On December 12th, 2019, we warned that the risk of data exfiltration had elevated the ransomware threat to crisis level and called on governments to act immediately to improve their security. Since that time, data has been stolen from multiple organizations and published online. Those organizations include at least one government (the City of Pensacola), Allied Universal, Southwire, Medical Diagnostic Laboratories, Bird Construction, Artech, as well as law and accounting firms and multiple other businesses.
We now feel it necessary to issue a similar warning in relation to the threat ransomware presents to the 2020 election and again call on governments to act immediately to improve their security.
Ransomware a credible threat to 2020 election
As the 2020 U.S. election looms near, many fear that foreign interference may once again disrupt the electoral process and potentially impact the outcome of the presidential race.
In 2016, it was Russian hacking and disinformation campaigns. In 2020, we believe election interference may come in the form of a different type of cyberattack: ransomware.
The use of outdated operating systems by election jurisdictions, widespread disregard for cybersecurity practices among local governments and low levels of public faith in the integrity of the election system have created a near-perfect storm for ransomware attacks to both disrupt the election and undermine the public’s confidence in the result.
While many discussions about election security center on the integrity of voting machines and voter databases, there are other aspects of the electoral process besides the election systems themselves that are much more vulnerable to ransomware-style attacks.
Specifically, we believe threat actors could use ransomware to tamper with the 2020 election process by attacking county-level entities and lower-level election officials who may not have the resources to maintain robust anti-ransomware practices. Successful attacks on the systems used by election administrators could potentially disrupt local voting infrastructure, stifle access to information, leak voter data and ultimately undermine public trust in the election system during what is expected to be a highly contentious presidential race.
This is not a far-fetched scenario. According to our figures, U.S. local governments have fallen to ransomware at a rate of one every other day since the beginning of 2020.
This report examines the risk factors and implications of ransomware attacks on local governments in the lead-up to the 2020 presidential election.
Ransomware risk factors for 2020 U.S. election
Disregard for cybersecurity
Local authorities (typically an individual or a commission of elections) are usually tasked with administering the election for their local electorate. This is problematic given that local governments have proven to be vulnerable to ransomware. In our State of Ransomware report, we found that 113 state and municipal governments were affected by ransomware in 2019.
What makes local governments so susceptible to ransomware? Research suggests it’s largely a matter of money. A 2019 University of Maryland, Baltimore County (UMBC) report stated that “Governments are under constant or near-constant cyberattack, yet, on average, they practice cybersecurity poorly” and cited lack of funding as the underlying cause of four of the top five barriers to cybersecurity. Findings included:
- More than a quarter of local governments did not know how frequently they were attacked.
- Almost 60 percent of attacks were ransom-related.
- Less than half of local governments had a “very good” or “excellent” ability to recover from a ransomware attack.
- Fewer than half of respondents said that they cataloged or counted attacks.
Cybersecurity audits at the state-level are relatively rare, but the audits that are conducted often reveal severe deficiencies. For example, a report issued by the State Auditor of Mississippi in October 2019 found that many Mississippi government institutions were not complying with the Mississippi Enterprise Security Program, which is required by law. The report identified a number of issues, including:
- More than 15 percent of institutions did not have a security policy plan or disaster recovery plan in place.
- 30 percent had not conducted a security risk assessment in the last three years.
- 38 percent reported not encrypting sensitive information.
The auditor concluded by stating that “State government cybersecurity is a serious issue for
Mississippi taxpayers and citizens” and “Many state agencies are operating as if they are not required to comply with cybersecurity laws.”
The results of the survey described above show that Mississippians’ personal data may be at risk. Many state agencies are operating as if they are not required to comply with cybersecurity laws, and many refused to respond to auditors’ questions about their compliance.
– Shad White, State Auditor of Mississippi.
Variation in election administration
State officials are often leery of federal involvement in election administration procedures. The federal government leaves the running of elections to states and municipalities, which results in significant variation in how election systems are administered and protected against cybersecurity threats.
While there are some advantages to this – a decentralized design means there’s no central database or voting equipment that could be vulnerable to attack and allows for more innovation among jurisdictions – it also means there’s a general lack of oversight and auditing.
“The crossover between election security, disinformation, and local government cybersecurity in the U.S. presents numerous vulnerabilities for our democracy,” explain UMBC Research Assistant Laura Mateczun and UMBC Professor and Chair of Public Policy Donald F. Norris who, along with UMBC Center for Cybersecurity Director Anupam Joshi, cowrote the previously mentioned UMBC research paper. “Although elections systems operate under state law and regulation, they are administered at the local level in roughly 10,500 local voting jurisdictions. This means that the potential for cyber disruption is a huge concern.”
The inconsistent application of cybersecurity practices between counties and states has rendered some jurisdictions more vulnerable to ransomware attacks than others – and a few vulnerable entities is it all it would take to potentially undermine the election. In a close and polarizing race, a successful ransomware attack on even a few counties could be enough to create doubt and affect voters’ perception of the election’s legitimacy, even if the attack didn’t directly affect the voting system itself.
It should also be noted that ransomware attacks are no longer limited to single targets. In August 2019, threat actors launched a large-scale ransomware attack on 22 Texas towns and counties by exploiting software used by an MSP that provided products and services to the affected entities. A similar coordinated attack on multiple jurisdictions could interrupt the flow of information, create widespread confusion and disrupt the election process.
Use of outdated technology
According to the Cybersecurity and Infrastructure Security Agency (CISA), machines running outdated applications and operating systems are the target of most ransomware attacks.
- The vast majority of the 10,000+ election jurisdictions in the U.S. rely on Windows 7 or an older operating system to run the election, according to the results of an Associated Press analysis.
- As of July 2019, about 31 percent of federal civilian agency computers were still running on Windows 7, according to a CISA official, as reported by Federal Times.
Windows 7 reached the end of its product life cycle on January 14, meaning Microsoft will no longer provide security updates or support for devices running Windows 7. Known vulnerabilities will not be fixed, leaving Windows 7 users substantially more vulnerable to ransomware and other cybersecurity threats. About 98 percent of computers affected by the devastating WannaCry attack in 2017 were running Windows 7.
Microsoft will provide election officials with free security updates for voting systems running Windows 7 through 2020 to ensure election systems are secure. However, this offer only applies to federally certified voting systems. The thousands of other Windows 7 systems still in use in local government entities (due to funding and compatibility requirements of legacy applications) are not eligible for the free security updates and will remain vulnerable, which could indirectly affect the election. Microsoft is offering paid security updates for Windows 7 enterprise users for the next three years, but it is uncertain whether cash-strapped jurisdictions will pay for the updates.
“I’m the person who’s supposed to be defending against these nation-state actors. It’s not that we’re not up to the task. But there are certain things we are unable to defend against. When someone has unlimited resources, they have unlimited power to try to find vulnerabilities in the system.”
– Kammi Foote, Inyo County local election official, as quoted by Rolling Stone.
How ransomware could impact the 2020 U.S. election
Undermine the election process
The main threat to the 2020 election isn’t encrypting voting systems, interfering with results or manipulating vote counts – it’s undermining the public’s trust in the electoral process and democracy itself. Faith in the integrity of the election is already low; more than 4 in 10 people believe the US is not prepared to keep the November elections safe and secure, according to the results of a recent NPR/PBS NewsHour/Marist Poll.
There are many ways ransomware could contribute to the erosion of trust in the election system. For example, threat actors could execute a ransomware attack on a vulnerable municipality and disrupt phone and email systems, while simultaneously launching a social media disinformation campaign falsely claiming polling station locations had changed, or voting equipment had been damaged or compromised. In a raze-thin race, such a scenario could have a major impact at the national level.
“Unless the election authorities have robust security measures in place to prevent intrusions and also effective business continuity plans to mitigate the effects if an attack takes place, the impact of a ransomware attack on the election process could be devastating for democracy,” says David Wall, Chair in Criminology at the University of Leeds. “The electorate involved could quickly lose confidence in the electoral process and the governmental process could quickly be destabilized.”
Disrupt election administration
Ransomware could impact the individuals and entities tasked with securing and overseeing voting systems. In the event of a ransomware incident, election officials could lose access to communications systems and databases, public-facing websites might be pushed offline and online payment systems may be disabled. After the incident, restoring impacted systems would likely be a stressful and resource-intensive process. Such an event could affect the operational efficiency of election officials and increase the risk of other forms of interference going unnoticed.
“Elections in the United States are largely operated by local governments, so any ransomware attack targeting a county, city, or town’s infrastructure could significantly compromise the ability of officials to check voter rolls, provide voters with polling place information, tally votes, or conduct audits. Moreover, even if the actual election infrastructure were not affected by such an attack, it might well undermine citizens’ trust in their local government’s ability to successfully carry out an election as well as their confidence in the results,” says Josephine Wolff, Assistant Professor of Cybersecurity Policy at The Fletcher School, Tufts University.
Manipulate voters’ access to media
Ransomware groups may interfere with the election by executing attacks on the media, which could limit voters’ access to information during the run-up to the election. As some media outlets are partisan, a ransomware attack could be used to influence voters by allowing them to only access media that is biased toward a particular candidate or party.
Dozens of major media companies in the U.S. have been affected by ransomware in recent years. Some high profile incidents include:
- In June 2017, KQED, one of the largest public media companies in the U.S., was infected with Samas ransomware. Operations were severely affected: KQED’s email stopped working, all network-connected devices were taken offline, phone systems were disabled and the station’s online broadcast was silenced for more than 12 hours.
- In late 2018, Tribune Publishing, a publishing company responsible for the production of a number of major newspapers, was hit by a strain of ransomware known as Ryuk. The attack caused distribution delays for the Los Angeles Times, the Chicago Tribune, the San Diego Union-Tribune and West Coast editions of the Wall Street Journal and the New York Times.
- In September 2019, Entercom, the second-largest broadcasting network operating in the U.S., fell victim to a ransomware attack, which affected the company’s telephones, production, billing, music scheduling and other internal digital systems.
Data theft
Recent events have shown that ransomware groups are willing to not only encrypt a target’s data, but also exfiltrate and publicly release it if their demands are not met. In November 2019, threat actors responsible for the Maze ransomware attacks published exfiltrated data of Allied Universal after the security firm failed to meet the ransom payment deadline. It marked the first time that a ransomware group had stolen and published a large amount of a victim’s data.
A successful ransomware and data exfiltration attack on the 2020 election could result in the leak of preliminary election data, which could influence voters. Alternatively, hackers could exfiltrate and release voter registration data, including personally identifiable information, which would impact voters’ privacy and cast more doubt over the election process.
Affect the voting system
In theory, an undetected ransomware infection could paralyze polls on election day and potentially prevent people from voting. However, it’s unlikely that a ransomware attack could directly affect election results due to tight security measures and the fact that 90 percent of voters are predicted to cast their votes on paper ballots, which are immune to cyberattacks and can be audited later.
Ransomware interference is more likely to affect other aspects of the voting system. For example, voter registration data is typically stored on the networks of local governments, which are often ill-equipped to defend their systems against advanced ransomware attacks. What’s more, there is no common standard for how often local governments should backup this data. An attack on voter registration databases could cause significant confusion and delays. History shows us that this is more than a theoretical threat: voter registration systems used to validate the eligibility of voters were compromised by Russian hackers in 2016.
Conclusion
It is highly likely that foreign threat actors will attempt to influence the 2020 U.S. election. We believe that this influence could come in the form of ransomware attacks, which may be used to undermine the election process by disrupting election administration processes, manipulating voters’ access to media and exfiltrating voters’ personally identifiable information.
While local governments have a responsibility to make their systems as resilient as possible, voters also have a role to play in maintaining the integrity of the election process. In addition to having a strong understanding of their voting rights, voters should always get their information from trusted sources and avoid sharing content that cannot be verified.
The 2020 U.S. presidential election must be decided fairly by the voting public, not foreign forces who seek to sabotage the nation’s democratic processes. We urge local governments to take immediate action to enhance their security.
“We’ve got to be prepared and resilient as a people, as a democracy, as voters, to not let someone else … decide the outcome of this election. American voters should decide American elections, and that’s why we’re putting as much effort into this as we are.”
– Christopher Krebs, leader of the Cybersecurity and Infrastructure Security Agency, as quoted by WITF.