Interview: Len Shneyder, Co-Chair, Election Security Working Group, M3AAWG

The information security implications surrounding electoral processes has been a major area of discussion across the infosec industry in recent years. Various reports and incidents have brought to light the significant cyber-risks that threaten elections and given rise to widespread fears that election infrastructures are in danger of exploitation by cyber-attackers who seek to target and influence voting data.

As a result, the industry has turned its sights to bolstering the cybersecurity mechanics of electoral processes, particularly with key elections taking place around the world this year.

Len Shneyder is co-chair of the election security working group at the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) where industry comes together to work against botnets, malware, spam, viruses, DoS attacks and other online exploitation to fight online abuse.

Infosecurity met with Shneyder to learn more about the cybersecurity risks that are currently threatening electoral processes, how elections can be targeted by attackers and gain his unique insight on what must be done to ensure the safety of voting procedures across the globe.

How and why have security risks around elections evolved in recent years?

The election system has undergone a digital transformation similarly to how much of the private sector has embraced digital transformation. As systems and processes move to digital platforms, new risk factors can and are introduced. However, the US elections are particularly robust because of their non-homogeneity. US elections are conducted at the state and county level, creating a much broader attack surface. The same isn’t true in other parts of the world. US elections are somewhat insulated because of the numerous companies behind the machines and non-standard processes they follow. Today’s electoral systems are not the only ones under attack; the entire process of learning about and engaging in political discourse is threatened by the proliferation of fake news, bot accounts spreading misinformation through social media, account takeovers, hacking and phishing of email and all of the other threats that have been by-products of the internet’s growth and proliferation into nearly every aspect of our daily lives. Running an election isn’t just a matter of casting and recording a ballot – it’s everything that surrounds the election that is also at risk. 

What are the main cyber-risks that currently threaten the security of elections?

If we put the voting systems and machines aside as a discrete and unique element in the election process, we then can look at elections as leveraging the same tools that businesses use during the course of normal operations. Election officials use email as individuals, in an official capacity and as part of how systems operate and people engage with one another. Email phishing is a social engineering attack that really hacks the person more than the physical attack. The notion that someone is deploying a complex algorithm to undermine a strong password, or exploiting a system’s backdoor, is the stuff of Hollywood. Hacking people and convincing them that they’re communicating with someone they know, or think they know, is far simpler and significantly more effective. Thus decreasing the likelihood of elections officials or government actors from having their emails compromised and exploited is key to securing an election. 

How do cyber-attackers target electoral processes for malicious gain?

One of the common refrains is that it’s not necessary to hack an election in order to sway it. Quite the contrary, the mere suggestion of impropriety is enough to inject fear and doubt as to the legitimacy of an election. Misinformation rises to the top as a highly exploitable way to affect the electoral process – the question of gain is interesting because it depends on who is doing the exploiting. Generally speaking, election interference is the bailiwick of nation-state actors, thus the gain is generating chaos and who knows what else.

What must be done to improve the security of electoral processes?

Since election officials use many of the same tools you and I do in our personal and business lives, we have to approach security in terms of addressing the big 98% of the attack surface. M3AAWG just outlined some advice for election officials (most of whom are not cybersecurity experts) to consider.

Ensure that you use multi-factor authentication (MFA) for all of your accounts, devices and anything else that is mission critical – but why stop there? Even if it isn’t mission critical, secure it. MFA has been proven to be 99% effective at thwarting bad actors from compromising user accounts. 

Secure email communications by employing email authentication standards such as SPF, DKIM and DMARC at enforcement, and ensuring that email in transit is sent with STARTTLS enabled. Email authentication standards have evolved over the last 15 years – by applying these standards to outbound communications, legitimate senders can decrease the likelihood that someone can spoof their domains, brands, etc.

Email has proven to be the primary attack vector in a vast majority of the large scale data breaches we read about day in and day out. Securing it is crucial to maintaining trust in our digital communications and protecting sensitive data. 

Use good judgement. If it sounds at all off then confirm and reconfirm using other channels. We’re all working at a million miles an hour, making quick work of our inbox is how most of us get through the day. If an email asking for things out-of-bound raises even the smallest amount of uncertainty then call the sender and ask them on the phone if that is what they really meant. Understanding that the threat is real and that identities can be faked or stolen should give us all a reason to slow down and more thoroughly assess what others are asking of us through digital methods, and the actions we take in response to them.

Infosecurity Magazine will be further exploring the security issues surrounding elections on Day Two of the Online Summit, taking place Thursday 26 March. Find out more and register here

What’s Hot on Infosecurity Magazine?