Majority of county election websites in 20 key swing states use non-.gov domains

Many county election websites also found to be lacking HTTPS support.

Election hacking: getting the words right Cyber defense requires public and private cooperation, as Niloofar Howe of RSA Security explains lessons from the 2016 election with ZDNet's Tonya Hall.

The vast majority of county election websites in 20 key swing states use commercial top-level domains such as .com, .net, and .us rather than the government-validated .gov, making them vulnerable to easy attempts of identity spoofing, a recent report from US-based cyber-security firm McAfee revealed.

"Our study focused primarily on the swing states, or the states that were most influential in the election process, and thus the most compelling targets for threat actors," said Steve Grobman, CTO of McAfee.

"Our findings essentially revealed that there is no official U.S. governing body validating whether the majority of county websites are legitimately owned by actual legitimate county entities," Grobman added

He argues that there's nothing stopping a threat actor from registering a commercial domain with a similar name to the legitimate non-.gov election site and using it to spam locals with incorrect information related to voter eligibility requirements, early voting schedules, deadlines to register, voting hours, and other critical information, and potentially influencing elections in disputed counties.

Spamming local voters is a real threat because most voter records include email addresses, are openly available in many states, and if they're not, threat actors can purchase them off hacking forums for small fees.

The McAfee CTO says that securing county-level election websites should be a critical task because "county websites are typically the first place a citizen would go to look up information," and hence, should be among the best protected against tampering or foreign influence campaigns.

The first to place to start would be the use of official .gov domains, which would legitimize local county election websites, a practice that few counties currently follow, according to McAfee's findings.

Following its investigation, the cyber-security firm says that it found the states with the largest percentage of county election websites running on non-.gov domains were Minnesota (95.4%), Texas (95%), Michigan (91.2%), New Hampshire (90%), Mississippi (86.6%), and Ohio (85.9%).

On the other side of the spectrum, the state with the largest percentage of county election sites with .gov domains was Arizona, but the percentage was small --only 66.7%.

election-websites-mcafee-investigation-results.png
Image: McAfee

McAfee found similarly bad percentages when it also inspected the county election websites for the use of HTTPS, a core technology that prevents third-party observers from snooping or modifying traffic between a user and the election website.

McAfee said that of all the 20 swing states it analyzed, Maine had the most county election websites that used HTTPS, approximately 56.2%.

West Virginia (92.6%), Texas (91%), Montana (90%), Mississippi (85.1%), and New Jersey (81%) were the states that had the largest percentage of county election sites still loaded via the insecure HTTP protocol, a technology that most browsers will soon mark "Not Secure" in the future.

These two factors --lack of use of .gov domains and HTTPS-- put US elections in real danger, Grobman argues.

"Influencing the electorate through false communications is more practical, efficient and simpler than attempting to successfully hack into hundreds of thousands of voting machines," Grobman said. "Such a scenario is much easier to execute than tampering with voting machines themselves, and it scales to achieve the broad election objective any malicious actor might desire."

"While it might be difficult to pass a federal law that would mandate things like .gov naming standardization or utilizing SSL protection, an organization like the U.S. Department of Homeland Security could take a leading role by recommending these best practices," Grobman said.

However, passing around DHS security advisories won't help, as there are also other factors at play.

"The root cause of these sites' insecurity are increasingly strapped budgets that prevent government organizations from replacing legacy systems and machines with new ones or making needed updates. When it comes to budget cuts, county governments feel the pinch the most," Mike Bittner, Digital Security & Operations Manager of The Media Trust, told ZDNet in an email.

Fortunately, cyber-security firms, including McAfee, have been stepping up lately, many providing free services to election officials.

RELATED COVERAGE: