CISA has released a new cybersecurity checklist as a primer for an expected uptick in hacking ahead of the 2024 presidential election. At just four pages, it contains no surprises. The checklist is aimed primarily at counties and localities that likely have little or no specialized IT support to rely on, however, and it serves as a good summary of the critical basics for those overseeing election infrastructure who generally don’t spend much time thinking about computer security.
CISA cybersecurity checklist: MFA, segmenting and backups
CISA’s cybersecurity checklist is aimed primarily at election staff around the United States, a group often headed by election officials or boards that may well not have any particular technical knowledge. These are supported by a small army of short-term poll workers, the majority of whom are senior citizens, a demographic that also tends to lack awareness of cybersecurity best practices. All of these workers are vital to the election process, but they also represent potential points of entry into election infrastructure for ill-intentioned foreign hackers.
Chris Hauk, Consumer Privacy Champion at Pixel Privacy, adds: “Unfortunately, many members of election boards around the country are senior citizens, who may not be as tech savvy as younger users. I am not criticizing senior citizens for being involved in the election process. Heck, I am a senior citizen myself! Unfortunately, this means they are more susceptible to social engineering attacks, such as phishing emails and texts. This is why it is important for election officials to enable multi-factor authentication on every account, system, or app used by their election officials. IT personnel need to harden their systems against attacks, such as DDoS attacks, while also ensuring that backup and restore procedures are in place and are being followed. They also need to make sure that all of their outside contractors have similar safety measures in place.”
The cybersecurity checklist notes that network defenders possess the ability to shut down these attempts. The list is aimed at election security officials and IT teams and covers standard email protections, DDoS mitigation, more advanced ransomware defense measures, and critical backups.
In terms of email security, the cybersecurity checklist recommends MFA for all accounts and enabling Domain-based Message Authentication, Reporting and Conformance (DMARC). It also advises that election infrastructure staff be given updated training on the latest phishing techniques, and that email gateway filters be implemented to keep more of these messages from landing in inboxes in the first place.
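The DMARC recommendation is only effective if the published record actually enforces a policy and reports back to the domain owner. The following checker is an added example, not part of CISA’s checklist: it parses a DMARC TXT record and flags monitor-only policies, partial enforcement, permissive subdomain policies and missing aggregate reporting. The sample records and the county.example domain are constructed for illustration; a real check would first fetch the TXT record at _dmarc.<domain> via DNS.

```python
"""Assess a DMARC TXT record for the enforcement gaps a phishing defender cares about."""
from typing import Dict, List

ENFORCING = ("quarantine", "reject")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=reject; rua=...' into a tag dictionary (tag names lower-cased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # skip empty segments and malformed fragments
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return a list of findings; an empty list means the record is enforcing and monitored."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record is not a valid DMARC record (missing or wrong 'v=DMARC1' tag)"]
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"policy 'p={policy or 'missing'}' does not block spoofed mail; use quarantine or reject")
    pct = tags.get("pct", "100")  # RFC 7489 default: apply the policy to 100% of messages
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the mail stream")
    sub = tags.get("sp")  # subdomain policy defaults to 'p' when absent
    if sub and sub.lower() not in ENFORCING:
        findings.append(f"subdomain policy 'sp={sub}' lets lookalike subdomains be spoofed")
    if "rua" not in tags:
        findings.append("no 'rua' address: aggregate reports are never received, so spoofing goes unseen")
    return findings


# Constructed sample records (county.example is a placeholder domain, not a real record).
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@county.example",
    "partial": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@county.example; adkim=s; aspf=s",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name}: {assess_dmarc(rec) or ['OK']}")
```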
The cybersecurity checklist provides only very basic advice on DDoS mitigation, mostly redirecting readers to an existing CISA page on no-cost protection services such as Cloudflare. It does note, however, that election officials should have an alternative plan for disseminating information should their systems unexpectedly be taken down.
In terms of ransomware, the cybersecurity checklist recommends network segmentation, specifically never transferring election results over the business network. It also notes that Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) members have access to CISA-funded commercial endpoint detection and response (EDR) software at no cost. And it stresses the importance of a tested incident response plan, something that CISA also provides free resources to support (including virtual tabletop exercises).
CISA also offers free cyber hygiene vulnerability scanning to election infrastructure teams that provides weekly reports of all findings and ad-hoc alerts about specific and urgent risks (such as newly reported vulnerabilities).
Federal support to election infrastructure ramped up ahead of likely attacks
Potentially vulnerable election infrastructure includes voter registration systems, public-facing resources that provide information and updates on the process, and in some limited cases the voting machines themselves. Though the machines are supposed to be isolated from the internet, a 2020 investigation found that at least a small handful of voting systems have connectivity capability built into them.
Attempts on the election infrastructure have seemed to be relatively quiet thus far, at least as compared to the activity during 2016 and even 2020. That does not mean that state-backed hackers are not sniffing around for opportunities, however, or that they might make a big late push to deliver an “October surprise” of their own. The one big attack thus far has come from Iran, which is being charged with a breach of the email accounts of some Trump campaign staff. However, the FBI has said that the hackers also attempted to breach the Biden and Harris campaigns, seemingly looking to leak any inside information they could obtain. The FBI and CISA also released a PSA last week warning that Russia and other threat actors are likely to spread false stories about voter registration databases being hacked.
The Biden administration has accused the Russian government of election interference and had the Department of State publish a formal warning about it, but that package of actions focuses mostly on disinformation campaigns run by Russia Today (RT) leadership on behalf of the Kremlin. This included an indictment involving US publishing outlet Tenet Media, which employs a number of popular conservative commentators such as Dave Rubin and Tim Pool. Both the indictment and the commentators themselves state that the commentators were unaware that their funding, nearly ten million dollars, originated from RT; the money was provided to the Canadian owners, Lauren Chen and her husband Liam Donovan, in return for allowing RT employees to disseminate Kremlin talking points and to direct and edit the group’s video content.
On the cybersecurity checklist, Jeff Williams (co-founder and CTO at Contrast Security) notes that though the advice is very basic it is nevertheless a good compact primer that many are still in need of: “CISA has created yet another decent list of basic security practices. I hope they’re successful in getting the people that need it to read their guidance. When I wrote the OWASP Top Ten over 20 years ago, I thought we would gradually eliminate whole classes of vulnerability and raise the bar over time. But now it’s two decades later and the list hasn’t changed very much. So, I’m not sure that basic awareness is going to bend the curve. For what it’s worth, I wish the CISA list was clear about the threat model they envision. It’s not clear these practices will do much to slow down nation states and APTs. I would have liked to see more guidance on establishing strong authorization and accountability.”
Martin Jartelius, CISO at Outpost24, notes that the cybersecurity checklist will not help anyone that has not even begun to implement any of its measures at this point, but that it serves as a good reminder for election infrastructure officials to ensure that they’ve covered all possible bases in terms of defense: “This checklist from CISA is a good start as a guide to the more basic cyber security hygiene practices. MFA in place, no default passwords, and similar controls – these are of course prior well-established best practices and they have already been available to the key recipients in other forms, but it is a very sound list of recommendations. Additionally, it’s crucial for any contemporary cybersecurity infrastructure, especially those utilizing storage solutions, containers, or similar technologies, to secure its information storage and related services. If the system is scalable and automated, employing strategies that provide visibility into what is being exposed to the external environment is essential. It should also be noted that as stated, most of those things are well known. For anyone starting at the list from doing nothing, this is already too late – but it’s great to have a tool which enables organizations to ensure that indeed they are doing the right things with where they are currently spending their efforts.”