Election administrators across the country are vulnerable to cyberattacks that originate through malicious phishing emails, a report released Monday found.
The report, compiled by cybersecurity group Area 1 Security, found that over 50 percent of election administrators have “only rudimentary or non-standard technologies” to protect against malicious emails from cyber criminals, with fewer than 30 percent using basic security controls to halt phishing emails.
The study also found that around 5 percent of election administrators use personal emails, which are seen as less secure than government emails, and some election administrators use a custom email infrastructure known to have been targeted by Russian military hackers during prior elections.
Email phishing is a key way hackers infiltrate networks: they attempt to trick individuals into clicking on malicious links or attachments, or into providing sensitive information in other ways, which allows the hacker to access a network. Area 1 Security noted that 90 percent of cyberattacks begin with a phishing email.
The security researchers at Area 1 Security noted that while the diversity of election systems and infrastructure across U.S. election jurisdictions would make it “impossible” for a nationwide hacking incident to occur, the low email security standards could easily lead to localized cyber incidents.
“The disparate approaches to cybersecurity by state, local and county officials is such that should a cybersecurity incident occur in one small town, whether in a ‘battleground state’ or not, even if statistically insignificant, could cause troubling ripple effects that erode confidence in results across the entire country,” the researchers wrote in the report.
The researchers urged election administrators to stop using personal email accounts and custom email infrastructure, and advocated for Congress to send further election security funds to help states bolster cybersecurity prior to the November general elections.
Congress appropriated $425 million to states for election security in December as part of the 2020 spending bills, and another $400 million as part of the CARES Act coronavirus stimulus bill in March. Many officials and voting rights advocates have argued that more funds are needed to allow states facing huge budget shortfalls due to the pandemic to hold safe and secure elections this year.
“States are in different stages of cybersecurity readiness,” the researchers wrote. “Most are not very close to be able to ensure a safe election and it is only going to be exacerbated the longer it takes for them to get the resources and expertise needed to make changes.”
Email phishing attacks targeting campaigns have already taken place during the 2020 election cycle.
Staffers on the 2020 presidential campaigns of both President Trump and former Vice President Joe Biden have been targeted by foreign hackers in recent weeks. An Iranian-linked threat group also reportedly targeted the Trump campaign and other groups by attacking Microsoft email accounts during a 30-day period last year.
In 2016, Russian agents hacked into Democratic National Committee networks and email accounts of staffers on the presidential campaign of former Secretary of State Hillary Clinton, stealing thousands of pages of sensitive emails.