Three quarters of U.S. states and territories are bogged down by IT infrastructures vulnerable to cyber breaches, including a number of battleground states that could affect voting systems in the upcoming election, a new report found.
IT security firm SecurityScorecard examined the cybersecurity profiles of 56 states and territories based on 10 categories, including voter and election information on websites, and network, application and endpoint security, where weaknesses could--and might be expected to--lead to cybersecurity breaks ahead of and following the presidential election. The data are recent, compiled in September and October, 2020.
States were scored on an A to F scale, resulting in 75 percent rated at a C or below and 35 percent pegged at a D and below. Based on SecurityScorecard’s three-year historical data, states with a grade of C are three times more likely to experience a breach or incident as compared to those with an A rating. Those with a D are nearly five times more likely to experience a breach, the rater said. Among states and territories, there are as many with F ratings as there are those with an A rank.
Some states that could ultimately determine the election, including Florida, Georgia and Nevada, scored a C while Iowa and Ohio both scored a D, the data showed. On the other hand, Michigan, a key battleground state, scored an A and five other swing states, including Arizona, North Carolina, Pennsylvania, Texas and Wisconsin, were rated a B. Kentucky and Kansas joined Michigan with the three highest scores, while the three lowest rated states were North Dakota, Illinois and Oklahoma.
While some states have built a strong cybersecurity profile, the majority need to make “major improvements,” said Alex Heid, SecurityScorecard’s chief research and development officer. “The IT infrastructure of state governments should be of critical importance to securing election integrity,” he said. Held called upon the Department of Homeland Security, political parties, campaigns and state government officials to closely monitor state voter registration networks and web applications to mitigate cyber attacks.
In a worst-case scenario, attackers could remove voter registrations or change voter precinct information or make crucial systems entirely unavailable on election day through ransomware infections.
A number of states scored considerably lower since January, a finding the researcher attributed to the coronavirus (COVID-19) pandemic. In addition, the increasing number of remote workers on home Wi-Fi networks has made it more challenging for employers to update system software. “The pandemic has brought significant challenges to states with many facing hiring freezes and significant budget deficits. States cannot do this alone,” the report said.
SecurityScorecard offered four best practices for states to improve voting system cybersecurity:
- Create dedicated voter and election-specific websites under the domains of the official state domain, rather than using alternative domain names which can be subjected to typosquatting.
- Deploy an IT team specifically tasked and accountable for bolstering voter and election website cybersecurity, defined as confidentiality, integrity, and availability of all processed information.
- States should establish clear lines of authority for updating the information on these sites with no single individual able to update information without a second person authorizing it.
- States and counties should continuously monitor the cybersecurity exposure of all assets associated with election systems, and ensure that vendors supplying equipment and services to the election process undergo stringent processes.