Secure the Vote — Emailing Ballots and the Risk involved
In 2020, election security will be the most significant topic of discussion leading up to the 2020 Presidential election. All over the United States election offices, government officials, researchers, observers, activists, political campaigns, and voting vendors will all be scrutinized for any sign that our electoral integrity could be at risk. Throughout all this scrutiny, there is one method of ballot delivery that is commonly overlooked and oft not discussed when recommendations are made to increase security in our elections. The technique I want to bring attention to is the use of email for the electronic transmission of ballots for UOCAVA (Uniformed and Overseas Citizens Absentee Voting Act[1]) voters.
For information on the size and scale of the number of US citizens using email as a method of ballot transmission, we looked into the 2016 Presidential Election as a guide for how many US citizens vote using this method. In our research, we found that of the approximate 930,156 votes that were transmitted to UOCAVA voters in 2016, approximately 399,932 of these votes were transmitted and received via email[2]. In the United States, there are 24 states (Plus the District of Columbia) that allow for the electronic transmission of ballots to voters residing overseas[3].
In these states, the conventional method used for transmitting ballots over email is a PDF ballot sent along with a waiver form that a voter must sign to permit that their right to a secret ballot is waived. This email is sent from a computer within the election office to a UOCAVA voter who has been approved to vote via the FPCA (Federal Post Card Application[4]). The voter then prints out, scans, and returns both the waiver and the ballot back to the email address provided by the election office. This method is used by almost all election offices that offer email as a method of electronic ballot transmission.
Email is the most used digital communication in the world. In 2020 it is projected that over 4 billion people will actively use email as a form of communication. The technology itself is incredibly useful and is widely seen as the first killer app of the internet age. Still, we must talk about the same problems that the average citizen and the business community face every single day. Email is still the number one way that a hacker can attempt to get access to your entire digital life. In businesses, attacks to an employee’s email via phishing represent more than 70% of the attacks the average business faces[5]. These same problems apply to election administrators sending ballots and to the voters receiving them as well.
Election administrators and the voters share a unique relationship that is not seen anywhere else in society. There is a distinct trust that is placed between the two that the person who is sending a ballot, whether physically or digitally, is the official they say they are and vice versa to the voter. When this relationship is compromised it violates the premise that the system is trusted and private. When hackers attempt to violate this premise, they typically have one of three goals in doing so: a rogue activist trying to gain support or attention to their cause by disrupting your activity, a black hat hacker who is trying to gain control over your systems for financial benefit, or lastly the nation-state hackers who are employed by their country to gain access and either create chaos for media attention or attempt to get information for intelligence operations.
These hackers typically will attempt to use the following types of attacks, all of which can be used on either the election office or on an individual voter (This list is not exhaustive, these are the top threats for a potential attack to a voter or election office):
- Phishing – This method attempts to gather your personal information by using deceptive emails and websites[6]. An example of this is an email from a fake official asking you to send them your voted ballot or an individual attempting to impersonate the government. This is the most common way a hacker may try to get your information.
- Man in the Middle attacks – This is an attack method where the attacker secretly relays and possibly alters the communications between two parties who believe they are directly communicating with each other[7]. An example of this is the use of things like one-time codes for logging into a website or sending confidential information over emails, such as wire transfers or ballots. This method requires more sophistication and is commonly used in conjunction with other forms of attacks listed here.
- Sim Swapping – This method, also commonly called simjacking, is a type of takeover where an attacker exploits the use of two-factor authentication and two-step verification where the second factor is sent via a text or call to a mobile device. An example of this is when an attacker attempts to intercept a one-time pin to reset a password for a user’s account[8]. This method requires a user to use one or more of the other methods listed here to gain enough information to discover a user’s phone number.
- Malware – Short for “malicious software,” this method relies on using fake websites, infected USBs, external links, and downloads via email attachments. When malware has successfully infiltrated a user’s device, the typical results would be things like cryptojacking[9], the corruption of data, the theft of credentials and accounts, and keylogging[10]. The goal of malware is typically to either disrupt the user or to gain finances from you. An excellent example of this is the famous “Trojan virus,” which is a program designed to look like an application or file you intended to download but is actually a secret program designed to execute malicious functions. This is most commonly used in conjunction with a phishing attack.
All of the previous attack methods can be used in conjunction with each other to disrupt the election office or voter. A few suggestions and recommendations can be made to the election office and the voter to mitigate these issues so as not to cause any suspicion of impropriety and to decrease the likelihood that votes would be compromised.
- Election offices should first start by taking a self-assessment on the health of their election security. The National Association of Election Officials has a checklist that should give most election offices the opportunity for them to find and mitigate most issues that would allow for some of these attacks to occur[11].
- Election offices should be encouraged to share tips and tricks to UOCAVA voters and post information that would encourage voters to use best practices in securing their email (such as encouraging strong passwords, enabling two factor authentication, not allowing for the use of one-time pins or using an alternate email address for creating accounts)[12].
- Election offices should be encouraged to use a mailed ballot when possible but also pursue other technologies such as a secured ballot return like Colorado or to examine pilots like the ones used in West Virginia or Utah for alternatives to email.
- Election offices and Voters should actively educate themselves on how to secure their email and better understand what items like phishing or malware are, how to identify it, and ways to report it.
Background
The National Cybersecurity Center (NCC) is helping secure the world using knowledge, partnerships, and education to solve global cybersecurity challenges and develop a protected cyber ecosystem. In 2016, recognizing the growing threat of cyber-attacks on government agencies and businesses, the Colorado legislature passed House Bill 16-1453, which led to the creation of the NCC. Incorporated as a 501(c)3, the NCC is located in Colorado Springs, Colorado.
As a leader in cybersecurity, the NCC provides cybersecurity training and a cybersecurity community for public officials, higher education, business executives, and the workforce. The NCC also manages and operates research projects and initiatives, including Secure the Vote, which aims to secure elections, the Space ISAC which provides a forum for sharing cyber threats in the space industry, and a Student Alliance, which is preparing the cybersecurity workforce of the future.
[1] https://www.fvap.gov/info/laws/uocava
[2] https://www.fvap.gov/uploads/FVAP/Reports/PEVS_EAVS_TechReport_Final.pdf
[3] https://www.ncsl.org/research/elections-and-campaigns/internet-voting.aspx
[4] https://www.fvap.gov/guide/chapter2
[5] https://www.cpomagazine.com/cyber-security/personal-email-security-guide/
[6] https://www.csoonline.com/article/2117843/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent-it.html
[7] https://krebsonsecurity.com/2019/07/the-unsexy-threat-to-election-security/
[8] https://krebsonsecurity.com/2019/07/the-unsexy-threat-to-election-security/
[9] https://www.csoonline.com/article/3253572/what-is-cryptojacking-how-to-prevent-detect-and-recover-from-it.html
[10] https://securelist.com/keyloggers-how-they-work-and-how-to-detect-them-part-1/36138/
[11] https://www.electioncenter.org/election-security-infrastructure-elections-security-checklist.html
[12] https://www.cpomagazine.com/cyber-security/personal-email-security-guide/