FBI, CISA warn of threats to election systems that could compromise voters’ PII
U.S. federal law enforcement and cybersecurity agencies issued a warning to election officials at all levels across the nation to be aware of the potential for insider threats during the 2024 election cycle that could compromise election officials and voters’ personal information in an effort to disrupt election processes and/or to spread false information in an attempt to discredit the electoral process and undermine confidence in U.S. democratic institutions.
The warning was made in the document, 2024 U.S. Federal Elections: The Insider Threat, that was issued by the Federal Bureau of Investigation (FBI) in coordination with the Department of Homeland Security’s Office of Intelligence and Analysis, the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Election Assistance Commission.
“Adversaries may attempt to blackmail or coerce an insider to leverage the insider’s access, collect insights on election security efforts and vulnerabilities, or direct the insider to perform malicious activity,” the document says.
“Prior to initiating contact,” the document cautions, “the foreign adversaries likely would collect information on the target to uncover anything they could use for blackmail or coercion. The type of information could include financial debts and potentially embarrassing or illegal activity.”
In addition, the advisory warns that “if an adversary gained access through an insider to election systems in a particular jurisdiction, such activity could expose voters’ personal information, hinder voters’ ability to access accurate information on election day or render these systems temporarily inaccessible to the public or election workers, all of which could slow, but would not prevent, voting or the reporting of results.”
CISA has stated that “voter registration databases are rich targets and may be an attractive target for computer intrusions.”
According to the National Association of Secretaries of State, all states collect the name, address, and certain Personally Identifiable Information (PII) of citizens who register to vote that includes full or partial social security number, drivers’ license number, and/or state ID number. Some states also collect political party affiliation, phone number, email address, voting history, and/or voting method.
The majority of states’ election infrastructures depend on and are intimately integrated with their voter registration systems, which is why the U.S. Election Assistance Commission says “safeguarding voter registration data is a multifaceted effort that involves both technical and procedural measures.”
The alert pointed out that “over the past several years, the election infrastructure community has experienced multiple instances of election system access control compromises conducted by insider threats. While there is no evidence that malicious actors impacted election outcomes, it is important that election stakeholders at all levels are aware of the risks posed by insider threats and the steps that they can take to identify and mitigate these threats.”
The Office of the Director of National Intelligence’s National Counterintelligence and Security Center had warned in 2019 that “foreign intelligence entities are … conducting malicious influence campaigns using cyber operations, media manipulation, covert operations, and political subversion to sow divisions in our society, undermine confidence in our democratic institutions, and weaken our alliances. Foreign threat actors have become more dangerous because, with ready access to advanced technology, they are threatening a broader range of targets at lower risk.”
The MITRE Corporation noted in its November 2019 report, Recommended Security Controls for Voter Registration Systems, that “voter registration databases are of particular interest to sophisticated adversaries.”
James Turgal, Vice President of Global Cyber Risk and Board Relations at Optiv, has also warned that the internal databases of political campaigns are at risk. “Campaigns are made up of senior policy officials and tens of thousands of volunteers that don’t know much about cyber, and they have access to a lot of sensitive information,” he told Security Info Watch last week.
Also last week, CISA – in conjunction with the FBI, U.S. National Security Agency, the Australian Signals Directorate’s Australian Cyber Security Centre, and international partners – released the guide, Best Practices for Event Logging and Threat Detection, to assist organizations in defining a baseline for event logging to mitigate malicious cyber threats.
CISA said public and private sector senior IT decision makers, operational technology operators, network administrators, network operators, and critical infrastructure organizations should “review the best practices in the guide and implement recommended actions,” which it said “can help detect malicious activity, behavioral anomalies, and compromised networks, devices, or accounts.”
CISA has warned that:
- Phishing attacks can lead to credential theft (e.g., passwords) or may act as an entry point for threat actors to … steal voter information;
- Injection flaw attacks typically are done “to obtain information contained inside a voter registration database”;
- Cross-site scripting vulnerabilities can give the attacker unauthorized access to voter information; and that
- Server vulnerabilities may be exploited to allow unauthorized access to sensitive information.
CISA said “access control systems should apply the principle of least-privilege, giving individuals access only to systems required to perform their essential functions. Digital access controls grant access only to necessary systems, assets, data, or applications related to an individual’s job or function. In both cases, access logs, control forms, and surveillance video provide auditable records of who accessed a physical or digital asset, as well as when it was accessed. Overall, access control systems prevent any one individual from gaining entry to all assets within an organization and reduce potential harm to physical or digital systems. If an incident is suspected, access logs and control forms can help with post-incident investigations and even serve as evidence.”
Further, CISA said, chain of custody procedures will track the movement and control of physical and digital assets by documenting each time an asset is handled or transferred and who was responsible for it. “This can help prevent unauthorized access to sensitive systems, detect the presence of an insider threat, provide evidence, and improve remediation time if an incident occurs,” the agency said. “It produces an auditable record of an asset’s transfers and transactions, enabling detection of a potential threat if there is a gap in the chain.”
“Establishing and maintaining necessary standard operating procedures, access controls, zero trust security, and chain of custody procedures are necessary facets of election administration,” CISA emphasized.
CISA also urges the use of Zero Trust Security, an approach that assumes that a breach has or will occur and verifies each request as though it is unauthorized. A zero trust approach explicitly verifies every request for access, regardless of where it originates or what resource it accesses.
“Many digital systems now include zero trust security features that can be turned on, such as always requiring users to enter their password rather than storing it in the device’s memory,” CISA pointed out, adding that “election infrastructure stakeholders may also consider procedures like implementing the ‘two-person rule’ or working in bipartisan teams when accessing sensitive resources.”
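The chain-of-custody gap detection and the two-person rule that CISA describes above can be checked automatically over a transfer log. The following is an added example, not taken from the CISA guidance or the advisory; the record fields, the asset ID and the custodian names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample custody log for one asset (not real data).
# Each entry records when the asset changed hands, who released it, who
# received it, and the second person who witnessed the transfer.
SAMPLE_LOG = [
    {"asset": "EPB-0001", "time": "2024-10-01T08:00",
     "released_by": "warehouse", "received_by": "alice", "witness": "bob"},
    {"asset": "EPB-0001", "time": "2024-10-01T17:30",
     "released_by": "alice", "received_by": "carol", "witness": "dave"},
    # Gap: carol held the asset last, but erin is recorded as releasing it.
    {"asset": "EPB-0001", "time": "2024-10-02T09:15",
     "released_by": "erin", "received_by": "frank", "witness": "bob"},
    # Two-person rule violation: the receiver is also the witness.
    {"asset": "EPB-0001", "time": "2024-10-02T18:00",
     "released_by": "frank", "received_by": "alice", "witness": "alice"},
    # Out-of-order timestamp: earlier than the previous transfer.
    {"asset": "EPB-0001", "time": "2024-10-02T12:00",
     "released_by": "alice", "received_by": "warehouse", "witness": "dave"},
]


def audit_custody(log):
    """Return a list of (entry_index, finding) tuples for one asset's log."""
    findings = []
    holder = None      # last recorded custodian
    last_time = None   # timestamp of the previous transfer
    for i, entry in enumerate(log):
        when = datetime.fromisoformat(entry["time"])
        # The person releasing the asset must be the person who last received it.
        if holder is not None and entry["released_by"] != holder:
            findings.append(
                (i, f"gap: released by {entry['released_by']}, last holder was {holder}"))
        # Transfers must be recorded in chronological order.
        if last_time is not None and when < last_time:
            findings.append((i, "timestamp earlier than previous transfer"))
        # Two-person rule: a witness distinct from both parties must be present.
        witness = entry.get("witness")
        if not witness or witness in (entry["released_by"], entry["received_by"]):
            findings.append((i, "two-person rule: no independent witness"))
        holder, last_time = entry["received_by"], when
    return findings


if __name__ == "__main__":
    for idx, finding in audit_custody(SAMPLE_LOG):
        print(f"entry {idx}: {finding}")
```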
To enhance the U.S. election system’s resilience against insider threats, cybersecurity authorities say biometric technology can play a significant role. They strongly urge the following:
- Utilize biometric identification services provided by DHS and its Office of Biometric Identity Management to strengthen security measures and protect election integrity;
- Implement transparency and oversight for AI tools within election offices to ensure their utility and avoid harm;
- Collaborate with federal entities such as CISA, FBI, and Election Assistance Commission to prepare and address potential insider threats in the lead-up to elections.
By doing these things, the election system can be reinforced and the risk of insider threats undermining the election process can be significantly reduced.