The Washington Post

The Cybersecurity 202: Swing state election websites aren’t secure against Russian hacking, McAfee says

with Tonya Riley


County election websites in two battleground states are highly vulnerable to hacking by Russia or another adversary that might seek to disrupt the 2020 vote by misleading voters about polling locations or spreading other false information. 

About 55 percent of county election websites in Wisconsin and about 45 percent in Michigan, both states that President Trump flipped from Democratic to Republican in 2016, lack a key and fairly standard security protection, according to data provided exclusively to me by the cybersecurity firm McAfee.

Without this protection, called HTTPS, it’s far easier for an adversary to hijack those sites to deliver false information, divert voters to phony sites that mimic the real ones or steal voters’ information, per McAfee. (You can often tell if a site has HTTPS protection if there's a small lock icon to the left of a Web address.) 

The repercussions could be huge if Russia or another country decided to manipulate sites in key counties to send voters to the wrong polling places or to send them at the wrong times. They could even flood people seeking voting information with malicious software so they spend much of Election Day getting their phones and laptops fixed and have less time to actually go vote.

In states with incredibly tight margins of victory in the last presidential election, a hacker who prevented just a few thousand people from voting in one of them in 2020 could swing an election or create broad doubt about the results. 

“If I use this type of attack and send people driving halfway across town, you don't need to do that to a lot of people ... to make a difference,” McAfee Chief Technology Officer Steve Grobman told me.

The threat is particularly dangerous because it would be far easier to manipulate dozens of underprotected websites than to hack a single voting machine, which typically requires physical access.

“The barrier to be able to tamper with the election becomes quite low because almost anybody can do it,” Grobman said. “I worry about this scenario actually more than the voting machines, because … to do an attack like this where you’re tampering with the election by suppressing the vote, that’s very easy to conduct at scale.”

The vast majority of those sites also don’t have .gov Web addresses, which means the federal government hasn’t vetted them and there's no clear indication for voters that information on them comes from a government agency. Just 11 percent of Michigan county election sites and 21 percent of Wisconsin sites have .gov addresses, McAfee found.

County election sites in Florida, another swing state, are almost entirely protected by HTTPS, but only one county out of 67 has a .gov address.

The information McAfee gave me focused just on the three swing states, but there's reason to believe the problem is far more widespread. McAfee conducted a similar survey focused on all county websites across 20 states before the 2018 midterms and found a majority of sites in most of those states lacked both HTTPS and .gov protections. Sites in some were almost entirely unprotected by HTTPS, including West Virginia, where 92 percent of counties lacked the protection, and Texas, where 91 percent lacked it.

The lack of protections is especially galling because converting to HTTPS and .gov is far easier and cheaper than most of the election security upgrades that officials and lawmakers have focused on for the past three years, such as replacing voting machines that are more than a decade old or converting to paper ballots.

“There are a lot of very difficult things to do to strengthen our election security, but getting [HTTPS] installed on the Web servers that the election boards run is not that much work,” Grobman told me. “We're a good 25 years into the Internet and this is the most basic form of Web hygiene. The fact that we're not using HTTPS for the preponderance of these websites that are all about telling you where to vote, that's a big problem.”


PINGED: The Homeland Security Department is floating proposed legislation to the Senate that would grant it subpoena power to force Internet companies to share the identities of large energy firms and manufacturing plants with vulnerable digital systems, Charlie Mitchell at Inside Cybersecurity reports. The proposal is aimed at making it easier for DHS to alert those companies before a hack that causes massive financial consequences or even physical damage.

Privacy advocates have expressed concerns the agency will use the powers to snoop on companies, as I previously reported.

The Senate Homeland Security Committee, meanwhile, is working on a bill that “will likely differ from the administration's proposal,” and aiming for “broad, bipartisan support,” a committee aide tells me. 

PATCHED: Sen. Ron Wyden (D-Ore.) is asking top Pentagon officials to conduct an audit to make sure mobile voting app Voatz is safe from hacking before U.S. troops stationed abroad use it to vote in the 2020 elections. Cybersecurity experts routinely warn that voting by mobile phone is far more vulnerable to hacking than in-person voting. 

“I also urge you to publicize the results of this audit so that state and local officials can make more informed decisions,” Wyden wrote in a letter to Defense Secretary Mark T. Esper and National Security Agency Director Paul M. Nakasone.

Voatz says that independent experts audit its app for vulnerabilities, but it has yet to publish those audits or say who conducts them.

“This level of secrecy hardly inspires confidence,” Wyden writes.

The FBI announced last month that it is investigating an attempted hack of Voatz while it was used by overseas and military voters during the 2018 midterms in West Virginia. The hack was likely tied to a student research effort rather than criminal or nation-state hackers, Kevin Collier at CNN reported.

PWNED: U.S. Chief Technology Officer Michael Kratsios called out Huawei in his first international speech yesterday, slamming the company for allegedly serving as a vehicle for Chinese spying and authoritarianism. 

“The [Chinese] government continues extending its authoritarianism abroad — and in no case is this more clear than with Huawei,” Kratsios said at the Lisbon Web Summit. 

Kratsios repeated news reports that Huawei transferred data from the headquarters of the African Union to servers in China as an example of the “disturbing espionage” the company facilitates.

He also echoed other Trump administration calls for European allies to cooperate in banning Huawei from next-generation 5G networks, arguing that Chinese leadership of technology will “not only undermine the freedoms of their own citizens, but all citizens of the world.” 

Huawei, which has steadfastly denied assisting Chinese spying, shot back, calling Kratsios's allegations “hypocritical and manifestly false.” 

“What the U.S. current administration is doing is an insult to European core values, and will result in slowing down Europe in its ambition to become a global hub of innovation,” the company wrote in a statement.


— Cybersecurity news from the public sector:

This New York Company Claimed Its Government Surveillance Tools Were ‘Made In The U.S.A.’—They Were Really Chinese Spy Tech, DOJ Says (Forbes)

ICE refuses to turn over internal documents on facial recognition tech and detention tactics, lawsuit says (Taylor Telford)

The financial industry just finished its annual 'doomsday' cybersecurity exercise — here's what they imagined would happen (CNBC)


— Amazon's Internet-connected doorbell Ring had a security vulnerability that allowed hackers to access users' WiFi network passwords and conduct broader surveillance on them, Zack Whittaker at TechCrunch reports.

Amazon fixed the vulnerability in September, but it was disclosed only yesterday. (Amazon CEO Jeff Bezos owns The Washington Post.)

Hackers would have needed to be in close proximity to the user's WiFi network to intercept any information, but the vulnerability still highlights the significant risks that unsecured Internet-connected devices can pose. Other home devices including Google Nest have been flagged for vulnerabilities in the past.

— More cybersecurity news from the private sector:

Capital One replaces security chief after data breach (TechCrunch)

Why Many People Got Mysterious Valentine’s Day Texts Today (Wired)

'Chronicle Is Dead and Google Killed It' (Vice)


— Cybersecurity news from abroad:

'Revenge porn' victim fights back with Mexican law to stem digital violence (Reuters)


Joe Kiniry, a data scientist focused on securing elections at the government contractor Galois, has a big idea for how to ensure the integrity of the 2020 contest: a nationwide risk-limiting audit.

Risk-limiting audits get less attention than other election protections such as paper ballots and cybersecurity scans, but election security experts say they’re just as important. The general idea is that auditors compare digital vote records with paper records for a percentage of ballots in every race based on how close the vote was.

If they find any mismatches, then they keep counting until they’re either confident those mismatches were flukes or until they’ve hand-counted the entire election.

Here’s more from Kiniry:

University of California at Berkeley Associate Dean Philip Stark was skeptical a nationwide audit was feasible, though.


— Coming up:

  • New York University’s Center for Cybersecurity, the Journal of National Security Law & Policy, and Third Way New York University will host an event titled “Catching the Cybercriminal: Reforming Global Law Enforcement” on November 18 at 10 a.m.