administrators are not very close to ensuring a safe election. This challenge is going to be exacerbated the longer it takes for them to get the resources and expertise needed to make changes.”

Security recommendations for state and local election administrators

Ending use of Exim email servers: Given the government’s guidance to update Exim to mitigate CVE-2019-10149 and other vulnerabilities including, but not limited to, CVE-2019-15846 and CVE-2019-16928, election administrators are urged to cease use of Exim. Upgrading alone does not mitigate exploitation. Prior Russian cyber activities directed towards U.S. elections make use of Exim ill-advised. For those who must continue running Exim, update to the latest version; running a version prior to 4.93 leaves a system vulnerable to disclosed vulnerabilities. Administrators can update Exim Mail Transfer Agent software through their Linux distribution’s package manager or by downloading the latest version.

Transitioning to cloud email infrastructure: Running custom email infrastructure requires network administrators to be perfect every single day. Instead, Area 1 Security recommends the use of cloud email infrastructure such as Google’s GSuite or Microsoft’s Office 365 in combination with a cloud email security solution.

Ending use of personal email technologies for election duties: Under no circumstances should election administrators use personal email for the conduct or administration of elections.
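One way to act on the Exim recommendation above is to inventory your own mail hosts and flag any reporting a release before 4.93. This is an added example, not part of the original report; the host names and banner lines are constructed, and it assumes you have already collected `exim -bV` output or SMTP greetings from servers you administer.

```python
import re

# Threshold taken from the recommendation above: releases before 4.93 are flagged.
MIN_EXIM_VERSION = (4, 93)

# Matches both `exim -bV` output ("Exim version 4.92.3 #3 built ...") and an
# SMTP greeting ("220 host ESMTP Exim 4.92.3 ...").
EXIM_VERSION_RE = re.compile(r"\bExim\s+(?:version\s+)?(\d+(?:\.\d+)+)", re.IGNORECASE)


def parse_exim_version(text):
    """Return the Exim version found in `text` as a tuple of ints, or None."""
    match = EXIM_VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def classify(text):
    """Classify one banner or version line as 'outdated', 'ok' or 'unknown'."""
    version = parse_exim_version(text)
    if version is None:
        # Another MTA, or a banner with the version suppressed. This is not
        # evidence of a safe host; it needs a manual check.
        return "unknown"
    # Tuple comparison is numeric per component; comparing the raw strings
    # would misorder versions such as 4.100 and 4.93.
    return "outdated" if version < MIN_EXIM_VERSION else "ok"


def audit(inventory):
    """Map each host in {host: banner_text} to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts under the reserved .example TLD).
SAMPLE_INVENTORY = {
    "mail1.elections.example": "220 mail1.elections.example ESMTP Exim 4.92.3 Tue, 04 Aug 2020 10:00:00 +0000",
    "mail2.elections.example": "Exim version 4.93 #2 built 10-Dec-2019 12:00:00",
    "mail3.elections.example": "220 mail3.elections.example ESMTP Postfix",
    "mail4.elections.example": "220 mail4.elections.example ESMTP Exim 4.87 Tue, 04 Aug 2020 10:00:01 +0000",
    "mail5.elections.example": "220 mail5.elections.example ESMTP ready",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:28} {status}")
```
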

Cybersecurity concerns front and center as online voting expected to shape future elections

Online voting is likely to shape future election cycles, according to a study from OneLogin. 59% of respondents expect online voting will become a reality within five years.


Online voting demographics

Though various demographics differ in their opinions about online voting, respondents shared concerns about the possibility of fraud and compromised data security.

49% of millennial and 55% of Gen Z voters believe that online options would make them more likely to vote while only 35% of those ages 74+ felt the same. Digital voting might also assist during the pandemic as 26% of respondents indicated COVID-19 could impact their likelihood of voting in the general election this fall.

An online voting option could also boost voter turnout among minority groups: 55% of black and 54% of Hispanic voters said an online voting option would make them more likely to vote this fall, compared to 42% of whites.

By party lines, 37% of Republicans do not want online voting compared to 12% of Democrats. Additionally, 43% of self-identified Trump supporters do not want online voting, compared to 12% among non-supporters.

Online voting and cybersecurity

Regardless of these divisions, respondents came together around two issues: convenience and security. Among those in favor of moving to online voting, 68% liked the potential convenience and 61% believed it would increase voter turnout. For those against it, the opportunity for fraud (77%) and lack of security (75%) were major concerns.

“The 2020 presidential election is happening in one of the most turbulent and divisive times in our country’s history,” said Brad Brooks, CEO and president of OneLogin.

“We were curious to understand the opinions around online voting and cybersecurity. The results speak to the demand and call for safe and secure identity management, today, in the 2020 election, and beyond.”

Most security experts agree that the process to cast a secure online vote would require multiple steps of authentication. Although 61% of respondents were willing to take up to three steps, 13% weren’t willing to take any security steps at all if voting online.

Similarly, 48% of voters would spend no more than five minutes logging in to vote, with only 5% willing to take more than 30 minutes, even though there are often long waits for in-person voting.


Who is the most trustworthy?

Trust will be another hurdle, as voters are uncertain which group is the most trustworthy to manage and administer online voting. Only 25% felt the government was best equipped, while 21% believed a private company could do it best and 20% would rely on a big tech company. Over 35% stated they wouldn’t trust any of the choices listed.

Other findings from the study include:

  • Pandemic politics: 31% of those who disapprove of President Trump say the pandemic is influencing them towards not voting compared to only 17% among Trump supporters.
  • Online turnout: 45% say that if they could vote online, they would be more likely to vote in the general election this fall while only 6% say they would be less likely to vote. 49% were the same either way.
  • Disenfranchisement: Out of those who are not in favor of moving to online voting, 44% believe it would disenfranchise people who are computer illiterate. 61% of those ages 74+ have this concern.
  • Voting by mail: 1 in 3 rural voters have security concerns with voting by mail, compared to 1 in 4 from urban/suburban areas. 46% of Trump supporters are worried about security and fraud with voting by mail, compared to just 16% among those who don’t support Trump.

Review: Kill Chain: The Cyber War on America’s Elections


Kill Chain is an HBO documentary made and produced by Simon Arizzone, Russell Michaels and Sarah Teale.

Kill Chain: Inside the documentary

Arizzone and Michaels had already worked on a documentary in 2006 called Hacking Democracy, which was about uncovering voting machine vulnerabilities and about how votes were manipulated, leading to George W. Bush winning the elections (2004).

And here we are again in 2020 talking about the same problem and uncovering the same old security holes inside the machines that are supposed to be secure and reliable, since they have the essential role of ensuring democracy is being practiced properly.

The authors gathered various experts, including Harri Hursti, a hacker and election security expert, to talk about their view and knowledge of the U.S. election system.

Hursti already warned about the hackability of the election machines in 2006. Now, once again, he went on a mission to expose the susceptibility of the U.S. election system by analyzing the machines currently in use, but also the discarded ones which he easily got hold of through eBay. As if that weren’t enough, the purchased ones still contained voting data.

He then decided to test the hackability of the machines by allowing hackers at the DEF CON hacker convention to try to access them. The task was shockingly easy and every single machine was successfully breached, which meant anyone could effortlessly manipulate the election results.

The authors also interviewed a hacker that goes by “CyberZeist”, who claimed to have accessed the Alaska voting system website with little effort. Had he been backed by an organization with an agenda, the repercussions would have been much greater.

The documentary gives you the technical information about how a kill chain works and a hacker’s potential motivation, whether it’s personal satisfaction and gain or political reasons. It also sheds light on how technology is supposed to make things faster and easier but how, in the end, it can be easily manipulated.

Does it hit the spot?

This is an eye-opening and captivating documentary accompanied by an eerie soundtrack that complements the seriousness of the issue well. The technical parts are well explained and comprehensible to the average viewer.

A great number of politicians and decision-makers continue to dismiss warnings and refuse to pass bills that would guarantee a secure and protected election system. Experts are worried, but without political backup, there’s not much they can do about it. Hopefully, this documentary will make U.S. citizens worry about the outcomes of future elections and push them to demand changes.


Researchers use AI and create early warning system to identify disinformation online

Researchers at the University of Notre Dame are using artificial intelligence to develop an early warning system that will identify manipulated images, deepfake videos and disinformation online.


The project is an effort to combat the rise of coordinated social media campaigns to incite violence, sow discord and threaten the integrity of democratic elections.

Identify disinformation online: How does it work?

The scalable, automated system uses content-based image retrieval and applies computer vision-based techniques to root out political memes from multiple social networks.

“Memes are easy to create and even easier to share,” said Tim Weninger, associate professor in the Department of Computer Science and Engineering at Notre Dame. “When it comes to political memes, these can be used to help get out the vote, but they can also be used to spread inaccurate information and cause harm.”

Weninger, along with Walter Scheirer, an assistant professor in the Department of Computer Science and Engineering at Notre Dame, and members of the research team collected more than two million images and content from various sources on Twitter and Instagram related to the 2019 general election in Indonesia.

The results of that election, in which the left-leaning, centrist incumbent garnered a majority vote over the conservative, populist candidate, sparked a wave of violent protests that left eight people dead and hundreds injured. Their study found both spontaneous and coordinated campaigns with the intent to influence the election and incite violence.

Those campaigns consisted of manipulated images exhibiting false claims and misrepresentation of incidents, logos belonging to legitimate news sources being used on fabricated news stories and memes created with the intent to provoke citizens and supporters of both parties.

While the ramifications of such campaigns were evident in the case of the Indonesian general election, the threat to democratic elections in the West already exists. The research team said they are developing the system to flag manipulated content to prevent violence, and to warn journalists or election monitors of potential threats in real time.

Providing users with tailored options for monitoring content

The system, which is in the research and development phase, would be scalable to provide users with tailored options for monitoring content. While many challenges remain, such as determining an optimal means of scaling up data ingestion and processing for quick turnaround, Scheirer said the system is currently being evaluated for transition to operational use.

Development is not too far behind when it comes to the possibility of monitoring the 2020 general election in the United States, he said, and their team is already collecting relevant data.

“The disinformation age is here,” said Scheirer. “A deepfake replacing actors in a popular film might seem fun and lighthearted but imagine a video or a meme created for the sole purpose of pitting one world leader against another – saying words they didn’t actually say. Imagine how quickly that content could be shared and spread across platforms. Consider the consequences of those actions.”

Only 38% of US govt workers received ransomware prevention training

73% of government employees are concerned about impending ransomware threats to cities across the country, and more employees fear cyberattacks on their community than natural disasters and terrorist attacks, an IBM survey has revealed.

More than 100 cities across the United States were hit with ransomware in 2019. Data in the new Harris Poll found ransomware attacks might be even more widespread, with 1 in 6 respondents disclosing their department was impacted by a ransomware attack.

Despite the growth of these attacks, half of the employees surveyed have not seen any change in preparedness from their employers, with only 38% receiving general ransomware prevention training. Also, budgets for managing cyberattacks have remained stagnant according to 52% of state and local government IT/Security professionals polled.


“The emerging ransomware epidemic in our cities highlights the need for cities to better prepare for cyberattacks just as frequently as they prepare for natural disasters,” said Wendi Whitmore, VP of Threat Intelligence, IBM Security.

“The data in this new study suggests local and state employees recognize the threat but demonstrate overconfidence in their ability to react to and manage it. Meanwhile, cities and states across the country remain a ripe target for cybercriminals.”

2020 elections concerns

With the impending 2020 election in the U.S., it’s no surprise election security is top of mind for government employees. In fact, the study found 63% of respondents are concerned that a cyberattack could disrupt the upcoming elections, with the majority of government employees placing their local Board of Elections among the top three most vulnerable systems in their communities.

While concerns of attacks against election systems and voting machines continue to make headlines, cyberattacks can also be used as a form of distraction or a way to weaken confidence in systems for voters, or even impede them from casting ballots.

The Cybersecurity and Infrastructure Security Agency (CISA) has warned that ransomware attacks, in particular, pose a heightened risk to the elections. According to the study, the fear of ransomware attacks feels real to the vast majority of responding government employees, with 73% expressing concerns about threats to U.S. cities.

Public education

Public schools have emerged as a growing target for cybercriminals in 2019, ranking as the 7th most targeted industry. Ransomware impacted school districts in New York, Massachusetts, New Jersey, Louisiana and other states last year.

The study found that education respondents had the lowest amount of cybersecurity training compared to other surveyed state and local professionals. In general, 44% of those from the public education sector said they hadn’t received basic cybersecurity training, and 70% said they hadn’t received adequate training specifically on how to respond to a cyberattack.

With low training numbers, the majority of education respondents aren’t overly confident in their ability to recognize and prevent a ransomware attack – confidence is nearly 20% lower than other state and local employees surveyed.

Calling on the federal government

With ransomware attacks against cities likely to continue in 2020, both U.S. government employees and taxpayers believe the federal government should step in to assist.

The survey shows 78% of government employees believe the federal government should provide assistance to communities in responding to cyberattacks, echoing sentiments from the study where 50% of U.S. taxpayers said it’s the federal government’s responsibility to protect cities from ransomware.

The majority (76%) of state and local employees also believe cyberattacks warrant emergency support, similar to those used for natural disasters.

Positive progress and the path forward for cities

While the study details where work needs to be done in preparing cities for cyberattacks, the results also showed some improvements made since last year.


When asked whether they had seen any increases in preparedness and concern for cybersecurity in their departments, government employees surveyed claimed they had seen more improvements than not, and nearly 70% think their employers are currently taking the threat of cyberattacks seriously.

City and state employees ranked ransomware #3 among the threats they were most familiar with – demonstrating that well publicized attacks are increasing awareness.

Lack of .GOV validation and HTTPS leaves states susceptible to voter disinformation campaigns

There’s a severe lack of U.S. government .GOV validation and HTTPS encryption among county election websites in 13 states projected to be critical in the 2020 U.S. Presidential Election, a McAfee survey reveals.


Example of what a fraudulent email might look like

Malicious actors could establish false government websites

The survey found that as many as 83.3% of these county websites lacked .GOV validation across these states, and 88.9% and 90.0% of websites lacked such certification in Iowa and New Hampshire respectively.

Such shortcomings could make it possible for malicious actors to establish false government websites and use them to spread false election information that could influence voter behavior and even impact final election results.

“Without a governing body validating whether websites truly belong to the government entities they claim, it’s possible to spoof legitimate government sites with fraudulent ones,” said Steve Grobman, McAfee Senior Vice President and CTO.

“An adversary can use fake election websites for misinformation and voter suppression by targeting specific voters in swing states with misleading information on candidates, or inaccurate information on the voting process such as poll location and times.

“In this way, this malicious actor could impact election results without ever physically or digitally interacting with voting machines or systems.”

No governing authority prevents the purchase of .COM, .NET, .ORG, and .US domain names

Government entities purchasing .GOV web domains have submitted evidence to the U.S. government that they truly are the legitimate local, county, or state governments they claimed to be.

Websites using .COM, .NET, .ORG, and .US domain names can be purchased without such validation, meaning that there is no governing authority preventing malicious parties from using these names to set up and promote any number of fraudulent web domains mimicking legitimate county government domains.

HTTPS encryption assures citizens that any voter registration information shared with the site is encrypted, and gives them greater confidence in the entity with which they are sharing that information.

Websites lacking .GOV and encryption cannot assure voters seeking election information that they are visiting legitimate county and county election websites, leaving malicious actors an opening to set up disinformation schemes.

“In many cases, these websites have been set up to provide a strong user experience versus a focus on the implications that they could be spoofed to exploit the communities they serve,” Grobman continued.

“Malicious actors can pass off fake election websites and mislead large numbers of voters before detection by government organizations. A campaign close to election day could confuse voters and prevent votes from being cast, resulting in missing votes or overall loss of confidence in the democratic system.”

State counties lacking .GOV validation

Of the 1,117 counties in the survey group, 83.3% of their websites lack .GOV validation. Minnesota ranked the lowest among the surveyed states in terms of .GOV website validation with 95.4% of counties lacking U.S. government certification.

Other states severely lacking in .GOV coverage included Texas (94.9%), New Hampshire (90.0%), Michigan (89.2%), Iowa (88.9%), Nevada (87.5%), and Pennsylvania (83.6%).

Arizona had the highest percentage of main county websites validated by .GOV with 66.7% coverage, but even this percentage suggests that a third of the Grand Canyon State’s county websites are unvalidated and that hundreds of thousands of voters could still be subjected to disinformation schemes.

State counties lacking HTTPS protection

The survey found that 46.6% of county websites lack HTTPS encryption. Texas ranked the lowest in terms of encryption with 77.2% of its county websites failing to protect citizens visiting these web properties. Other states with counties lacking in encryption included Pennsylvania (46.3%), Minnesota (42.5%), and Georgia (38.4%).

Assessment of Iowa and New Hampshire

In Iowa, 88.9% of county websites lack .GOV validation, and as many as 29.3% lack HTTPS encryption. Ninety percent of New Hampshire’s county websites lack .GOV validation, and as many as 30% of the Granite State’s counties lack encryption.

Inconsistent naming standards

The research found that some states attempted to establish standard naming formats, such as www.co.[county name].[two-letter state abbreviation].us. Unfortunately, these formats were followed so inconsistently that a voter seeking election information from her county website cannot be confident that a web domain following such a format is indeed a legitimate site.
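The survey's three per-site checks (.GOV validation, HTTPS, and the co.[county].[state].us naming format) can be reproduced over a county URL inventory, as in this added example, which is not McAfee's methodology or code. The function names, the state codes XX and YY, and every URL are constructed for illustration, and the HTTPS flag reflects only the scheme of the listed URL.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# www.co.[county name].[two-letter state abbreviation].us, the format quoted above
CO_US_FORMAT = re.compile(r"^(?:www\.)?co\.[a-z0-9-]+\.[a-z]{2}\.us$")

def assess_site(url):
    """Classify one listed URL on the three criteria the survey reports."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    return {
        "host": host,
        # Only the final label counts: "gov" elsewhere in the name proves nothing.
        "gov_validated": host.endswith(".gov"),
        "https": parts.scheme == "https",
        # Matching the naming format is informational only; .us names are not validated.
        "co_us_format": bool(CO_US_FORMAT.match(host)),
    }

def summarize(sites):
    """sites: iterable of (state, url). Returns the percentage of sites per state
    lacking .GOV validation and lacking HTTPS."""
    counts = defaultdict(lambda: {"total": 0, "no_gov": 0, "no_https": 0})
    for state, url in sites:
        result = assess_site(url)
        tally = counts[state]
        tally["total"] += 1
        tally["no_gov"] += not result["gov_validated"]
        tally["no_https"] += not result["https"]
    return {
        state: {
            "pct_lacking_gov": round(100 * t["no_gov"] / t["total"], 1),
            "pct_lacking_https": round(100 * t["no_https"] / t["total"], 1),
        }
        for state, t in counts.items()
    }

# Constructed inventory: placeholder states and hostnames, not real county sites.
SAMPLE_SITES = [
    ("XX", "https://www.examplecounty.gov"),
    ("XX", "http://www.co.example.xx.us"),
    ("XX", "https://www.voteexamplecounty.com"),
    ("YY", "https://elections.example-county.gov"),
    ("YY", "http://www.examplecounty.gov.example.com"),
]

if __name__ == "__main__":
    for state, stats in summarize(SAMPLE_SITES).items():
        print(state, stats)
```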

Easy-to-remember naming formats

The research found 103 cases in which counties set up easy-to-remember, user-friendly domain names to make their election information easier to remember and access for the broadest possible audience of citizens.

Examples include www.votedenton.com, www.votestanlycounty.com, www.carrollcountyohioelections.gov, www.voteseminole.org, and www.worthelections.com.

While 93 of these counties (90.2%) protected voters visiting these sites with encryption, only two validated these special domains and websites with .GOV. This suggests that malicious parties could easily set up numerous websites with similarly named domains to spoof these legitimate sites.

Strategies for transitioning to .GOV

While only 19.3% of Ohio’s 88 county main websites have .GOV validation, the state leads McAfee’s survey with 75% of county election websites and webpages validated by .GOV certification. This leadership position appears to be the result of a state-led initiative to transition county election-related content to .GOV validated web properties.

A majority of counties have subsequently transitioned their main county websites to .GOV domains, their election-specific websites to .GOV domains, or their election-specific webpages to Ohio’s own .GOV-validated ohio.gov domain.

Such a .GOV transition strategy constitutes an interim solution until more comprehensive efforts are made at the state and federal government level through initiatives such as The DOTGOV Act of 2020. This legislation would require the Department of Homeland Security (DHS) to support .GOV adoption for local governments with technical guidance and financial support.

“Ohio has made a commendable effort to lead in driving election websites to .GOV, either directly or by using the state run ohio.gov domain,” said Grobman.

“While main county websites still largely lack .GOV validation, Ohio does provide a mechanism for voters to quickly assess if the main election website is real or potentially fake. Other states should consider such interim strategies until all county and local websites with election functions can be fully transitioned to .GOV.”

Arlo: An open source post-election auditing tool

The Cybersecurity and Infrastructure Security Agency (CISA) is teaming up with election officials and their private sector partners to develop and pilot an open source post-election auditing tool ahead of the 2020 elections.

The tool, known as Arlo, is being created by VotingWorks, a non-partisan, non-profit organization dedicated to building secure election technology.

About Arlo

Arlo is open source software provided free for state and local election officials and their private sector partners to use.

The tool supports numerous types of post-election audits across various types of voting systems including all major vendors.

Arlo provides an easy way to perform the calculations needed for the audit: determining how many ballots to audit, randomly selecting which ballots will be audited, comparing audited votes to tabulated votes, and knowing when the audit is complete.
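The four calculations listed above, shown for one published audit method, the BRAVO ballot-polling risk-limiting audit of a two-candidate contest. This is an added example, not Arlo's code, and the page does not say which methods Arlo implements; the ballot pile, seed, and function names are assumptions, and Python's `random.Random` stands in for the publicly verifiable sampler a real audit needs.

```python
import math
import random

def expected_sample_size(winner_share, risk_limit):
    """How many ballots to audit: Wald's approximation of the draws needed
    when the reported winner share (of winner + loser votes) is correct."""
    s = winner_share
    drift = s * math.log(2 * s) + (1 - s) * math.log(2 * (1 - s))
    return math.ceil(math.log(1 / risk_limit) / drift)

def bravo_audit(ballots, winner, loser, winner_share, risk_limit, seed, max_draws):
    """Draw ballots uniformly at random with replacement, compare each one
    with the reported outcome, and stop once the evidence is strong enough."""
    rng = random.Random(seed)        # seeded so the selection can be replayed
    threshold = 1 / risk_limit       # the audit is complete at this value
    statistic = 1.0
    for draw in range(1, max_draws + 1):
        vote = ballots[rng.randrange(len(ballots))]
        if vote == winner:
            statistic *= 2 * winner_share        # evidence for the reported outcome
        elif vote == loser:
            statistic *= 2 * (1 - winner_share)  # evidence against it
        # Any other mark (undervote, other candidate) leaves the statistic unchanged.
        if statistic >= threshold:
            return {"confirmed": True, "draws": draw, "statistic": statistic}
    # Not confirmed within the budget: escalate, ultimately to a full hand count.
    return {"confirmed": False, "draws": max_draws, "statistic": statistic}

if __name__ == "__main__":
    # Constructed ballot pile: the tabulation reported 60% for "A" over "B".
    pile = ["A"] * 6000 + ["B"] * 4000
    print("planned draws:", expected_sample_size(0.6, 0.05))
    print(bravo_audit(pile, "A", "B", 0.6, 0.05, seed=20201103, max_draws=5000))
```

A risk limit of 0.05 means that if the reported winner did not actually win, the audit has at most a 5% chance of confirming the outcome anyway.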

The first version of Arlo is already supporting pilot post-election audits across the country, including several from this month’s elections.

Some partners of this pilot program include election officials in Pennsylvania, Michigan, Missouri, Virginia, Ohio, and Georgia. Additional partners will be announced in the coming weeks.

Improving post-election auditing

CISA’s investment is designed to support election officials and their private sector partners who are working to improve post-election auditing in the 2020 election and beyond.

“Heading into 2020, we’re exploring all possible ways that we can support state and local election officials while also ensuring that Americans across the country can confidently cast their votes,” said CISA Director Christopher Krebs.

“At a time when we know foreign actors are attempting to interfere and cast doubt on our democratic processes, it’s incredibly important elections are secure, resilient, and transparent. For years, we have promoted the value of auditability in election security, it was a natural extension to support this open source auditing tool for use by election officials and vendors, alike.”

“We’re very excited to partner with CISA to develop Arlo, a critical tool supporting the implementation of more efficient and effective post-election audits. Because Arlo is open-source, anyone can take it and use it and anyone can verify that it implements audits correctly,” said Ben Adida, Executive Director of VotingWorks.