Secure the Vote — Emailing Ballots and the Risk involved
In 2020, election security will be the most significant topic of discussion leading up to the 2020 Presidential election. All over the United States election offices, government officials, researchers, observers, activists, political campaigns, and voting vendors will all be scrutinized for any sign that our electoral integrity could be at risk. Throughout all this scrutiny, there is one method of ballot delivery that is commonly overlooked and oft not discussed when recommendations are made to increase security in our elections. The technique I want to bring attention to is the use of email for the electronic transmission of ballots for UOCAVA (Uniformed and Overseas Citizens Absentee Voting Act[1]) voters.
For information on the size and scale of the number of US citizens using email as a method of ballot transmission, we looked into the 2016 Presidential Election as a guide for how many US citizens vote using this method. In our research, we found that of the approximate 930,156 votes that were transmitted to UOCAVA voters in 2016, approximately 399,932 of these votes were transmitted and received via email[2]. In the United States, there are 24 states (Plus the District of Columbia) that allow for the electronic transmission of ballots to voters residing overseas[3].
In these states, the conventional method used for transmitting ballots over email is a PDF ballot sent along with a waiver form that a voter must sign to permit that their right to a secret ballot is waived. This email is sent from a computer within the election office to a UOCAVA voter who has been approved to vote via the FPCA (Federal Post Card Application[4]). The voter then prints out, scans, and returns both the waiver and the ballot back to the email address provided by the election office. This method is used by almost all election offices that offer email as a method of electronic ballot transmission.
Email is the most used digital communication in the world. In 2020 it is projected that over 4 billion people will actively use email as a form of communication. The technology itself is incredibly useful and is widely seen as the first killer app of the internet age. Still, we must talk about the same problems that the average citizen and the business community face every single day. Email is still the number one way that a hacker can attempt to get access to your entire digital life. In businesses, attacks to an employee’s email via phishing represent more than 70% of the attacks the average business faces[5]. These same problems apply to election administrators sending ballots and to the voters receiving them as well.
Election administrators and the voters share a unique relationship that is not seen anywhere else in society. There is a distinct trust that is placed between the two that the person who is sending a ballot, whether physically or digitally, is the official they say they are and vice versa to the voter. When this relationship is compromised it violates the premise that the system is trusted and private. When hackers attempt to violate this premise, they typically have one of three goals in doing so: a rogue activist trying to gain support or attention to their cause by disrupting your activity, a black hat hacker who is trying to gain control over your systems for financial benefit, or lastly the nation-state hackers who are employed by their country to gain access and either create chaos for media attention or attempt to get information for intelligence operations.
These hackers typically will attempt to use the following types of attacks, all of which can be used on either the election office or on an individual voter (This list is not exhaustive, these are the top threats for a potential attack to a voter or election office):
All of the previous attack methods can be used in conjunction with each other to disrupt the election office or voter. A few suggestions and recommendations can be made to the election office and the voter to mitigate these issues so as not to cause any suspicion of impropriety and to decrease the likelihood that votes would be compromised.
Background
The National Cybersecurity Center (NCC) is helping secure the world using knowledge, partnerships, and education to solve global cybersecurity challenges and develop a protected cyber ecosystem. In 2016, recognizing the growing threat of cyber-attacks on government agencies and businesses, the Colorado legislature passed House Bill 16-1453, which led to the creation of the NCC. Incorporated as a 501(c)3, the NCC is located in Colorado Springs, Colorado.
As a leader in cybersecurity, the NCC provides cybersecurity training and a cybersecurity community for public officials, higher education, business executives, and the workforce. The NCC also manages and operates research projects and initiatives, including Secure the Vote, which aims to secure elections, the Space ISAC which provides a forum for sharing cyber threats in the space industry, and a Student Alliance, which is preparing the cybersecurity workforce of the future.
[1] https://www.fvap.gov/info/laws/uocava
[2] https://www.fvap.gov/uploads/FVAP/Reports/PEVS_EAVS_TechReport_Final.pdf
[3] https://www.ncsl.org/research/elections-and-campaigns/internet-voting.aspx
[4] https://www.fvap.gov/guide/chapter2
[5] https://www.cpomagazine.com/cyber-security/personal-email-security-guide/
[6] https://www.csoonline.com/article/2117843/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent-it.html
[7] https://krebsonsecurity.com/2019/07/the-unsexy-threat-to-election-security/
[8] https://krebsonsecurity.com/2019/07/the-unsexy-threat-to-election-security/
[9] https://www.csoonline.com/article/3253572/what-is-cryptojacking-how-to-prevent-detect-and-recover-from-it.html
[10] https://securelist.com/keyloggers-how-they-work-and-how-to-detect-them-part-1/36138/
[11] https://www.electioncenter.org/election-security-infrastructure-elections-security-checklist.html
[12] https://www.cpomagazine.com/cyber-security/personal-email-security-guide/
Colorado Springs, CO–The National Cybersecurity Center (NCC), a nonprofit offering a range of cybersecurity resources,…
In July 2024, a routine software update brought global systems to a halt. A bug…
COLORADO SPRINGS, CO — The National Cybersecurity Center (NCC) is thrilled to announce a generous…
Saturday, March 2, 2024 // 10:00AM – 3:00PM MT National Cybersecurity Center, 3650 N Nevada…
Colorado Springs, CO - January 16, 2024 The Space Information Sharing and Analysis Center (Space ISAC)…
Colorado Springs, CO - January 16, 2024 The National Cybersecurity Center (NCC) was thrilled to announce…