US County Election Websites (Still) Fail to Fulfill Basic Security Measures

By on Oct 07, 2020

In January 2020, McAfee released the results of a survey establishing the extent of the use of .GOV validation and HTTPS encryption among county government websites in 13 states projected to be critical in the 2020 U.S. Presidential Election. The research was a result of  my concern that the lack of .GOV and HTTPS among county government websites and election-specific websites could allow foreign or domestic malicious actors to potentially create fake websites and use them to spread disinformation in the final weeks and days leading up to Election Day 2020.

Subsequently, reports emerged in August that the U.S. Federal Bureau of Investigations, between March and June, had identified dozens of suspicious websites made to look like official U.S. state and federal election domains, some of them referencing voting in states like Pennsylvania, Georgia, Tennessee, Florida and others.

Just last week, the FBI and Department of Homeland Security released another warning about fake websites taking advantage of the lack of .GOV on election websites.

These revelations compelled us to conduct a follow-up survey of county election websites in all 50 U.S. states.

Why .GOV and HTTPS Matter

Using a .GOV web domain reinforces the legitimacy of the site. Government entities that purchase .GOV web domains have submitted evidence to the U.S. government that they truly are the legitimate local, county, or state governments they claimed to be. Websites using .COM, .NET, .ORG, and .US domain names can be purchased without such validation, meaning that there is no governing authority preventing malicious parties from using these names to set up and promote any number of fraudulent web domains mimicking legitimate county government domains.

An adversary could use fake election websites for disinformation and voter suppression by targeting specific citizens in swing states with misleading information on candidates or inaccurate information on the voting process such as poll location and times. In this way, a malicious actor could impact election results without ever physically or digitally interacting with voting machines or systems.

The HTTPS encryption measure assures citizens that any voter registration information shared with the site is encrypted, providing greater confidence in the entity with which they are sharing that information. Websites lacking the combination of .GOV and HTTPS cannot provide 100% assurance that voters seeking election information are visiting legitimate county and county election websites. This leaves an opening for malicious actors to steal information or set up disinformation schemes.

I recently demonstrated how such a fake website would be created by mimicking a genuine county election website and then inserting misleading information that could influence voter behavior. This was done in an isolated lab environment that was not accessible to the internet as to not create any confusion for legitimate voters.

In many cases, election websites have been set up to provide a strong user experience versus a focus on mitigating concerns that they could be spoofed to exploit the communities they serve. Malicious actors can pass off fake election websites and mislead large numbers of voters before detection by government organizations. A campaign close to election day could confuse voters and prevent votes from being cast, resulting in missing votes or overall loss of confidence in the democratic system.

September 2020 Survey Findings

McAfee’s September survey of county election administration websites in all 50 U.S. states (3089 counties) found that 80.2% of election administration websites or webpages lack the .GOV validation that confirms they are the websites they claim to be.

Nearly 45% of election administration websites or webpages lack the necessary HTTPS encryption to prevent third-parties from re-directing voters to fake websites or stealing voter’s personal information.

Only 16.4% of U.S. county election websites implement U.S. government .GOV validation and HTTPS encryption.

States # Counties # .GOV % .GOV # HTTPS % HTTPS # BOTH %BOTH
Alabama 67 8 11.9% 26 38.8% 6 9.0%
Alaska 18 1 5.6% 12 66.7% 1 5.6%
Arizona 15 11 73.3% 14 93.3% 11 73.3%
Arkansas 75 18 24.0% 30 40.0% 17 22.7%
California 58 8 13.8% 45 77.6% 6 10.3%
Colorado 64 21 32.8% 49 76.6% 20 31.3%
Connecticut 8 1 12.5% 2 25.0% 1 12.5%
Delaware 3 0 0.0% 0 0.0% 0 0.0%
Florida 67 4 6.0% 64 95.5% 4 6.0%
Georgia 159 40 25.2% 107 67.3% 35 22.0%
Hawaii 5 4 80.0% 4 80.0% 4 80.0%
Idaho 44 6 13.6% 28 63.6% 5 11.4%
Illinois 102 14 13.7% 60 58.8% 12 11.8%
Indiana 92 28 30.4% 41 44.6% 16 17.4%
Iowa 99 27 27.3% 80 80.8% 25 25.3%
Kansas 105 8 7.6% 46 43.8% 2 1.9%
Kentucky 120 19 15.8% 28 23.3% 15 12.5%
Louisiana 64 5 7.8% 12 18.8% 2 3.1%
Maine 16 0 0.0% 0 0.0% 0 0.0%
Maryland 23 9 39.1% 22 95.7% 8 34.8%
Massachusetts 14 3 21.4% 5 35.7% 2 14.3%
Michigan 83 9 10.8% 63 75.9% 9 10.8%
Minnesota 87 5 5.7% 59 67.8% 5 5.7%
Mississippi 82 8 9.8% 30 36.6% 5 6.1%
Missouri 114 8 7.0% 49 43.0% 7 6.1%
Montana 56 15 26.8% 21 37.5% 8 14.3%
Nebraska 93 35 37.6% 73 78.5% 32 34.4%
Nevada 16 3 18.8% 13 81.3% 2 12.5%
New Hampshire 10 0 0.0% 0 0.0% 0 0.0%
New Jersey 21 3 14.3% 11 52.4% 2 9.5%
New Mexico 33 7 21.2% 20 60.6% 6 18.2%
New York 62 15 24.2% 48 77.4% 14 22.6%
North Carolina 100 37 37.0% 69 69.0% 29 29.0%
North Dakota 53 3 5.7% 19 35.8% 2 3.8%
Ohio 88 77 87.5% 88 100.0% 77 87.5%
Oklahoma 77 1 1.3% 24 31.2% 1 1.3%
Oregon 36 1 2.8% 22 61.1% 0 0.0%
Pennsylvania 67 11 16.4% 40 59.7% 7 10.4%
Rhode Island 5 2 40.0% 3 60.0% 0 0.0%
South Carolina 46 15 32.6% 33 71.7% 13 28.3%
South Dakota 66 2 3.0% 14 21.2% 1 1.5%
Tennessee 95 23 24.2% 38 40.0% 12 12.6%
Texas 254 10 3.9% 86 33.9% 6 2.4%
Utah 29 8 27.6% 16 55.2% 7 24.1%
Vermont 14 0 0.0% 0 0.0% 0 0.0%
Virginia 95 33 34.7% 61 64.2% 35 36.8%
Washington 39 7 17.9% 26 66.7% 6 15.4%
West Virginia 55 18 32.7% 33 60.0% 16 29.1%
Wisconsin 72 16 22.2% 61 84.7% 11 15.3%
Wyoming 23 4 17.4% 15 65.2% 2 8.7%
Total 3089 611 19.8% 1710 55.4% 507 16.4%

We found that the battleground states were largely in a bad position when it came to .GOV and HTTPS.

Only 29% of election websites used both .GOV and HTTPS in North Carolina, 22% in Georgia, 15.3% in Wisconsin, 10.8% in Michigan, 10.4% in Pennsylvania, and 2.4% in Texas.

While 95.5% of Florida’s county election websites and webpages use HTTPS encryption, only 6% percent validate their authenticity with .GOV.

During the January 2020 survey, only 11 Iowa counties protected their election administration pages and domains with .GOV validation and HTTPS encryption. By September 2020, that number rose to 25 as 14 counties added .GOV validation. But 72.7% of the state’s county election sites and pages still lack official U.S. government validation of their authenticity.

Alternatively, Ohio led the survey pool with 87.5% of election webpages and domains validated by .GOV and protected by HTTPS encryption. Four of Five (80%) Hawaii counties protect their main county and election webpages with both .GOV validation and encryption and 73.3% of Arizona county election websites do the same.

What’s not working

Separate Election Sites. As many as 166 counties set up websites that were completely separate from their main county web domain.  Separate election sites may have easy-to-remember, user-friendly domain names to make them more accessible for the broadest possible audience of citizens. Examples include my own county’s www.votedenton.com as well as www.votestanlycounty.com, www.carrollcountyohioelections.gov, www.voteseminole.org, and www.worthelections.com.

The problem with these election-specific domains is that while 89.1% of these sites have HTTPS, 92.2% lack .GOV validation to guarantee that they belong to the county governments they claim. Furthermore, only 7.2% of these domains have both .GOV and HTTPS implemented. This suggests that malicious parties could easily set up numerous websites with similarly named domains to spoof these legitimate sites.

Not on OUR website. Some smaller counties with few resources often reason that they can inform and protect voters simply by linking from their county websites to their states’ official election sites. Other smaller counties have suggested that social media platforms such as Facebook are preferable to election websites to reach Internet-savvy voters.

Unfortunately, neither of these approaches prevents malicious actors from spoofing their county government web properties. Such actors could still set up fake websites regardless of whether the genuine websites link to a .GOV validated state election website or whether counties set up amazing Facebook election pages.

For that matter, Facebook is not a government entity focused on validating that organizational or group pages are owned by the entities they claim to be. The platform could just as easily be used by malicious parties to create fake pages spreading disinformation about where and how to vote during elections.

It’s not OUR job. McAfee found that some states’ voters could be susceptible to fake county election websites even though their counties have little if any role at all in administering elections. States such as Connecticut, Delaware, Maine, Massachusetts, New Hampshire, Rhode Island and Vermont administer their elections through their local governments, meaning that any election information is only available at the states’ websites and those websites belonging to major cities and towns. While this arrangement makes county-level website comparisons with other states difficult for the purpose of our survey, it doesn’t make voters in these states any less susceptible to fake versions of their county website.

There should be one recipe for the security and integrity of government websites such as election websites and that recipe should be .GOV and HTTPS.

What IS working: The Carrot & The Stick

Ohio’s leadership position in our survey appears to be the result of a state-led initiative to transition county election-related content to .GOV validated web properties. Ohio’s Secretary of State used “the stick” approach by demanding by official order that counties implement .GOV and HTTPS on their election web properties. If counties couldn’t move their existing websites to .GOV, he offered “the carrot” of allowing them to leverage the state’s domain.

A majority of counties have subsequently transitioned their main county websites to .GOV domains, their election-specific websites to .GOV domains, or their election-specific webpages to Ohio’s own .GOV-validated https://ohio.gov/ domain.

Examples:

https://adamscountyoh.gov/elections.asp
https://www.allen.boe.ohio.gov/
https://boe.ashland.oh.gov/
https://www.boe.ohio.gov/ashtabula
https://elections.bcohio.gov/
https://www.carrollcountyohioelections.gov/
https://boe.clermontcountyohio.gov/
https://crawfordcountyohioboe.gov/
https://vote.delawarecountyohio.gov/
https://votehamiltoncountyohio.gov/

While Ohio’s main county websites still largely lack .GOV validation, Ohio does provide a mechanism for voters to quickly assess if the main election website is real or potentially fake. Other states should consider such interim strategies until all county and local websites with election functions can be fully transitioned to .GOV.

Ultimately, the end goal success should be that we are able to tell voters that if they don’t see .GOV and HTTPS, they shouldn’t believe that a website is legitimate or safe. What we tell voters must be that simple, because the general public lacks a technical background to determine real sites from fake sites.

For more information on our .GOV-HTTPS county website research, potential disinformation campaigns, other threats to our elections, and voter safety tips, please visit our Elections 2020 page: https://www.mcafee.com/enterprise/en-us/2020-elections.html

About the Author

Steve Grobman

Steve Grobman is senior vice president and chief technology officer at McAfee. In this role, he sets the technical strategy and direction to create technologies that protect smart, connected computing devices and infrastructure worldwide. He leads McAfee’s development of next-generation cyberdefense and data science technologies, threat and vulnerability research, and internal CISO and IT organizations. ...

Read more posts from Steve Grobman

Subscribe to McAfee Securing Tomorrow Blogs