Sep 10, 2019

Elections officials flub some basic security tasks

State elections officials struggle with some of the basics of office cybersecurity, according to a new report from cybersecurity auditor NormShield.

Why it matters: With the 2020 elections looming, there is a massive push to button down election cybersecurity.

Details: NormShield audited how state election authorities in all 50 states, D.C. and the territories handled common security tasks not related to the specialized equipment used in elections. NormShield only evaluates what it can see externally, without breaching a system.

  • NormShield uses letter grades to denote how skilled a hacker would have to be to exploit red flags they found. "A C grade means an average hacker could take advantage," said Bob Maley, chief security officer at NormShield and a former chief information security officer for the state of Pennsylvania. "You'd want to see A or B grades for elections boards."
  • In a July scan, by the NormShield metrics, an average hacker would be able to breach 27 states' systems. States had particular trouble with keeping patches up to date — nearly averaging the lowest possible grade in tests — and in preventing stolen credentials from showing up on the dark web, although states by and large performed well in other areas of testing.
  • NormShield informed states of what it found, giving them a chance to mitigate vulnerabilities, and performed a new scan in August. In the follow-up scan, states performed dramatically better, though 13 states would still be vulnerable to an average hacker.

The reason the patch management grades suffered: Election boards' web servers use older operating systems and programs that are at or near their end of life.

  • A hacked website may not sound as critical as a hacked voting machine, but it could create confusion about voting locations, times and procedures.
  • In July, 4 states used Windows Server 2003, which Microsoft ceased releasing security patches for in 2015; 4 states used a version of the Apache web server that hasn't been patched since 2017; and 9 states used unsupported versions of the NGINX web server.

Leaked credentials can be a problem, Maley said, even if they don't provide access to official accounts. Election officials shouldn't be using their official email addresses to sign up for personal online accounts.

  • "I actually saw leaked credentials from one state's CISO," said Maley.

Go deeper

$250M for election security is a fraction of what's needed

Last week, Senate Majority Leader Mitch McConnell offered his support for a $250 million election security fund. By experts' estimates, that's only around 10% of what states will need between now and 2024 in order to protect elections from security threats.

The big picture: The County Commissioners Association of Pennsylvania says it will cost $125 million to replace unsecure voting machines in its state alone, meaning half the new funds could be spent on one small aspect of election security in just one state.

Go deeper (Sep 26, 2019)

With Bolton gone, White House cybersecurity strategy may change

With the ouster of national security adviser John Bolton this week, the White House loses a key cog in its cybersecurity and cyber warfare machine.

The big picture: Bolton was a hawkish national security adviser at a time when the Department of Defense was taking a more hawkish approach to cybersecurity. He also eliminated the position of White House cybersecurity coordinator, giving himself more control.

Go deeper (Sep 12, 2019)

Mitch McConnell backs $250 million election security deal

Senate Majority Leader Mitch McConnell on Thursday announced his support to appropriate $250 million for election security.

The big picture: Despite bipartisan and Democrat-led bills crossing his desk, McConnell has regularly thwarted election security legislation. Per McConnell, the cash influx "will bring our total allocation for election security to more than $600 million since fiscal 2018."

Go deeper (Sep 19, 2019)