How to Fortify Elections and Election Campaigns Against Human Hacking

In this interview for Help Net Security, James Turgal, Vice President of Cyber ​​Risk, Strategy and Board Relations at Optiv, talks about election cybersecurity and how to secure elections and campaigns. elections.

Mid-terms are approaching and electoral cybersecurity is once again in the spotlight. What makes him so vulnerable?

After the results of the last presidential election were nearly overshadowed by so-called Holocaust deniers and those who continue to expose vote fraud, all eyes are on the midterm elections in November. Social media platforms are awash with manipulated information, and threat actors are getting good at creating narratives with a few simple searches mixed with deception and social engineering techniques.

Threat actors aim to create “fake news” to manipulate communications and those who devour them. Nation states and dedicated proxy groups target not only electoral systems and infrastructure, but also electoral volunteers and people who might not recognize a cyberattack during their work. After all, people are the weakest link when it comes to these social engineering techniques and other hacking attempts.

Are people the weak link in campaigns and why?

As with many cybersecurity breaches, unfortunately, people are the weakest link in the electoral system. Tens of thousands of volunteers answering phones and emails, making banners, canvassing, etc. compromise the system.

All it takes is one person within an organization (especially campaigns) to click on the wrong link in an email and allow hackers to enter the system, thereby compromising treasure troves of information and data, such as credit card numbers from donations and personal information. These volunteers and employees have varying degrees of cyber acumen, knowledge and experience, making them a prime target for nation states and proxy groups to hit with social engineering tactics.

What should campaign and election officials keep in mind and watch out for?

The hacking attempts that nation-state threat actors will deploy have become much more sophisticated and harder to spot. Gone are the days when phishing and social engineering messages contained misspelled words, poor grammar, and obvious clues that they were fake. These days, phishing attempts might closely resemble an organization the campaign might be working with, such as a vendor or local association. They may also refer to current events to sound more legitimate, or convey a sense of urgency in their messages, such as stating a deadline, so victims act quickly before being vigilant about verifying the source.

Additionally, we have observed consistent patterns of attacks that not only target these candidates and campaign staff, but also political and legislative experts who can consult on key issues and topics. Therefore, detection and vigilance are essential on the part of all staff and partner organisations.

Is there anything specific that campaign and election officials can do to ensure campaigns are safe?

Election officials and campaigns should be especially vigilant to detect social engineering hacks. All staff should participate in social engineering training that includes information on all forms of attack vectors, including in-person, telephone, and electronic attempts. Volunteers should also be trained to exercise caution when providing information online and to outside entities – including on social media posts – as threat actors will aggregate this information to create hacks. more personal social engineering.

Finally, campaigns should prioritize hiring cyber experts, create cyber-focused defense and resilience plans, and secure volunteer cyber warriors who understand threat actors, their tactics, and their skills. techniques, and can then detect anomalies in emails, text messages, phone calls or other interactions. Just as experts are hired to consult on legislative, policy and foreign issues, cybercrime is now big business, so organizations need expertise in this area to proactively defend themselves.

How are cybercriminals evolving in this area?

While cybercriminals have become more sophisticated in how they position attacks to make them more convincing, they haven’t changed much in their techniques because they still work. Simple phishing attempts such as sending the wrong hyperlinks and emails still give hackers access to sensitive information in companies’ databases, so until they no longer earn money with these types of attacks, we expect to see more of the same. Therefore, businesses should implement basic cyber hygiene practices – even simple tasks like using a 12-character password or verifying email addresses after receiving suspicious emails can prevent hackers from entering systems.

Comments are closed.