Risk Assessment of Internet-Facing Infrastructure Finds Areas for Improvement Include Out-of-Date Operating Systems and Email Phishing Protections

VIENNA, VA, Sept. 10, 2019 – A new Black Kite cyber risk assessment of the election commissions for 50 states, the District of Columbia, and five U.S. territories finds that many commissions are focused on quickly adapting and updating their cybersecurity; however, commissions still need to dedicate resources to updating outdated operating systems and protecting their email domains from being spoofed.

The Black Kite report, which examined more than 100 items, focused on the broader picture — the internet-facing infrastructure that supports state election processes. Using the approach recommended by the Center for Internet Security (CIS) Handbook for Elections Infrastructure Security, Black Kite examined Network Connected Systems and Components that are exposed on the internet. Black Kite did not review the use of, nor the cyber hygiene for, voting machines; nor does the scope of the report include county voting infrastructure.

Black Kite conducted two risk assessments (July and August) of 56 election commissions and Secretaries of State (SoS) to identify the publicly available information that hackers could exploit to conduct an attack. After the first assessment, Black Kite privately provided its findings in July to the SOS and election commissions in order to empower them with the information needed to remediate vulnerabilities. Black Kite ran a second scan in August and found significant improvement in the security posture of several election commissions.

During the July assessment, 27 commissions received a C grade or worse with all commissions averaging a D- for the management of security and other update patches for their operating systems. Black Kite’s second scan in August found that 43 of 56 commissions earned an A or B for their security posture. Black Kite will continue to conduct monthly assessments and provide updates on progress at the state level.

“Limited resources coupled with the responsibility for a highly-attractive threat vector provide significant challenges to those responsible for the U.S. election infrastructure,” said Bob Maley, CSO of Black Kite. “With a little more than one year before a Presidential election, our nation’s election commissions still have the opportunity to secure their Internet-facing infrastructure to prevent hackers from finding a back door to a wide variety of critical data that includes voter registration data.”

Key findings from the Black Kite report include:

  • Use of Outdated Operating Systems – More than half of election systems use Windows Server 2008 r2 and Microsoft IIS 7.5 where Windows Server 2019 and Microsoft IIS 10.0 are available. Four commissions even use Windows Server 2003. Windows 2003 is an example of a legacy system that is no longer supported by its manufacturer. The U.S. Dept. of Homeland Security Cyber+Infrastructure Security Agency (CISA) sent out an alert that Windows 2003 would no longer be supported by Microsoft, including for automatic fixes, updates, or online technical assistance.
  • Susceptibility to Phishing — DMARC Records are essential to prevent spoofing attacks through email. DMARC prevents hackers from sending emails that look like they from a legitimate organization. However, 59% of commissions had missing DMARC records. In addition, more than 40% of the election commissions have at least one website with an invalid or expired SSL certificate. Adversaries can leverage this lack of security to penetrate websites.
  • Botnet and Spam Attack Risks — If a digital asset of an organization becomes a part of botnet or spam propagation, the organization’s IP addresses are listed in publicly available blacklists. Almost one third of the election commissions have at least one asset that is reported by blacklist databases

What Can Election Commissions Do?

In the short term, vulnerabilities and potential attack vectors on highest-risk systems have to be monitored on a real-time basis and addressed as they are discovered. In the long term, political leaders need to understand the complexity of the IT systems that have been put in place and support significant financial resources for technology and staffing to allow the CISOs and SOSs to stay ahead of hackers.

States can improve their understanding of what systems truly represent the most risk by becoming more aware of their cyber ecosystem footprint. Risk is not just present at the level of the Secretary of State’s website; but throughout the entire election ecosystem, which includes all of the underlying supporting infrastructure (and third-party services connected to and supporting that infrastructure).

However, awareness doesn’t create security. Critical infrastructure must be upgraded, patched, and replaced to give U.S. elections the best opportunity to remain secure.

Get the full report: The Cyber Hygiene Report

About Black Kite 

Black Kite enables enterprises to assess, prioritize, and address the third-party cyber risk of any company, located anywhere, within 60 seconds. Using easy-to-understand scorecards, we provide standards-based letter grades on various risk categories, along with data on how to mitigate each risk in priority order. Black Kite provides the speed, standards, and substance needed to combat the newest risks and threats facing organizations today. 

Learn more at www.blackkite.com.