“Just because you’re paranoid does not mean they are not out to get you,” was one of the many bon mots left by statesman Henry Kissinger, and during this election season, it has never rung more true. There has been much discussion over the possibility that the upcoming elections could be hacked – that the databases containing voter information could be compromised and that hackers could get to the actual databases where election results are stored, with fears that information could be manipulated and, ultimately, change the results of the 2016 presidential election.
There’s little the two major parties agree on this year, but both believe that a hacking incident that could upset the election is possible – perhaps even likely. In an August speech, Donald Trump expressed fears that the election could be “rigged” against him, while Hillary Clinton has already marked “Russian intelligence services” as the culprits behind the July hack of Democratic National Committee computers.
{mosads}While most voters might have in the past dismissed these claims as run of the mill smear campaigning, the problem is that voter databases have already been hacked in at least two states. After the breach of voter data in Illinois and Arizona, the FBI determined that “an unknown actor scanned a state’s Board of Election website for vulnerabilities” using various techniques (specifically, via an SQL injection on text boxes on the site that generated a data dump from databases).
Success breeds ambition, and with the success of hackers in reaching two state voter databases, there’s no reason they won’t try again. Voter databases are a juicy target; besides being able to brag that they “took down” the U.S. election, hackers also get access to private information, such as name, address, voting history, party affiliation – and the documentation they use to register and verify their identity, typically a driver’s license or other official document with proof of residency. It’s not as good as a social security number (usually not included in voter databases), but it’s good enough to open bank accounts and apply for credit cards.
The bottom line is that security on many of these state servers is pretty lousy, according to industry experts. While the specific vulnerabilities behind these recent incidents have been shored up, hackers’ tastes have been whetted and they are likely to seek out other ways of hacking into databases. If all else fails, there’s the tried and true method of using spear-phishing techniques to take advantage of state workers and campaign employees to spread malware that will compromise servers and networks. Hackers understand well that employee endpoints are the biggest attack surface and the hardest one to protect in any organization. According to industry statistics, over 90% of data breaches have their origins in a spear-phishing message with a rogue attachment or javascript that, once opened, activates a process that enables hackers to install malware that eventually lets them steal login credentials or take direct control of computers. With that kind of access, hackers can make their way to the “crown jewels” – the voter database, stealing data or manipulating it as they wish.
One way to prevent hackers from getting this kind of access is to prevent user access to attachments, or to warn them not to click on links. But experience shows that this is not feasible; phishing attacks have been going on for a long time, and they show no signs of slowing, despite efforts by tech teams to educate workers.
A more effective way of preventing hacker invasions is to keep users away from the tools they use to invade networks. Network segregation and virtual containers can help keep problematic code out of the internal network, while enabling users to connect with web sites and open email attachments needed for work. For example, attachments are kept in the segregated area, and although they can be viewed by users, by remaining in a different area, it ensures that the background code that allows hackers to install malware cannot make its way to a computer or a network. Ditto for connections to “drive-by download” sites that install malware when users click on links. As a result, endpoints – the most common portal for hack attacks – are protected
A system like that could have saved officials in Arizona a great deal of grief. Last June, officials discovered a username and password allowing access to the state’s voter database – and traced it to a phishing e-mail sent to a county employee. The employee opened an attached Word document loaded with malware-ridden macros. The macros installed a trojan which contacted a server, and downloaded the malware that recorded the desired log-in information.
The rest could have been history, with Arizona facing de-certification of its election results, if a hacker had gotten hold of the password and tampered with voter data (according to state officials, there is no evidence that the data was manipulated or even accessed).
With all the issues raised and dirt thrown by both candidates, the American electoral system is still a wonder – a system that for 250 years has allowed for the peaceful transition of power between leaders every four years. Messing with that could be very attractive to a panoply of international players. Protecting endpoints that lead to voter databases isn’t just about computer security – it’s about protecting our political system.
Israel Levy is CEO of BUFFERZONE.
The views expressed by authors are their own and not the views of The Hill.