With only three months left until U.S. voters head to the polls, most state and local election administrators are inadequately armed to fight off phishing tactics used by hackers intent on breaking into networks, a new report said.
States vary widely in their cybersecurity readiness, Area 1 Security found in its report, entitled "Phishing Election Administrators," for which it collected data on phishing vulnerabilities from more than 10,000 U.S. state and local election administrators. Inasmuch as hackers regularly use phishing emails to lure victims into activating malware, the quality of email protection used by organizations has an “inordinate bearing” on overall cybersecurity posture, the Redwood City, California-based anti-phishing specialist said.
Most state and local election administrators are “not very close to ensuring a safe election,” Oren Falkowitz, Area 1 Security co-founder, said. “This challenge is going to be exacerbated the longer it takes for them to get the resources and expertise needed to make changes,” he said. Falkowitz's background includes senior positions at the National Security Agency and the U.S. Cyber Command.
The study’s key findings suggest the need for more resources and planning to lock down election systems:
- 53% of state and local election administrators only have rudimentary or non-standard technologies to protect themselves from phishing.
- 28% of election administrators only have basic controls to prevent phishing.
- 19% of election administrators have implemented advanced anti-phishing cybersecurity controls.
- 5% of election administrators rely on personal email accounts or technologies designed for personal email to conduct their duties.
- The study also found a number of election administrators independently managing their own custom email, and in some cases using versions of Exim mail transfer software containing a vulnerability (CVE-2019-10149) exploited by the Russian-backed Sandworm crew.
Area 1 has offered state and local election administrators three recommendations to secure voting systems from phishing attacks.
- Discontinue using Exim email servers. While upgrading alone does not mitigate exploitation, administrators can update Exim Mail Transfer Agent software through their Linux distribution’s package manager or by downloading the latest version.
- Transition to cloud email infrastructure. Use a cloud-based email infrastructure such as Google’s GSuite or Microsoft’s Office 365 in combination with a cloud email security solution.
- Don’t use personal email technologies for election duties. Under no circumstances should election administrators use personal email for the conduct or administration of elections.
In June 2020, Area 1 landed $25 million in venture funding and appointed Patrick Sweeney as CEO. Sweeney previously led Talari Networks and was a senior executive at Dell and SonicWall.