Report: Majority of U.S. States, Territories Vulnerable to Potential Voting Hacks

Three quarters of U.S. states and territories are bogged down by IT infrastructures vulnerable to cyber breaches, including a number of battleground states that could affect voting systems in the upcoming election, a new report found.

IT security firm SecurityScorecard examined the cybersecurity profiles of 56 states and territories based on 10 categories, including voter and election information on websites, and network, application and endpoint security, where weaknesses could, and might be expected to, lead to cybersecurity breaches ahead of and following the presidential election. The data are recent, compiled in September and October 2020.

States were scored on an A to F scale, resulting in 75 percent rated at a C or below and 35 percent pegged at a D and below. Based on SecurityScorecard’s three-year historical data, states with a grade of C are three times more likely to experience a breach or incident as compared to those with an A rating. Those with a D are nearly five times more likely to experience a breach, the rater said. Among states and territories, there are as many with F ratings as there are those with an A rank.

Some states that could ultimately determine the election, including Florida, Georgia and Nevada, scored a C while Iowa and Ohio both scored a D, the data showed. On the other hand, Michigan, a key battleground state, scored an A and five other swing states, including Arizona, North Carolina, Pennsylvania, Texas and Wisconsin, were rated a B. Kentucky and Kansas joined Michigan with the three highest scores, while the three lowest rated states were North Dakota, Illinois and Oklahoma.

While some states have built a strong cybersecurity profile, the majority need to make “major improvements,” said Alex Heid, SecurityScorecard’s chief research and development officer. “The IT infrastructure of state governments should be of critical importance to securing election integrity,” he said. Heid called upon the Department of Homeland Security, political parties, campaigns and state government officials to closely monitor state voter registration networks and web applications to mitigate cyber attacks.

In a worst-case scenario, attackers could remove voter registrations or change voter precinct information or make crucial systems entirely unavailable on election day through ransomware infections.

A number of states scored considerably lower since January, a finding the researcher attributed to the coronavirus (COVID-19) pandemic. In addition, the increasing number of remote workers on home Wi-Fi networks has made it more challenging for employers to update system software. “The pandemic has brought significant challenges to states with many facing hiring freezes and significant budget deficits. States cannot do this alone,” the report said.

SecurityScorecard offered four best practices for states to improve voting system cybersecurity:

  • Create dedicated voter and election-specific websites under the official state domain, rather than using alternative domain names which can be subjected to typosquatting.
  • Deploy an IT team specifically tasked and accountable for bolstering voter and election website cybersecurity, defined as confidentiality, integrity, and availability of all processed information.
  • States should establish clear lines of authority for updating the information on these sites with no single individual able to update information without a second person authorizing it.
  • States and counties should continuously monitor the cybersecurity exposure of all assets associated with election systems, and ensure that vendors supplying equipment and services to the election process undergo stringent processes.

1 Comment


    Kelly Ivahnenko:

    To DH Kass,

    This comment is a response by the State of North Dakota to Security Report Card’s report. This statement can be attributed to Chief Information Officer Kevin Ford. I’m happy to answer any questions or discuss further. – Kelly

    Any conclusions made regarding election security in this report are baseless and irresponsible in a time when citizens expect and deserve confidence in the integrity of their elections. The State of North Dakota observes the following:

    – The company issuing this report sells cybersecurity services. They didn’t validate their findings, and have an established pattern of misattributing findings to try to incentivize the purchase of their services. The practice of publishing superficial findings in the interest of selling monitoring services has been highly criticized by reputable companies in this space.

    – Their report also draws inaccurate conclusions around ‘security vulnerabilities’ tied to ‘election security.’ In North Dakota’s case, the IP addresses on which they are reporting are overwhelmingly devices on our guest Wi-Fi networks as well as other networks that have no meaningful interaction with State Government devices, especially our highly insulated and protected election systems.

    – Their scoring methodology doesn’t take into account network size and therefore puts the credibility of the ranking structure in question. North Dakota has one of the largest centralized state networks in the nation with over 250,000 devices including K-12, Higher Education, and County and City Governments. The report’s findings are pertinent to less than one half of one percent of the systems on the state network – most of which do not reside within the State’s trusted security boundaries.

    – This organization is a for-profit company and should not be considered a neutral security observer or watchdog. The company has not sought to work with the leadership of the Elections as Critical Infrastructure subsector (Government Coordinating Council) or the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC). When it comes to election administration and the performance of the State of North Dakota, we recognize MIT’s Election Performance Index.

    – North Dakota is seen as a leader in cybersecurity by multiple third parties and has invested significantly in cybersecurity from a unified, statewide approach (Senate Bill 2110 is a key milestone). North Dakota works with dozens of stakeholders across the state to continuously elevate our collective cybersecurity posture and has been recognized for our national leadership in recent years.

    We would encourage MSSP Alert’s authors and editors to closely examine the factual accuracy of assertions being made and seek comment from additional security experts or the states themselves.
