Election results websites have capacity to create ‘noise’
The public will depend heavily on the websites where local and state election officials start posting unofficial vote totals Tuesday night to see which candidates are winning and losing, but those sites remain prone to potential disruptions that could create confusion about the election, a founder of an ethical-hacking firm told StateScoop.
Election and cybersecurity officials have issued ample warnings that results-reporting websites could be targeted by ransomware, defacement or distributed-denial-of-service attacks — or buckle under surges of legitimate network activity. But the best option for voters is to “tune out the noise,” said Casey Ellis, the founder and chief technology officer of Bugcrowd.
“My exhortation to people has been that if you want to vote, turn your blinkers on and vote,” he said in a phone interview.
Despite the many investments that states and counties have made in their election infrastructure over the past four years, Ellis said there are still great disparities in how well-protected results sites are from jurisdiction to jurisdiction.
“My general assessment is that they’re incredibly fragmented, as are a lot of the election systems,” he said. “These systems aren’t in the critical part of the voting infrastructure itself. But especially this year, their capacity to be leveraged to create uncertainty or even affect turnout, those are the sorts of concerns I’d have from a threat standpoint.”
Indeed, many county election offices around the country still do not employ two features that would bolster their websites — hosting on the federally administered .gov top-level domain, and using HTTPS, an encrypted protocol that protects data from being intercepted — according to research published last month by McAfee.
But it’s also the public’s reliance on results websites that heightens the risk for disruption, Ellis said.
“With election night reporting systems you’ve got not only the individual or unique systems of the state, you’ve got individual consumers in radio stations and TV stations and everyone else,” he said.
The vote totals that will be posted on these websites beginning Tuesday night are unofficial and incomplete, and election officials have stressed in recent days that no state completes its counting on Election Day. Results are not official until audited and certified, which often comes weeks after Election Day.
But Ellis said there have been signs of improvement. He credited in particular the advisories, risk assessments and other services provided to state and local officials by the Cybersecurity and Infrastructure Security Agency. CISA also recently launched a new page, Rumor Control, aimed at batting down common misconceptions about election administration, which includes a reminder that results reported on election night “are always unofficial and are provided solely for voters’ convenience.”
Ellis also has a stake in helping states improve the security of their election-related websites. His company recently partnered with Iowa Secretary of State Paul Pate to launch a vulnerability disclosure policy to give legal liability protections to researchers who find and report flaws in websites operated by Pate’s office.
“This is an issue of trust and technology for the things we hold most important,” Ellis said. “The whole idea of being able to report security issues or things that are a potential threat to yourself or your family as a voter, I think that’s a logical thing to do.”