Election Cyber Security - Considerations for Educational Institutions

David V Creamer, CTO-CISO, St. Petersburg College

Educational institutions must remain vigilant to assist in lowering the risk to our voting process and our democracy

This November, Americans will vote for the future leadership of the country. United States intelligence officials have stated that significant evidence indicates that foreign nation states sought to influence the 2016 elections and are currently working to do the same in the upcoming 2020 elections.  All Americans have a personal role to play to minimize the effect of any such interference in our elections. However, many of us who work at educational institutions may perceive that we have little to do with securing our elections. We indeed have a significant role to play in addressing cyber security vulnerabilities and protecting against threats to our democratic process.

Secured Polling Places

Many educational institutions serve their communities as polling precincts where election officials and the public mix with faculty, staff and students.  With so many different people in close proximity, physical access to voting equipment is difficult to control. During the 2019 DEFCON convention, one of the largest gathering of hackers and cyber security researchers in the world, a “Voting Machine Hacking Village” assembled over 100 voting machine models utilized across the country.  My observations and discussions with those researchers indicated that physical access to voting equipment and local networks by hackers would result in rapidly compromised voting machines potentially affecting vote counts. One of the hacks observed was simply connecting a flash drive to a USB port on a voting machine running Windows, introducing malware and compromising the voting equipment.

Special attention to securing any physical area where voting equipment is stored is extremely important. There should be limited and monitored access to storage areas including a minimal number of keys and the use of camera systems to verify access. If voting equipment is connecting to institutional data networks, those networks will likely require special configuration in order to provide adequate security.

Infrastructure and Accounts Used for Attacks

Hackers view infrastructure at educational institutions as a rich target, as many institutions have very robust internet connectivity and generally less restrictive policies regarding access to external sites. This is especially true in higher education institutions. Compromised computers and network accounts of staff, faculty and students are a springboard for hackers to attack and break into election-related websites of candidates, political parties, Political Action Committees (PACs) and media. The goal in many cases is to alter websites to misinform the public or simply make a website’s election information unavailable.

For institutions who operate TV or radio stations on campus, a compromised account could lead to a mass broadcast of incorrect or unauthorized political content, as seen during the 2016 election cycle.

Compromised accounts can also become sources of foreign nation-state sponsored or opposition sponsored social media misinformation campaigns.

An effective strategy that educational institutions can employ is minimizing the possibility of compromised accounts. Strategies include use of two-factor authentication requiring both a password and code sent to a smart phone in order to access an account. Increase security for campus media outlets such as TV and radio stations during the election cycle, such as staff monitoring of feeds prior to and during voting hours.  Initiate social media monitoring services providing alerts about posted content that is unusual. Staff and faculty should be aware of incident response processes at the institution and be provided security awareness training focusing on email phishing attacks related to election activity.

Encourage Civic Engagement-but Pay Attention

Higher education institutions encourage civic engagement for their students by sponsoring or allowing outside groups to sponsor “get out the vote” campaigns on campus. These include institutional sponsored campaigns like “Turbovote” or granting campus access to non-partisan groups like the League of Women Voters.  Unfortunately, the bad guys are watching this as well. Imitation registration campaigns, both on campus and online, seek to exclude parts or all of the electorate. Misinformation from hackers imitating an educational institution can redirect people trying to register to vote to a fake site eliminating them as a voter.

Institutions should be very aware of all voter registration campaigns on campus and be prepared with responsible policy and the ability to react quickly in cases where abuse occurs. Train campus police or security departments to enforce institution policies regarding voter registration groups. Information technology departments should deploy automated monitoring of access to sponsored websites like “TurboVote” using your institution’s monitoring software tools. This should alert when access becomes unavailable or if a redirect has occurred.

Time is Running Out

While we participate in our nation’s democratic process, work hand in hand with IT security professionals - either from your institution, state or federal government. Both foreign and domestic entities are trying to undermine the American democratic process, not necessarily by hacking the vote, but by destroying the confidence we have in our election process.  Educational institutions must remain vigilant to assist in lowering the risk to our voting process and our democracy.

Check out: Top Security Assessment Solution Companies

Information Technology

Storage