As Election Day approaches, the threat of a cyberattack jeopardizing the reliability of vote counts — the overwhelming majority of which are backed up with auditable paper trails — remains hypothetical.
But the rising trend of ransomware, in which criminals freeze victims out of networks and, increasingly, steal data as well, does raise the risk of attacks on election infrastructure that could delay the tallying and verifying of votes or cause other types of confusion that influence campaigns aimed at attacking trust in the integrity of the results could seize upon, cybersecurity experts say.
"The scenario that worries local election officials is that their data is encrypted, causing a delay that a disinformation campaign could use to say, 'Hey, you can't trust these results,'" said Allan Liska, threat intelligence analyst at the private cybersecurity company Recorded Future Inc.
Attackers linked to the Russian government targeted election systems in all 50 states in 2016, probing for vulnerabilities to potentially exploit and, in Illinois, putting themselves in position to change or delete voter database records, according to a July 2019 report from the Senate Intelligence Committee. The Kremlin-backed Internet Research Agency also set up organized campaigns to spread disinformation to millions of American voters on Facebook, Twitter and Instagram in the runup to the election, according to a 2019 report released by special counsel Robert Mueller.
U.S. authorities have warned local election officials that Russia and other nations plan to interfere in the 2020 elections as well, including by trying to sow doubt in the legitimacy of the results. At the same time, local governments in recent years have been some of the top targets of ransomware hackers, who have found a sweet spot of victims willing to pay more and more to access frozen computer networks or retrieve stolen data.
"Where ransomware fits in is as a tool to complement the disinformation campaigns that are already running," said Ed McAndrew, a cybersecurity partner at DLA Piper and former federal cybercrime prosecutor.
"The biggest concern is that someone could execute a ransomware attack in or around Election Day that can function as 'perception hacking,' and make people believe that voting systems are down or that the data is not reliable," McAndrew said. "Targeted attacks that cause outages or delays in reporting vote tallies in battleground states could inflict significant damage."
Most ransomware attacks come from cybercriminals who primarily seek financial gain and are not sponsored by nations, cybersecurity experts say, but the distinction between those backed by foreign governments and those with no national allegiance has become increasingly murky, as both groups often use the same methods.
The pace of ransomware in general has exploded since the last presidential election in 2016, and in particular in 2020 as more employees work remotely during the COVID-19 pandemic. Analysts from IBM, for example, reported last month that they responded to more than triple the number of such incidents between April and June than in the previous quarter.
One eyebrow-raising episode occurred in September, when Texas-based Tyler Technologies Inc., which sells software that cities and states use to display election results, announced that it had been hit by ransomware. And more recently the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, or CISA, and the FBI warned Thursday that a Russian state-sponsored hacking crew has targeted "dozens" of state and local U.S. governments since September as part of a campaign that has successfully nabbed data from at least two victims.
Earlier in October, the same authorities warned that organized teams of "advanced persistent threat" cyberattackers have targeted the election ecosystem. CISA said it "is aware of some instances where this activity resulted in unauthorized access to elections support systems," but with "no evidence to date" that attacks compromised the integrity of elections data.
"What we've seen in recent weeks certainly paints the picture that ransomware presents a real threat to election systems," said Mark Ostrowski, the East Coast regional director of engineering at cybersecurity company Check Point Software Technologies Ltd.
The systems most threatened by a potential ransomware attack or other malicious cyberactivity are related to "not the voting process itself, but everything that surrounds it," Ostrowski said. "They'll be thinking of ways to take advantage of any device that is part of the election process and to create a disruption during a window that is critical to the credibility of state and local governments."
Other cybersecurity professionals noted that attacks on the state and local governments that handle election results would likely have limited "scalability" in the long run, unless they are combined with election-related disinformation campaigns spreading quickly online.
"Nothing can scale faster than something that can be distributed through the media," said Michael Rezek, vice president of cybersecurity strategy at the IT network intelligence company Accedian. "That presents a greater threat than something that can be done through cyberattacks alone."
--Editing by Jill Coffey and Brian Baresch.
For a reprint of this article, please contact reprints@law360.com.
