The security risks around the 2020 presidential election aren’t limited to direct attacks on the voting systems. Research firm Area 1 Security has published a report (via Wall Street Journal) warning that many election officials are using email systems that leave them vulnerable to phishing attacks and hacks. Out of more than 10,000 state and local officials, about 53 percent only had “rudimentary or non-standard” defenses against phishing. Only 18.6 percent had “advanced” safeguards in place, and 5.4 percent were using personal email addresses.
Small jurisdictions in Maine, Michigan, Missouri and New Hampshire were using a flawed version of Exim, software that’s free but has also been targeted by state-sponsored Russian hackers.
This wouldn’t necessarily let intruders compromise the voting process. The Cyber Threat Alliance’s J. Michael Daniel told the WSJ that it would be “really hard to do” digital vote manipulation at a meaningful level. However, ransomware and other phishing-based campaigns could make it difficult for election administrators to do their job, and might cast doubt on the results even if the voting infrastructure is safe.
This could still be an improvement over security levels in past years. However, this still leaves many officials susceptible. Russia and other countries were reportedly trying to phish high-profile targets in 2018 — it’s difficult to rule out similar campaigns in 2020, particularly against election staff who don’t have the same resources to protect themselves. It may be a long while before email security is consistently strong.