With the Presidential Election only days away, the question remains: Will the election be hacked? In this case, a cyber breach can lead to two major issues. The first is stolen data of registered voters; the second issue and perhaps the more frightening one – manipulation of the election results.
FBI Director James Comey spoke at the Intelligence and National Security Summit in September 2016, noting, “The beauty of the American voting system is that it is dispersed among the 50 states, and it is clunky as heck. A lot of people have found that challenging over the years, but the beauty of that is it’s not exactly a swift part of the 'Internet of Things,' and so it is hard for an actor to reach our voting process.’’ Comey went on to say, “There is no centralized computer system or technology tabulating votes. Much of the vote-counting is still done by people, not machines.”
Experts have noted that in some jurisdictions, local rules allow election results to be transferred to central tally sites via Wi-Fi instead of in-person delivery on a thumb drive. The non-profit, non-partisan California Voter Foundation, which promotes responsible technology use in elections, has pointed out that some jurisdictions simply use outdated machines.
As of a month ago, 33 states approached the Department of Homeland Security for cyber risk and vulnerability assessments. That’s somewhat encouraging.
There are several takeaways from this information that can be applied to cyber security in any organization:
There is no centralized computer or security system for the election process – Having a centralized system allows security experts to track equipment assets (computers and devices), deploy security measures and patches and backup information. When it is decentralized, there is little to no control over hardware and data.
Depending on the jurisdiction, outdated equipment and security systems are being used – Generally, once hardware or software reaches “end of life,” the manufacturer stops releasing security updates and patches for the system. For example, organizations still using Windows XP computers are more susceptible to a breach since Microsoft ended support of the product in April 2014. Organizations should ensure that their systems are patched on a consistent basis to limit vulnerabilities.
There is no defined data security process in place – Some jurisdictions are delivering voting result data over Wi-Fi and some by hand. The lack of a well-defined, centralized process can lead to mismanagement and, ultimately, lost data.
Data/Network segregation is actually a good thing – Some voting jurisdictions are still utilizing paper ballots. While this certainly has it downsides, paper records are not part of the IoT (Internet of Things) which essentially makes them unhackable. Organizations can utilize a similar tactic by segregating their networks or data. Payment Card Information (PCI) should not be transmitted over the same network as corporate data. In addition, some organizations may utilize a hybrid cloud approach where critically confidential information is only hosted on the local network and never in the cloud. Less sensitive data is stored and shared in the cloud.
While it seems the Presidential Election is too discombobulated to be hacked at the national level, it is certainly vulnerable at the local level. Organizations should use this information to bolster their own security processes and procedures to limit their vulnerability to a cyber attack.
Click here to request more information about The ALS Group or on limiting your cyber risk exposure.