In this interview for Help Net Security, James Turgal, VP of Cyber Risk, Strategy and Board Relations at Optiv, talks about election cybersecurity and how to keep elections and electoral campaigns safe.
Midterms are getting closer, and election cybersecurity is again in the spotlight. What is making it so vulnerable?
After the results of the most recent presidential election were almost overshadowed by so-called “election deniers” and those who continue to claim fraud in the votes cast, all eyes are on the midterm elections in November. Social media platforms are flooded with manipulated information, and threat actors are getting good at creating narratives with some simple research mixed with deception and social engineering techniques.
Threat actors have the goal of creating “fake news” to manipulate communications and those who devour it. Dedicated nation state and proxy groups are targeting not just election systems and infrastructure, but also election volunteers and people who may not recognize a cyberattack during their work. After all, people are the weakest link when it comes to these social engineering techniques and other hack attempts.
Are people the weakest link in campaigns and why?
As is the case in many cybersecurity breaches, unfortunately, people are the weakest link within the election system. From the tens of thousands of volunteers who answer phones and emails, make banners, go door to door, etc. to support campaigns, to the ones operating the election information technology systems and voting machines, there are several avenues for bad actors to try to compromise the system.
All it takes is one person within an organization (particularly campaigns) to click a bad link in an email and allow hackers into the system, therefore compromising the troves of information and data, such as credit card numbers from donations and personal information. These volunteers and employees have varying degrees of cyber acuity, knowledge and experience, making them a prime target for nation state and proxy groups to hit with social engineering tactics.
What should campaign and election officials keep in mind and watch out for?
The hacking attempts that nation state threat actors will deploy have become significantly more sophisticated and harder to spot. Gone are the days where phishing and socially engineered messages had misspelled words, bad grammar and obvious clues that they were fake. Nowadays, the phishing attempts could closely resemble an organization the campaign might work with, such as a vendor or local association. They might also reference current events to seem more legitimate, or convey a sense of urgency in their messages, such as listing a deadline, so the victims will act quickly before being vigilant about checking the source.
Additionally, we’ve seen consistent attack patterns that not only target these candidates and campaign staffers, but also policy and legislative experts that may consult on key issues and subjects. Therefore, detection and vigilance are critical from all staffers and partner organizations alike.
Is there something specific campaign and election officials can do to make sure campaigns are secure?
Elections officials and campaigns must be especially vigilant at detecting social engineering hacks. All staff should participate in social engineering training that includes information about all forms of attack vectors, including in-person, telephone and electronic-based attempts. Volunteers should also be trained to use caution when providing information online and to outside entities – including on social media posts – as threat actors will gather this information to craft more personal social engineering hacks.
Lastly, campaigns should prioritize hiring cyber subject matter experts, create cyber-focused defense and resilience plans, and secure cyber warrior volunteers who understand the threat actors, their tactics and techniques, and can then spot anomalies in emails, text messages, phone calls or other interactions. Just as experts are hired to consult on legislative, policy and foreign issues, cybercrime is a big business now, so organizations need expertise in this field to proactively defend themselves.
How are cybercriminals evolving in this area?
While cybercriminals have become more sophisticated in how they position attacks to become more convincing, they haven’t changed a lot in their techniques – because they still work. Simple phishing attempts like sending bad hyperlinks and emails are still getting hackers access to sensitive information within companies’ databases, so until they aren’t making money anymore from these types of attacks, we expect to see more of the same thing. Therefore, companies must implement basic cyber hygiene practices – even simple tasks like using a 12-character password or double-checking email addresses after receiving suspicious emails can prevent hackers from getting into systems.