Cyber risk assessment of U.S. election commissions finds critical areas for improvement

Many election commissions are focused on quickly adapting and updating their cybersecurity; however, commissions still need to dedicate resources to updating outdated operating systems and protecting their email domains from being spoofed, according to NormShield.

election commission cybersecurity

The report, which examined more than 100 items, focused on the broader picture — the internet facing infrastructure that supports state election processes.

NormShield conducted two risk assessments (July and August) of 56 election commissions and Secretaries of State (SoS) to identify the publicly available information that hackers could exploit to conduct an attack.

During the July assessment, 27 commissions received a C grade or worse with all commissions averaging a D- for the management of security and other update patches for their operating systems. The second scan in August found that 43 of 56 commissions earned an A or B for their security posture.

“Limited resources coupled with the responsibility for a highly-attractive threat vector provide significant challenges to those responsible for the U.S. election infrastructure,” said Bob Maley, CSO of NormShield.

“With a little more than one year before a Presidential election, our nation’s election commissions still have the opportunity to secure their Internet-facing infrastructure to prevent hackers from finding a back door to a wide variety of critical data that includes voter registration data.”

Key findings

  • Use of outdated operating systems – More than half of election systems use Windows Server 2008 r2 and Microsoft IIS 7.5 where Windows Server 2019 and Microsoft IIS 10.0 are available. Four commissions even use Windows Server 2003. Windows 2003 is an example of a legacy system that is no longer supported by its manufacturer. The U.S. Dept. of Homeland Security Cyber+Infrastructure Security Agency (CISA) sent out an alert that Windows 2003 would no longer be supported by Microsoft, including for automatic fixes, updates, or online technical assistance.
  • Susceptibility to phishingDMARC Records are essential to prevent spoofing attacks through email. DMARC prevents hackers from sending emails that look like they from a legitimate organization. However, 59% of commissions had missing DMARC records. In addition, more than 40% of the election commissions have at least one website with an invalid or expired SSL certificate. Adversaries can leverage this lack of security to penetrate websites.
  • Botnet and spam attack risks – If a digital asset of an organization becomes a part of botnet or spam propagation, the organization’s IP addresses are listed in publicly available blacklists. Almost one third of the election commissions have at least one asset that is reported by blacklist databases.


What can election commissions do?

In the short term, vulnerabilities and potential attack vectors on highest-risk systems have to be monitored on a real-time basis and addressed as they are discovered.

In the long term, political leaders need to understand the complexity of the IT systems that have been put in place and support significant financial resources for technology and staffing to allow the CISOs and SOSs to stay ahead of hackers.

States can improve their understanding of what systems truly represent the most risk by becoming more aware of their cyber ecosystem footprint. Risk is not just present at the level of the Secretary of State’s website; but throughout the entire election ecosystem, which includes all of the underlying supporting infrastructure (and third-party services connected to and supporting that infrastructure).

However, awareness doesn’t create security. Critical infrastructure must be upgraded, patched, and replaced to give U.S. elections the best opportunity to remain secure.

Don't miss