November 5, 2019
Zero Trust

Why Worrying About Election Security Only During Election Season Is Part of The Problem

Corey Williams – Idaptive
Corey Williams Vice President, Marketing

Year-round awareness and careful communication, coupled with common sense cybersecurity practices like multi-factor authentication and a Zero Trust perimeter, are the best defense against the fluid combination of varied attacks, evolving vulnerabilities, and human error that comes into play during elections.

Election security

“But what about her emails!” 

It’s become an unfortunate joke now, but the 2016 presidential election was mired in a seemingly unrelenting string of scandals centered around personal online habits and cybersecurity. While opponents harped on about Hillary Clinton using her personal email for political use – and thus potentially endangering sensitive data – you also had the tangential but related story of John Podesta, former White House Chief of Staff and chair of Clinton’s campaign. He was compromised in a data breach and had thousands of emails – many relating directly to the campaign – stolen in what amounted to a run-of-the-mill phishing attack and simple human error that could have affected any number of non-political businesses or personal accounts. 

But while a lot of the noise around these stories was bluster and political posturing, the specter of cybersecurity breaches shaping a presidential election was raised, perhaps permanently. Data can be placed in jeopardy in a myriad of ways, even without hackers actively looking for it. Is election security even possible given the sheer amount of vulnerabilities? 

It Can’t Be Just an Election Season Concern

This is why a discussion about election security is really no different from any other conversation about the threats that face all individuals or businesses. It’s also why the notion of election security doesn’t – or shouldn’t – just bubble up when an election is near. It’s a year-round concern, one complicated by numerous vulnerabilities. 

And that’s because hackers aren’t necessarily interested in changing votes. Although that very idea was floated as part of Special Counsel Robert Mueller’s investigation into the 2016 election, the results were inconclusive. As Philip Bump wrote in the Washington Post regarding the Mueller probe, “It may be — and appears to be — true that Russia didn’t manipulate actual voting results, changing a county’s pro-Clinton votes into pro-Trump ones...But Russia’s efforts absolutely affected the vote, as they were intended to...”

By “as they were intended to,” Bump is referring to how the registered voter data that hackers collect can be used to sway opinion and affect votes through hyper-targeted misinformation campaigns. By engaging in this scary new kind of digital gerrymandering, hackers can feed incorrect voting dates or false voting locations in an effort to prevent people from reaching the polls at all. In a 2018 Fast Company article titled “How Facebook Blew It,” Alex Pasternack and Joel Winston wrote, “The [Trump] campaign would use Facebook in uglier ways too. Days before the election, Bloomberg reported, the Trump team was rounding out a massive Facebook and Instagram ad purchase with a ‘major voter suppression’ effort. The effort, composed of short anti-Clinton video ads, targeted the ‘three groups Clinton needs to win overwhelmingly . . .  idealistic white liberals, young women, and African-Americans’ with ads meant to keep them from voting.” 

And yet, adding or removing votes remains a common misconception when the subject of election security is broached. Election hackers are after personal data. There is always danger around centralizing too much data, and elections amplify this threat by offering a window during which massive amounts of personal data for large swathes of the country are gathered and recorded. In the 2016 election, according to a report in Bloomberg News, hackers hit at least 39 states, with breaches into software systems and voter databases. In Illinois, detectives found proof that intruders tried to delete or otherwise alter voter data. In at least one state, hackers accessed a campaign-finance database. 

This is why “election security” is such a frustrating issue in a lot of ways. It’s nearly impossible to police at a high level, especially when you’re dealing with the existential threat posed by social platforms like Facebook. How do you prevent the formation of an opinion based on misinformation? The truth is, you can’t – but you also don’t stand a fighting chance of limiting the potentiality if you only begin to act a few weeks before an election, or if you hope some “other” will fix the problem without any changes on everyone’s part.

Be Aware and Be Active

Election cybersecurity needs active participation from everyone. Waiting for someone else to Band-Aid the problem and guarantee a 100% secure election is folly. There are simply too many factors at play here. Year-round awareness and careful communication, coupled with common sense cybersecurity practices like multi-factor authentication and a Zero Trust perimeter, are the best defense against the fluid combination of varied attacks, evolving vulnerabilities, and human error that comes into play during elections. And when we refer to awareness and communication, we don’t mean between campaign managers and their IT personnel. We mean everyone. Get involved, because it’s the only way to ensure every county, precinct, and state is doing what they can. Each state manages its own elections, and we’re all only as strong as our weakest link. 

 

So the call to action is simple: Contact your state and local representatives and ask them these 3 questions: 

  • Do they have multi-factor authentication turned on for all email services, devices, and any system or application that manages voter registration or other constituent data? 

  • Do they have proper access controls in place, and can they prove that only allow authorized individuals access to voter and other constituent data? 

  • What proactive measures do they have in place to ensure that proper and vetted voting information (like polling dates and locations) are reaching their constituents?

Corey Williams

Corey Williams – Idaptive
Corey
Williams
Vice President, Marketing

Corey Williams is the Vice President of Marketing & Strategy and lead evangelist for Idaptive, leading all marketing functions, as well as market development and strategy. Corey served as the Senior Director of Products and Marketing for more than a decade at Centrify where he was the visionary behind, and the first product manager of, the set of products that were ultimately spun out of Centrify to become Idaptive, including leading SaaS services for Single Sign-on (SSO)Adaptive Multi-factor Authentication (MFA)endpoint and mobile context, and User Behavior and Risk Analytics (UBA).

 While at Centrify, Corey defined and brought to market seven net-new product offerings directly contributing to the growth of the existing customer base from less than 400 customers to over 5000 customers. He also led efforts with major industry analysts that directly resulted in Centrify being named as a leader in all of the major analyst reports including the Gartner Magic Quadrant and Critical Capabilities reports for Access Management, Worldwide; Forrester IDaaS Wave; KuppingerCole Cloud MFA Leadership Compass; and Network World Clear Choice Winner for Single Sign-on Solutions.

Corey is a frequent speaker and commentator on IT Security and IT Management. He has authored several publications, including “Zero Trust Security for Dummies”, a leading guide for enterprise managers.

Prior to Centrify, Corey led products and marketing for SpikeSource (acquired by Black Duck Software), Syndera (acquired by Tibco), and Journee Software (acquired by Initiate Systems). Earlier in his career, he managed pre- and post-sales consulting for Active Software (acquired by webMethods). 

Corey holds degrees in Mathematics (BS) and Computer Science (BS) from New Mexico State University, as well as an MS in Engineering and an MBA from San Jose State University. 

CHAMELEON-LIKE SUPERPOWER

If Corey could have any chameleon-like superpower, it would be the chameleon's tongue, which is ridiculously fast. Some of the world's smallest chameleons have the world's fastest tongues. In automotive terms, the tongue could go from 0 to 60 miles per hour in a hundredth of a second! “I would be able to complete webinars in 4.5 seconds instead of 45 minutes!”