Last month, a grand jury issued a detailed indictment on international interference during the 2016 U.S. presidential election. Details in the indictment indicate that nation-state actors utilized encrypted tunnels to target vulnerabilities in election infrastructure, along with other attack methods.
Attacks that hide in encrypted tunnels are difficult to detect and block without a comprehensive machine identity protection program in place.
Security professionals have been discussing cyber attacks targeting election infrastructure well before July’s grand jury indictment. However, these concerns have come into sharp focus right now because there are many high-profile elections taking place this year.
Venafi recently surveyed over 400 IT security professionals in the U.S., U.K. and Australia to understand threats focused on the back end systems that support our election infrastructure. Unsurprisingly, the study reveals that 93% of security professionals are concerned about cyber attacks targeting election infrastructure and data.
Even more distressingly, 81% believe cyber criminals will target election data as it is transmitted between machines, software and hardware applications, and moved from local polling stations to central aggregation points.
“Security professionals clearly think that machine-to-machine communication in the electoral process is a high value asset for attackers targeting election results,” says Kevin Bocek, vice president of security strategy and threat intelligence for Venafi. “This is just one reason why governments around the world need to make the security of all encrypted, machine-to-machine communication their top concern.”
Additional findings from our study include:
- Election systems are critical infrastructure. 95% believe election systems—including voting machines, software and back-end systems—should be considered critical infrastructure.
- Voting machines are not the only vulnerable electoral assets. When asked what areas of election infrastructure were most vulnerable to cyber attackers:
- 54% say voting machines that collect election data.
- 52% say encrypted communications between polling stations and back-end election systems.
- 50% say systems that store voter registration data.
- Security professionals are not confident in protection. Only 2% are very confident in their local, state and federal governments' abilities to detect cyber attacks targeting election infrastructure. In addition, only 3% are very confident in their local, state and federal governments' abilities to block them.
- Attackers already have access to vulnerabilities and exploits. 64% believe vulnerabilities and exploits connected with election systems are available to cyber attackers on the dark web.
“Last year, attendees at DEF CON managed to find and take advantage of vulnerabilities in five different voting machine types within 24 hours,” says Jeff Hudson, CEO of Venafi. “While these findings were disturbing, conference attendees only examined a small portion of our election infrastructure. It’s clear to nearly all security professionals that the back-end systems that transmit, aggregate, tabulate, validate and store election data are at least as vulnerable to cyber attacks as voting machines.”
Are you concerned about cyber attacks on election infrastructure? Do you think election officials are prepared to defend against these attacks?