Security News

Election hacking: A September update

David Strom, 21 September 2020

In this month's update on U.S. election hacking, state-sponsored efforts fail, New Jersey goes all mail-in ballots

As we approach the November general U.S. elections, things are heating up, with both candidates now making actual campaign appearances. We have also seen an increase in cyberattacks and other threats to our elections. This includes efforts to hack into campaign staff’s accounts by foreign governments, physical threats during these campaign stops, and changes to how votes will be recorded.

Douglas Jones, a computer science professor who has studied various election hacking efforts, recently wrote an update for The Conversation here, providing new details about the extent of these hacks.

We've written several previous blog posts about the state of elections security. In March, we began our series on tech and the vote, followed by this post on the ​Iowa and LA primary voting issues​. We also wrote about some of the more recent election-related developments from speakers at the Black Hat and DEFCON conferences in August.

Let’s review the latest in election interference news. First up is a report from Microsoft, who has discovered a series of unsuccessful attacks on people associated with both presidential campaigns. That blog post describes efforts from state-sponsored groups from Russia, China and Iran on various campaign staffers and networks. The attacks include credential harvesting and malware-laced copycat websites to track key campaign staffers. Microsoft has witnessed these groups are improving their tactics, using new reconnaissance tools and new techniques to obfuscate their operations, such as compromising the personal email accounts of staffers and using Tor networks. The Russian group, for example, targeted 6,912 email accounts at 28 organizations. This isn’t completely unexpected, since the same groups all have been active in earlier US election hacking efforts. Still, the warnings are worth heeding. 

But wait, there's more!

Last week the FBI sent warnings to various local law enforcement about potential violent threats at various campaign events, both in the guise of protests and counter-protests. “There’s real concern that violence is going to escalate with these domestic terrorist groups with the election coming up,” said Nate Snyder to Yahoo News. He was a former Obama counter-terrorism official. These actions could intimidate voters.

That news, combined with an unease from some people about sharing crowded indoor spaces, has resulted in an increase in early and mail-in voting. “About six in 10 registered voters nationwide say they want to cast their ballots before Election Day, a significant departure from previous years,” according to a Washington Post-University of Maryland poll conducted by Ipsos. By way of comparison, in the 2016 presidential election, about 4 in 10 ballots were cast early.

Some states are scrambling to adjust their mail-in practices. This is the result of several reasons coming together:

  • First, many states are concerned about their rising Covid infection rates and want to make it safer for their citizens to vote.
  • Second, some states have not replaced early electronic voting machines that were found to be easily hacked. Whether this was a budgetary issue or just delays in the political process, the result is having more mail-in ballots is a simpler and cost-effective way to shore up their vote.
  • Finally, some states have had major vote tally problems in their earlier primaries and wanted to resolve those issues with more mail-in ballots.

Perhaps the best example of this is New Jersey, which announced that it will become an all-mail-in ballot state for its 6 million registered voters last month. It touched all three issues above. Of course, voters can still cast their votes in person. The state’s election board has put together this infographic (a portion is shown below) that describes some of the online safety measures they have implemented, along with enumerating potential cyber threats and how to report incidents.  

One issue for the state is that in-person votes will be considered provisional, and will be examined by election workers after November 3 to ensure that voters didn’t already vote by mail. That is usually the opposite of current practice, where mail-in votes aren’t tabulated until after election day.

The takeaways

Here are some things to take away from these events. First, voters should consult guides such as the one produced by the Washington Post that describes the steps you need to take to register to vote and what are the deadlines for absentee and mail-in applications and ballots. Another good source is Ballotpedia. Based on these timelines and your personal preference, you should plan your voting option, whether online, by mail or in person. It can be confusing to be sure: with some states, there is a difference between mail-in ballots and absentee ballots, for example.

Second, be hyper-vigilant about phishing lures. Are you getting emails or connection messages through social media from people you haven’t heard from in a long time? Or that have mismatched names and accounts? These could be harmless, or they could be steps towards compromising your own identity and computers.

Finally, be aware of your news feed. Our April guide to spotting fake news and being more skeptical about what you read online is worth reviewing.