Ransomware predicted to target U.S. 2020 election – and local governments are not pre

[harlan4096]

On December 12th, 2019, we warned that the risk of data exfiltration had elevated the ransomware threat to crisis level and called on governments to act immediately to improve their security. Since that time, data has been stolen from multiple organizations and published online. Those organizations include at least one government (the City of Pensacola), Allied Universal, Southwire, Medical Diagnostic Laboratories, Bird Construction, Artech, as well as law and accounting firms and multiple other businesses.

We now feel it necessary to issue a similar warning in relation to the threat ransomware presents to the 2020 election and again call on governments to act immediately to improve their security.

Ransomware a credible threat to 2020 election

As the 2020 U.S. election looms near, many fear that foreign interference may once again disrupt the electoral process and potentially impact the outcome of the presidential race.

In 2016, it was Russian hacking and disinformation campaigns. In 2020, we believe election interference may come in the form of a different type of cyberattack: ransomware.

The use of outdated operating systems by election jurisdictions, widespread disregard for cybersecurity practices among local governments and low levels of public faith in the integrity of the election system have created a near-perfect storm for ransomware attacks to both disrupt the election and undermine the public’s confidence in the result.

While many discussions about election security center on the integrity of voting machines and voter databases, there are other aspects of the electoral process besides the election systems themselves that are much more vulnerable to ransomware-style attacks.

Specifically, we believe threat actors could use ransomware to tamper with the 2020 election process by attacking county-level entities and lower-level election officials who may not have the resources to maintain robust anti-ransomware practices. Successful attacks on the systems used by election administrators could potentially disrupt local voting infrastructure, stifle access to information, leak voter data and ultimately undermine public trust in the election system during what is expected to be a highly contentious presidential race.

This is not a far-fetched scenario. According to our figures, U.S. local governments have fallen to ransomware at a rate of one every other day since the beginning of 2020.

This report examines the risk factors and implications of ransomware attacks on local governments in the lead-up to the 2020 presidential election.

Ransomware risk factors for 2020 U.S. election

Disregard for cybersecurity

Local authorities (typically an individual or a commission of elections) are usually tasked with administering the election for their local electorate. This is problematic given that local governments have proven to be vulnerable to ransomware. In our State of Ransomware report, we found that 113 state and municipal governments were affected by ransomware in 2019.

What makes local governments so susceptible to ransomware? Research suggests it’s largely a matter of money. A 2019 University of Maryland, Baltimore County (UMBC) report stated that “Governments are under constant or near-constant cyberattack, yet, on average, they practice cybersecurity poorly” and cited lack of funding as the underlying cause of four of the top five barriers to cybersecurity. Findings included:

* More than a quarter of local governments did not know how frequently they were attacked.
* Almost 60 percent of attacks were ransom-related.
* Less than half of local governments had a “very good” or “excellent” ability to recover from a ransomware attack.
* Fewer than half of respondents said that they cataloged or counted attacks.

Cybersecurity audits at the state-level are relatively rare, but the audits that are conducted often reveal severe deficiencies. For example, a report issued by the State Auditor of Mississippi in October 2019 found that many Mississippi government institutions were not complying with the Mississippi Enterprise Security Program, which is required by law. The report identified a number of issues, including:

* More than 15 percent of institutions did not have a security policy plan or disaster recovery plan in place.
* 30 percent had not conducted a security risk assessment in the last three years.
* 38 percent reported not encrypting sensitive information.

The auditor concluded by stating that “State government cybersecurity is a serious issue for

Mississippi taxpayers and citizens” and “Many state agencies are operating as if they are not required to comply with cybersecurity laws.”

The results of the survey described above show that Mississippians’ personal data may be at risk. Many state agencies are operating as if they are not required to comply with cybersecurity laws, and many refused to respond to auditors’ questions about their compliance.
– Shad White, State Auditor of Mississippi.

Variation in election administration

State officials are often leery of federal involvement in election administration procedures. The federal government leaves the running of elections to states and municipalities, which results in significant variation in how election systems are administered and protected against cybersecurity threats.

While there are some advantages to this – a decentralized design means there’s no central database or voting equipment that could be vulnerable to attack and allows for more innovation among jurisdictions – it also means there’s a general lack of oversight and auditing.

“The crossover between election security, disinformation, and local government cybersecurity in the U.S. presents numerous vulnerabilities for our democracy,” explain UMBC Research Assistant Laura Mateczun and UMBC Professor and Chair of Public Policy Donald F. Norris who, along with UMBC Center for Cybersecurity Director Anupam Joshi, cowrote the previously mentioned UMBC research paper. “Although elections systems operate under state law and regulation, they are administered at the local level in roughly 10,500 local voting jurisdictions. This means that the potential for cyber disruption is a huge concern.”

The inconsistent application of cybersecurity practices between counties and states has rendered some jurisdictions more vulnerable to ransomware attacks than others – and a few vulnerable entities is it all it would take to potentially undermine the election. In a close and polarizing race, a successful ransomware attack on even a few counties could be enough to create doubt and affect voters’ perception of the election’s legitimacy, even if the attack didn’t directly affect the voting system itself.

It should also be noted that ransomware attacks are no longer limited to single targets. In August 2019, threat actors launched a large-scale ransomware attack on 22 Texas towns and counties by exploiting software used by an MSP that provided products and services to the affected entities. A similar coordinated attack on multiple jurisdictions could interrupt the flow of information, create widespread confusion and disrupt the election process.

Use of outdated technology

According to the Cybersecurity and Infrastructure Security Agency (CISA), machines running outdated applications and operating systems are the target of most ransomware attacks.

* The vast majority of the 10,000+ election jurisdictions in the U.S. rely on Windows 7 or an older operating system to run the election, according to the results of an Associated Press analysis.

* As of July 2019, about 31 percent of federal civilian agency computers were still running on Windows 7, according to a CISA official, as reported by Federal Times.

Windows 7 reached the end of its product life cycle on January 14, meaning Microsoft will no longer provide security updates or support for devices running Windows 7. Known vulnerabilities will not be fixed, leaving Windows 7 users substantially more vulnerable to ransomware and other cybersecurity threats. About 98 percent of computers affected by the devastating WannaCry attack in 2017 were running Windows 7.

Microsoft will provide election officials with free security updates for voting systems running Windows 7 through 2020 to ensure election systems are secure. However, this offer only applies to federally certified voting systems. The thousands of other Windows 7 systems still in use in local government entities (due to funding and compatibility requirements of legacy applications) are not eligible for the free security updates and will remain vulnerable, which could indirectly affect the election. Microsoft is offering paid security updates for Windows 7 enterprise users for the next three years, but it is uncertain whether cash-strapped jurisdictions will pay for the updates.

“I’m the person who’s supposed to be defending against these nation-state actors. It’s not that we’re not up to the task. But there are certain things we are unable to defend against. When someone has unlimited resources, they have unlimited power to try to find vulnerabilities in the system.”
– Kammi Foote, Inyo County local election official, as quoted by Rolling Stone.

...

Continue Reading