The 2020 U.S. presidential primaries are right around the corner. As people gear up to cast their ballots for party candidates, they may not realize that website security shortcomings could leave the U.S. elections susceptible to digital disinformation campaigns or possibly worse seeking to influence and /or manipulate the democratic process.
McAfee recently conducted a survey of county websites and county election administration websites in the 13 states projected as battleground or “tossup” states in the U.S. presidential elections in November. According to the survey results, the majority of these websites lacked official U.S. government .GOV website validation and HTTPS website security measures to prevent hackers from launching fake websites disguised as legitimate county government sites.
You might be wondering what the significance of a .gov website domain is. Well, a .gov website name requires that buyers submit evidence to the U.S. government that they truly are buying these names on behalf of legitimate local, county, or state government entities.
On the other hand, a website using a .COM, .NET, .ORG, or .US can be purchased by anyone with a credit card from any number of legitimate website domain vendors. The lack of a .GOV in a website name means that no controlling government authority has validated that the website is a legitimate government site.
HTTPS: browse the web securely
In the same vein as a .GOV web domain, HTTPS and a lock icon in the address of a website helps establish its validity. When a visitor sees these icons, it means that their browser has made a secure connection with the website, which means the website and the user can be confident of who they are sharing information with.
This means that any personal voter registration information that a user shares with the site cannot be intercepted and stolen by hackers while they are on the site. Additionally, HTTPS and a lock icon tell the user that they cannot be re-routed without their knowledge to a different site.
How this could impact elections
Hackers typically look to carry out their attacks with the least amount of effort and the fewest resources. Instead of hacking into local voting systems and changing vote counts, hackers could conduct a digital disinformation campaign to influence voter behavior during the elections. These attacks would seek to suppress or disrupt the voting process by setting up bogus websites with official sounding domains and related email addresses. From there, hackers could use those bogus email addresses to send mass email blasts intended to feed unsuspecting voter email recipients false information on when, where, and how to vote.
Example disinformation email:
On top of that, social media promotions could be used to lure voters to the fake websites and provide them with the same false information.
By telling voters that they should register to vote in the wrong places, or merely vote at the wrong times, the hackers could misdirect, confuse, and frustrate voters on election day. This could ultimately impact vote counts or at least undermine voter confidence in the electoral process.
McAfee’s survey of the external security measures for county election websites included Arizona, Florida, Georgia, Iowa, Michigan, Minnesota, Nevada, New Hampshire, North Carolina, Ohio, Pennsylvania, Texas, and Wisconsin. Together, these states account for 201 of the 270 electoral votes required to win the U.S. presidential election.
Our research found that Minnesota and Texas ranked the lowest among the surveyed states in terms of .GOV county coverage with 4.6% and 5.1% coverage respectively. Arizona ranked the highest in .GOV county coverage with 66.7%. Yet, this still left a third of the state’s counties uncovered.
Texas ranked the lowest in terms of HTTPS protection with only 22.8% of its county websites protected. Arizona again led in county HTTPS protection with 80.0%, followed by Nevada (75.0%), Iowa (70.7%), Michigan (65.1%), and Wisconsin (63.9%). Again, these “leader” states still lacked HTTPS coverage for approximately a third of their counties.
Tips to help secure your vote
So, what can citizens do to help protect their votes and the electoral system overall leading up to the 2020 election? Check out these tips to securely cast your ballot:
- Stay informed. Remind yourself to confirm the site you are visiting is a .GOV website and that HTTPS security protection is in place to ensure that the information accurate and is safe.
- Look out for suspicious emails. Carefully scrutinize all election related emails. An attacker seeking to misinform can use phishing-techniques to accomplish their objective. McAfee’s general warnings related to phishing emails (e.g. here), where an attacker can create emails that look as if they come from legitimate sources are applicable.
- Go directly to the source. If in doubt, visit your state’s elections website to receive general election information on voter registration and contact information for your county’s election officials. Contact the local county officials to confirm any election instructions you receive via email, social media, or websites leading up to Election Day.
- Keep it old school. Trust the official voting literature sent through the traditional mail first, as the U.S. Postal Service is the primary channel state and local governments use to send out voting information.