(This is part three in our "Understanding the Election Cybersecurity Landscape" series.)
As we rapidly approach the 2024 U.S. elections, the human element remains one of the most vulnerable aspects of our electoral system. While technological defenses continue to evolve, state actors and cybercriminals in general are increasingly turning to phishing and social engineering tactics to exploit human psychology and gain unauthorized access to sensitive information or systems. These attacks pose a significant threat to election integrity by targeting election officials, campaign staff, and voters alike.
The Anatomy of Election-Related Phishing Attacks
Phishing attacks during election seasons often exploit the heightened emotions and time pressures associated with political campaigns. Attackers craft convincing emails, text messages, or social media posts that appear to come from trusted sources such as election boards, political parties, or candidates themselves. These messages typically create a sense of urgency or importance to prompt quick, unthinking responses from targets.
For example, an election official might receive an email that appears to be from a voting machine vendor, claiming there's a critical security update that needs immediate attention. The email could contain a malicious link or attachment that, when clicked, installs malware or captures login credentials. Similarly, voters might receive text messages with false information about polling place changes or registration requirements, containing links to fraudulent websites designed to steal personal information.
Social Engineering: Exploiting Trust and Authority
Social engineering attacks go beyond simple phishing by leveraging more complex psychological manipulation. These attacks often involve multiple touchpoints and can unfold over extended periods, making them particularly insidious.
In the context of elections, a social engineering attack might involve an attacker posing as an IT support technician, contacting county election workers with offers of assistance. Over time, the attacker builds trust and may eventually request remote access to systems or sensitive information under the guise of providing support. This type of attack exploits the often-overworked and under-resourced nature of many local election offices.
Another common tactic is impersonating authority figures. An attacker might pose as a high-ranking election official or party leader, using this perceived authority to pressure lower-level staff into bypassing security protocols or divulging confidential information.
The Cascading Impact on Election Security
The consequences of successful phishing and social engineering attacks can be far-reaching. A single compromised account or system can serve as an entry point for broader network infiltration, potentially leading to:
- Disruption of election management systems, including those that are responsible for updating public-facing results on and after election day
- Theft or manipulation of voter registration data
- Unauthorized access to voting machine software or configurations
- Leaks of sensitive campaign strategies or communications
- Spread of disinformation from trusted sources
Moreover, even unsuccessful attacks can erode public confidence in the electoral process. The mere perception that election systems or officials might be compromised can fuel doubts about election integrity, which could be especially problematic this year.
Defending Against the Human Factor
Mitigating the risks posed by phishing and social engineering requires a multi-faceted approach that combines technological solutions with robust human training and awareness programs.
Technical Safeguards
- Implement strong email filtering and anti-phishing tools
- Use multi-factor authentication for all critical systems
- Regularly update and patch software to address known vulnerabilities
- Employ network segmentation to limit the potential spread of breaches
Human-Focused Defenses
- Conduct regular, scenario-based training for election officials and staff
- Develop clear communication protocols for sharing sensitive information
- Establish verification procedures for requests involving system access or data transfers
- Create a culture of security awareness where staff feel empowered to question suspicious or urgent requests
Public Education
- Launch voter education campaigns on recognizing election-related phishing attempts
- Provide clear, authoritative sources for election information
- Encourage critical thinking and verification of election-related messages
- Ensure there is a clear way for voters to recognize legitimate municipal communications, and provide straightforward ways for them to validate potentially illegitimate ones
The Road Ahead
As we move ever closer to the 2024 elections, the sophistication of phishing and social engineering attacks is likely to increase. The rise of AI-generated content, including deepfakes, will make it even more challenging to distinguish legitimate communications from fraudulent ones (something we will cover in the final installment).
However, by focusing on the human element – both in terms of vulnerabilities and strengths – we can build a more resilient election security ecosystem. Empowering election officials and voters with knowledge and critical thinking skills is our best defense against these evolving threats.
The integrity of our elections depends not just on secure technology, but on a vigilant and informed populace. By recognizing the central role of human factors in election security, we can work towards elections that are not only technologically sound but also trusted and resilient in the face of increasingly sophisticated attacks.