Insight by Recorded Future

3 ways ransomware could threaten election infrastructure

This content is provided by Recorded Future.

As the country careens headlong into the most chaotic election season in recent history, cybersecurity specialists are raising the alarm about potential threats. Topmost among these are ransomware attacks, designed to hold critical networks hostage for payment, which have been rising in frequency at the levels of state and local government over the past several years. Because state and local governments control election infrastructure, that may well be the next target of opportunity for cyber criminals and adversarial nation states.

“You have the combination of sensitive infrastructure that is already being heavily targeted and ransomware actors who are getting a lot smarter about the timing of their attacks,” said Allan Liska, Solutions Architect at Recorded Future.

Liska said there have been 356 reported ransomware attacks against state and local government since 2013. But 110 of those occurred in 2019, and 2020 has already seen 95. That kind of escalation is troublesome, Liska said, especially as the attacks themselves evolve.

Originally, ransomware attacks only sought to encrypt files across as many machines as possible on a network. Pay enough money, you get the files back. But now they’ve moved to what Liska called a double extortion model: they also steal files, and threaten to publish sensitive data on their extortion sites unless you pay the ransomware actors to delete the stolen data.

So it’s not hard to imagine the kind of trouble cyber criminals or adversarial nation states could get up to around election infrastructure. Liska specifically outlined three areas of attack.

“The first and most obvious one is ransomware attacks against voter registration databases. If a ransomware actor times an attack very well, that can disrupt the distribution of mail-in voting, because states or counties need to query the voter registration database to send mail-in ballots,” he said. “You could also disrupt the ability of people to vote in person if you encrypt that voter registration database a week or a few days before an election when the state or the counties are getting ready to distribute voter registration information to the local precincts.”

This is the most likely scenario, and also most likely to threaten the public’s confidence in the election’s results. But a ransomware attack could also hit the poll books, which are electronic in 41 states. Most of the time, those are iPads, which aren’t themselves vulnerable. But the database they update from is, and an attack on it could prevent the iPads from updating their information, which in turn could keep poll workers from doing their jobs.

The same thing could occur with the results database on the day of the election or the day after, in order to prevent the results from being tabulated or shared on time.

But that’s not even the biggest concern around each of these scenarios for state and local election officials.

“What they’re much, much more worried about is even if a ransomware attack is unsuccessful, a disinformation campaign could result from the attempted attack,” Liska said. “For example, if a ransomware actor is able to encrypt the results database, but the state is able to quickly restore from backup and continue publishing results, that is not going to stop a malicious actor from using that information to launch a disinformation campaign about how voters can’t trust the results from state or county because of the ransomware attack.”

At their most basic level, elections rely on transparency around the methods and results. If that transparency is damaged, trust in the election itself is damaged.

So what’s the good news?

Honestly, there isn’t much. For one thing, ransomware actors have been in position to conduct these kinds of operations against our elections before, and they didn’t do it. If that happens again, that might be the best scenario.

But the Cybersecurity and Infrastructure Security Agency is also working with state and local governments, offering assistance to help secure their elections infrastructure.

“What we have to hope is that the additional monitoring and infrastructure that CISA and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) have offered to state and local governments as well as the additional security measures that these localities have put in place since the 2016 election is going to be enough to detect ransomware attacks. Right now, so many state and local governments can’t afford to do anything else, because of COVID-19,” Liska said. “Budgets have been slashed; often that includes IT and security budgets and personnel. There isn’t a sudden influx of cash readily available for most of these state and local governments to be able to implement new security features, and, with less than 30 days until the election, even if the money was readily available there isn’t time.”
