Aug 29, 2019

Dime-a-dozen ransomware attacks could mess with elections


State and city election boards have spent the better part of 3 years hardening their systems for a 2020 hacker invasion. Yet all that work may not be enough to keep out ransomware.

Driving the news: On Monday, Reuters was first to report that the Department of Homeland Security would begin helping elections officials prepare for ransomware attacks.

  • Ransomware typically locks users out of their own files until they pay a ransom. Across an election office's network, those files could range in sensitivity from trivial vacation schedules to essential voter data.

Background: DHS has been aiding local officials since 2016, trying to prevent a repeat of that year's election interference campaigns.

  • Voting machines often dominate the public conversations around election security. But DHS and localities have to take a much more holistic view of security. Russia did not attack voting machines in 2016, but it did conduct reconnaissance on accessing and altering voter registration databases.

The big question: Accessing and altering data is technically all that most ransomware does, and the criminals behind ransomware are at least notionally less sophisticated than the militaries and spies that states are gearing up to protect against. So why is ransomware still a problem for elections?

  • Many states have made defending against motivated, strategic actors their election security priority. But ransomware is deployed by opportunistic criminals, and fighting it can be more akin to fighting a force of chaos.

When Russia probed voter databases in 2016, it approached them through the easiest access point — vulnerabilities in web applications that connect to the database. So states concentrated on shoring up defenses around the web applications and databases, said Dylan Owen, senior manager for cyber services at Raytheon.

  • But less critical systems that access the secure database may not be as well protected.
  • Elections officials might be left with the time-consuming task of restoring dozens of office systems in their entirety in a ransomware attack. That could impair their ability to provide services, even if the ransomware never reaches the voter database.
  • "This is more about defending the [systems] that connect to those databases, in my mind," Joseph Lorenzo Hall, an election security expert serving as chief technologist of the Center for Democracy & Technology, speculated in an email.

What they're saying: Homeland Security describes both the databases and the systems retrieving data as potential concerns.

  • "Voter registration databases could be an attractive target for these attacks," said Christopher Krebs, who directs the cyber-focused wing of DHS, in a written statement. "A successful ransomware attack at a critical point before an election could limit access to information and has the potential to undermine public confidence in the election itself."

States have made strides in protecting voter databases, but not all states are entirely there yet.

  • "In a utopian world, that’s how the process would work," said Brian Varner, a researcher at Symantec who recently discovered at least one instance where the utopia never came to fruition.
  • Varner presented research at the DEF CON conference about a state that inadequately separated its elections computers and databases from other state systems. Hackers who infected one of those other systems could hypothetically work their way back to the election systems.
