SecurityWeek

Report Highlights Cyber Risks to US Election Systems

Election systems in the U.S. are vulnerable to cyber intrusions similar to the one that hit federal agencies and numerous businesses last year and remain a potential target for foreign hacking, according to a report released Wednesday.

The report by the Center for Internet Security, a nonprofit that partners with the federal government on election security initiatives, focuses on how hardware and software components can provide potential entryways for hackers.

“We have to continue to get better,” said Aaron Wilson, a co-author of the report. “We have to improve our defenses, as those that are on the other side are likely honing their attack strategy, as well.”

The 2020 election was deemed the “most secure” in history by a coalition of government cybersecurity experts and state and local election officials. There also is no indication that any election system was compromised as part of the hacking campaign that exploited an update of network management software from a company called SolarWinds. It was the largest cybersecurity breach of federal systems in U.S. history.

Despite that, election systems are vulnerable to the same risks exposed by the SolarWinds hack, the report said. It describes the risk of such an attack, in which hackers might infiltrate the hardware or software used in election equipment. Even if voting results aren’t affected, such an attack could lead to confusion and undermine confidence in U.S. elections.

The nation’s decentralized system of election administration means voting technology varies from state to state and even county to county, providing multiple ways for malicious actors to gain access. The systems generally rely on components from third-party suppliers or use commercial, off-the-shelf hardware. Most also use proprietary software that may not be subjected to rigorous security testing.

“It’s a complex mix of parts and suppliers, which creates very real supply chain risks,” said Eddie Perez, global director of technology development at the OSET Institute, a nonprofit election technology research corporation.

The use of foreign suppliers for voting technology and related supply chain security has long been a concern. During a congressional hearing last year, executives with the three major voting machine vendors faced repeated questioning from lawmakers about the sources of the parts used to manufacture their voting machines, what steps they have taken to secure their products from tampering and what, if anything, can be done to use American-made parts.

The executives said the machines they manufacture include, to some extent, components from China but said using foreign suppliers isn’t unique to the voting equipment industry.

SolarWinds, a Texas company, was breached by suspected Russian hackers to deliver malware and gain access to networks of businesses and governments, including the U.S. departments of Commerce, Treasury and Justice as part of a large-scale cyberespionage campaign.

Brandon Wales, the acting director of the U.S. Cybersecurity and Infrastructure Security Agency, said recently there was “no evidence that any election systems were compromised” as part of the hack.

Election officials have spent years working to boost their cybersecurity defenses after it became clear in late 2017 that Russian hackers had scanned state and local voter registration systems in the run-up to the 2016 election — and penetrated a few. Tens of millions of dollars have been spent to educate and train state and local election officials, add security defenses such as firewalls, and conduct security reviews and testing.

Also Wednesday, the U.S. Election Assistance Commission approved the first update in 15 years to a series of voluntary guidelines used by most states to certify voting machines. The guidelines include several security improvements, including a recommendation for states to adopt a strategy to reduce supply chain risks.
