Virtual Event Now Live: Zero Trust Strategies Summit! - Login for Access
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Report Highlights Cyber Risks to US Election Systems

Election systems in the U.S. are vulnerable to cyber intrusions similar to the one that hit federal agencies and numerous businesses last year and remain a potential target for foreign hacking, according to a report released Wednesday.

Election systems in the U.S. are vulnerable to cyber intrusions similar to the one that hit federal agencies and numerous businesses last year and remain a potential target for foreign hacking, according to a report released Wednesday.

The report by the Center for Internet Security, a nonprofit that partners with the federal government on election security initiatives, focuses on how hardware and software components can provide potential entryways for hackers.

“We have to continue to get better,” said Aaron Wilson, a co-author of the report. “We have to improve our defenses, as those that are on the other side are likely honing their attack strategy, as well.”

The 2020 election was deemed the “most secure” in history by a coalition of government cybersecurity experts and state and local election officials. There also is no indication that any election system was compromised as part of the hacking campaign that exploited an update of network management software from a company called SolarWinds. It was the largest cybersecurity breach of federal systems in U.S. history.

[RelatedResearchers See Risks in Online Vote System for 3 US States]

Despite that, election systems are vulnerable to the same risks exposed by the SolarWinds hack, the report said. It describes the risk of such an attack, in which hackers might infiltrate the hardware or software used in election equipment. Even if voting results aren’t affected, such an attack could lead to confusion and undermine confidence in U.S. elections.

The nation’s decentralized system of election administration means voting technology varies from state to state and even county to county, providing multiple ways for malicious actors to gain access. The systems generally rely on components from third-party suppliers or use commercial, off-the-shelf hardware. Most also use proprietary software that may not be subjected to rigorous security testing.

“It’s a complex mix of parts and suppliers, which creates very real supply chain risks,” said Eddie Perez, global director of technology development at the OSET Institute, a nonprofit election technology research corporation.

Advertisement. Scroll to continue reading.

The use of foreign suppliers for voting technology and related supply chain security has long been a concern. During a congressional hearing last year, executives with the three major voting machine vendors faced repeated questioning from lawmakers about the sources of the parts used to manufacture their voting machines, what steps they have taken to secure their products from tampering and what, if anything, can be done to use American-made parts.

The executives said the machines they manufacture include, to some extent, components from China but said using foreign suppliers isn’t unique to the voting equipment industry.

SolarWinds, a Texas company, was breached by suspected Russian hackers to deliver malware and gain access to networks of businesses and governments, including the U.S. departments of Commerce, Treasury and Justice as part of a large-scale cyberespionage campaign.

Brandon Wales, the acting director of the U.S. Cybersecurity and Infrastructure Security Agency, said recently there was “no evidence that any election systems were compromised” as part of the hack.

Election officials have spent years working to boost their cybersecurity defenses after it became clear in late 2017 that Russian hackers had scanned state and local voter registration systems in the run-up to the 2016 election — and penetrated a few. Tens of millions of dollars have been spent to educate and train state and local election officials, add security defenses such as firewalls, and conduct security reviews and testing.

Also Wednesday, the U.S. Election Assistance Commission approved the first update in 15 years to a series of voluntary guidelines used by most states to certify voting machines. The guidelines include several security improvements, including a recommendation for states to adopt a strategy to reduce supply chain risks.

Learn More at SecurityWeek’s Supply Chain Securty Summit March 10th

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Threat intelligence firm Intel 471 has appointed Mark Huebeler as its COO and CFO.

Omkhar Arasaratnam, former GM at OpenSSF, is LinkedIn's first Distinguised Security Engineer

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.