Most security pros concerned about election infrastructure

Although 93% of more than 400 security professionals polled in the UK, the US and Australia are concerned about cyber attacks targeting election infrastructure and data, few are confident in their governments’ defences against such attacks.

Only 2% said they are “very confident” in their local and central governments’ abilities to detect cyber attacks targeting election infrastructure and only 3% said the same about their governments’ ability to block such attacks, according to survey by security firm Venafi.

The survey showed that 81% of those polled believe cyber criminals will target election data as it is transmitted by machines, software and hardware applications, from local polling stations to central aggregation points.

When asked what areas of election infrastructure are most vulnerable to cyber attackers, 54% said voting machines that collect election data, 52% said encrypted communications between polling stations and back-end election systems and 50% said systems that store voter registration data.

Just over one-third (35%) believe vulnerabilities and exploits connected with election systems are “definitely” available to cyber attackers on the dark web, while 64% believe that they are “probably” available.

As a consequence, 95% of survey respondents believe that election systems – including voting machines, software and back-end systems – should be considered critical infrastructure and protected accordingly.

“Last year, attendees at the Defcon security conference managed to find and take advantage of vulnerabilities in five different voting machine types within 24 hours, but voting machines form only a small portion of election infrastructure,” said Venafi CEO Jeff Hudson.

“It is clear to nearly all security professionals that the back-end systems that transmit, aggregate, tabulate, validate and store election data are at least as vulnerable to cyber attacks as voting machines.”

Earlier this month, a US grand jury issued a detailed indictment relating to international interference during the 2016 US presidential election. Details in the indictment indicate that nation-state actors used a variety of attack methods, including encrypted tunnels to target vulnerabilities in election infrastructure, making the attacks difficult to detect and block without a comprehensive machine identity protection capability.  

“Security professionals clearly think that machine-to-machine communication in the electoral process is a high-value asset for attackers targeting election results,” said Kevin Bocek, vice-president of security strategy and threat intelligence for Venafi.

“This is just one reason why governments around the world need to make the security of all encrypted, machine-to-machine communication their top concern.”

In March 2018, Computer Weekly reported that security concerns had re-emerged to frustrate the Finnish government’s plans to launch a national e-voting system, forcing the project to enter a problem-solving phase to identify advanced, effective and best-practice solutions to protect a future e-voting system.

The Finnish government said the system must be able to guarantee the operating integrity of the election process while being technically robust to combat a wide range of external threats, particularly those emanating from the cyber domain.

Online voting is also being held back in the UK because of fears that cyber criminals could influence the results, according to a survey published in June 2017, which showed that 40% of Britons feared that the UK general election on 8 June 2017 might be targeted by hackers.

“Claims that Russian hackers had some influence on last year’s US presidential elections have sparked a wave of scepticism around the safety of electronic voting here in the UK,” said Pete Turner, consumer security expert at Avast, which carried out the survey.

However, Computer Weekly reported that 30% of the Brits surveyed were in favour of electronic voting, their reasons being increased turnout and making it easier for Brits abroad to vote.

“The move to digital is a necessary part of evolving the electoral process for the benefit of the public,” said Turner. “Rather than simply abandoning the move to e-voting, politicians need to reassure the public that, when the move to e-voting does take place, that the proper security measures are in place to ensure the democratic process is not open to abuse.”