From the Institute for Critical Infrastructure Technology: Hacking Elections Is Easy <read>. It is the most layperson accessible comprehensive overview of the problems we face protecting our elections that I have seen in a long time. It is 23 pages yet very readable. The main points are:
- We face multiple risks our elections: Registration systems, voting systems, reporting systems, and ballot security.
- We face risks from multiple actors: Nations with interests in manipulating our elections, corporations, U.S. Government agencies, sophisticated hackers, and insiders at all levels.
- For the unsophisticated, Hacking Is Easy. There are simple insider attacks, simple cyber attacks, and kits on the Internet to compromise results or simply disrupt elections.
- Most election officials are of high integrity. Yet, blind trust in all officials, machines, and that hacking is difficult is perhaps our greatest risk.
Just a couple excerpts from the Introduction:
To hack an election, the adversary does not need to exploit a national network of election technology. By focusing on the machines in swing regions of swing states, an election can be hacked without drawing considerable notice. Voter machines, technically, are so riddled with vulnerabilities that even an upstart script kiddie could wreak havoc on a regional election, a hacktivist group could easily exploit a state election, an APT could effortlessly exploit a national election and any corrupt element with nothing more than the ability to describe the desired outcome could order layers of exploits on any of the multitude of deep web forums and marketplaces. Yes, hacking elections is easy…
Manufacturers and voting officials have constructed an illusion of security based on the semblance of complexity when, in reality, voting machines are neither secure or complex. In general, these stripped down computers utilizing outdated operating systems possess virtually every conceivable vulnerability that a device can have…
Attackers’ ability to exploit vulnerabilities in the systems that support the American democratic process is not exclusive to election machines. Catastrophically disrupting the campaign of just about any political candidate can be done with little more than a DDoS attack on fundraising links and web properties, spam widgets on social media platforms, an insider threat who delivers a malicious payload on a USB drive or unsuspectingly by clicking a link in a spear phishing email, and a ransom ware variant to encrypt important donor lists to further cripple fundraising. A pseudo tech savvy adversary could create a network of spoofed sites to confuse voters and this is just the beginning. By combining attack vectors and layering attacks, an adversary can manipulate the democratic process by inciting chaos, imbuing suspicion, or altering results.
an eighteen year-old high school student could compromise a crucial county election in a pivotal swing state with equipment purchased for less than $100, potentially altering the distribution of the state’s electoral votes and thereby influencing the results of the Presidential election…
An unskilled threat actor may begin a campaign by sending phishing emails or using free script
kiddie tools to remotely attack undefended local networks to compromise email and exfiltrate
internal documents that reveal the types of systems used in an election as well as their storage
conditions.
