75% of all 56 US states and territories show signs of vulnerable election IT infrastructure, report finds

The report comes as officials in Georgia revealed more information about a ransomware attack that affected a digital voter database.

Voting booths at Hermosa Beach City Hall during California Primary

hermosawave, Getty Images/iStockphoto

Editor’s note: Since this article was first published, TechRepublic has received information that some state IT security officials have questioned the findings and methodology of SecurityScorecard’s ‘State of the States’ report as well as the company’s claim that state IT offices were notified prior to the report’s release. TechRepublic is reaching out to the states and SecurityScorecard for comment and will update this story accordingly.

Voting has already started ahead of Election Day on Nov. 3, but there are concerns about the state-level cybersecurity posture of election infrastructure after officials in Hall County, GA revealed that a ransomware attack took down a voter signature database and a voting precinct map that was hosted on the county’s website.

The attack, which was the first one announced this election season, highlights the precarious, patchwork nature of cybersecurity when it comes to how each state protects digital election tools.

SecurityScorecard released a report earlier this month that pored through the overall cybersecurity posture of all 56 US states and territories leading up to the presidential election. The study found that 75% of all states and territories had IT infrastructures that are vulnerable to a variety of cyberattacks.

The report gives each state a grade, from A to F, and noted that 75% were rated at a C level of below, meaning they are three times more likely to experience a breach or ransomware attack like what was seen in Georgia on Oct. 7. More than 30% garnered a D or below in the report, which makes those states or territories five times more likely to face an attack of some kind.

“The results are not surprising, and vulnerability management remains a challenge for many organizations. As this analysis shows, security gaps can be amplified by resource constraints, interconnected support systems, and a remote workforce that may increase the vulnerability footprint,” said Matt Ashburn, who served as CISO for the White House’s National Security Council from 2017 to 2019.

“Teams with limited resources many times have the unenviable position of defending systems against the world’s most persistent and well-resourced adversaries. Organizations must prioritize their security investment, ensure user awareness of threats, and develop backup procedures in case critical processes fail.”

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

Researchers with SecurityScorecard put the scores together using publicly available data and based it on the weighted average of 10 “Factor Scores” in different categories: Network security, DNS health, patching cadence, endpoint security, IP reputation, application security, cubit score, hacker chatter, information leaks, and social engineering.

American Samoa, Puerto Rico, Guam, Northern Mariana Islands, and the US Virgin Islands were included in the ranking because they are full of US citizens and, while they are not involved in presidential elections, do take part in the party primary process.

The report found that Kentucky, Kansas, and Michigan all had scores above 92, while states like North Dakota, Illinois, and Oklahoma all garnered scores around 60.

For the most part, most battleground states like Michigan, Wisconsin, Texas, Pennsylvania, and Arizona had scores above 80. But others, including Georgia, New Hampshire, Nevada, Florida, Iowa and Ohio had scores in the 70s and 60s.

“The IT infrastructure of state governments should be of critical importance to securing election integrity. This is especially true in ‘battleground states’ where the Department of Homeland Security, political parties, campaigns, and state government officials should enforce vigilance through continuously monitoring state voter registration networks and web applications for the purpose of mitigating incoming attacks from malicious actors,” said Alex Heid, chief research and development officer at SecurityScorecard.

“The digital storage and transmission of voter registration and voter tally data needs to remain flawlessly intact. Some states have been doing well regarding their overall cybersecurity posture, but the vast majority have major improvements to make.”

The study notes that many of the scores have changed since the beginning of the year, due in no small part to the coronavirus pandemic, which has forced many election teams to work remotely.

“Many states’ scores have dropped significantly since January. For example, North Dakota scored a 72 in January and now has a 59. Why? Remote work mandates gave state networks a larger attack surface (e.g., thousands of state workers on home Wi-Fi), making it more difficult to ensure employees are using up-to-date software,” the report said.

“SecurityScorecard observed significant security concerns with two critically important ‘battleground’ states, Iowa and Ohio, both of which scored a 68, or a ‘D’ rating,” it noted, adding that half of all states considered “battlegrounds had lackluster IT infrastructure.

The report notes that while the focus was on election cybersecurity, the scores do reflect on the larger security posture of the state and its local offices.

The issue most states had issues with was endpoint security, which was the lowest-scoring category of all 10 measured in the survey, at an average of 61.

Researchers “measured detected versions for operating systems, web browsers, and other notable data points that comprise endpoint security.”

“Massachusetts rates last in endpoint security with nearly 2,000 outdated operating system findings. Illinois comes in second-lowest with over 1,000 findings. Outdated software is vulnerable against the latest security threats, making it easier for attackers to deploy malware, either via a drive-by-download attack or spear-phishing attack,” the report said, adding that states can easily fix this by updating web browsers and operating systems to the latest available versions.

Andrew Homer, head of security strategy at Morphisec, said his company has done its own research finding that of the 16 million employees that work in state and local government today, nearly 40% of them are still working from home. This means there at least 6 million endpoint devices that employees are working on outside of traditional IT oversight.

“This only compounds existing issues with state and local governments when it comes to weak endpoint protection. These IT departments are often underfunded, short-staffed, and are not often a fit for costly and complex solutions,” Homer said. “That can leave state governments solely reliant on legacy antivirus solutions, which are increasingly ineffective against endpoint threats because they cannot detect advanced attacks.”

Malware was also a major problem, particularly for states like West Virginia, Idaho, and Indiana, which all had the highest counts of malware present across multiple malware families.

Researchers generally found a variety of malware types in state infrastructure ranging from Conficker, Emotet, Trickbot, Matsnu, and Qrypter.rat. One of the most worrying sections of the report notes that cyberattackers looking for access to state networks could easily purchase access “from criminal groups that have gained a foothold through pre-existing malware infections.”

The analysts behind the report added that there was a high volume of Server Message Block observed at the state level, specifically SMB protocols exposed to the public internet.

“This enables applications and users to access files (or other resources like printers) on remote servers. When this is exposed to the public internet, actors can quickly and easily gain access to a network,” the report said.

“This is how the infamous WannaCry and Petya ransomware attacks were executed.”

For the states with low scores, the consequences are particularly dire considering the ever-widening attack landscape. Cybercriminals are already leveraging an array of targeted phishing and malware delivery tools through email and other mediums to both ” infect networks and spread misinformation.”

According to the report, attackers sometimes sell their access to a system to other people after infiltrating a network or infecting devices.

Dozens of states also use third-party vendors for a variety of tools and often contract with the same companies, meaning one breach could allow access to multiple state systems.

“In fact, third parties are the primary area of focus for political campaigns because a significant amount of information is held by mom-and-pop ad-buying shops and pollster outfits. It’s not about the campaigns being attacked themselves, but one of their vendors,” the report said.

“Voter registration databases could be impacted, but more information about a state’s IT infrastructure would need to be uncovered to determine how such information is maintained within the state’s overall IT architecture, i.e., a low score may not necessarily mean that such information is easily compromised. In the worst-case scenario, attackers could remove voter registrations or change voter precinct information or make crucial systems entirely unavailable on Election Day through ransomware.”

The report’s authors took pains to remind readers that the rankings are not intended to shame states and they noted that SecurityScorecard does provide both political parties with cybersecurity products and services at no cost.

In terms of solutions, the report said states should create voter and election websites under official state domains to avoid typosquatting. There should be dedicated IT teams whose sole goal is to protect the confidentiality, integrity, and availability of all voter information and bolster election website cybersecurity.

No state should ever have a single person in charge of updating information and every state election authority should implement the “two-person” rule for any changes. Vendors and equipment suppliers for elections need to go through rigorous vetting as well, according to the report.

It also notes that states cannot handle a task this massive alone. Congress and the federal government, the study said, should provide more funding and resources to states specifically for IT services.

“While this report shines a light on some of the gaps in state security, there are paths to remediation,” said Sachin Bansal, general counsel at SecurityScorecard. “We’re on the same side of the fight against malicious actors who threaten the safety and security of our national cyber infrastructures.”