By Steve Grobman, CTO, McAfee
With Election Day set to begin there are any number of methodologies cybercriminals, nation-state actors or any hacker could use to disrupt the U.S. election. Here is one possible scenario.
A malicious actor, foreign or domestic, could take advantage of the lack of .gov validation and SSL protection to spread misinformation in such a way that voters seeking information from official county websites could be presented false election information.
One or two days prior to the election, malicious actors could set up hundreds of bogus county websites that use .com, .net or .org domain names, rather than the official U.S. government-validated .gov domain names.
The actors could use the plethora of voter information already available for purchase on Dark Web marketplaces to send thousands of misinformation email messages to specific voters associated with a political party or demographic groups that could influence the vote in critical battleground counties.
These email messages could provide recipients “reminders” of where their voting locations are located, and provide them incorrect addresses. Or, the messages could direct voters to the bogus websites and provide this false location information.
Similarly, the lack of SSL protection on established county websites would make it possible for voters to be presented with false information when they are browsing to legitimate websites. This data tampering is possible through a wide range of cyber-attack techniques that SSL was designed to protect against.
Whatever the approach by the hackers, the incorrect voting location addresses could send voters to the wrong official voting locations so that when they arrive there on Election Day, they are not eligible to vote there. Or, the incorrect addresses could send them to locations where there are no voting stations at all.
Because these bogus websites and emails would appear just a few days before the election, thousands of voters in key battleground counties and districts could receive false information that confuses, misinforms, and misdirects their efforts to vote.
Furthermore, because these bogus websites and misinformation emails would appear just 1-2 days before the election, it would be impossible for states and counties to detect and take action to correct the confusion before a substantial and perhaps pivotal number of votes have been essentially suppressed.
Detection of misinformation emails directing users to a false election sites would be a clear sign of election tampering. Tampering based on attacks that utilize lack of SSL would be much more difficult to detect and likely would not be detected at all.
Taken together, the combination of the lack of .gov domain validation and SSL protection on county websites, provides bad actors a wide range of options to present false information to voters.
What we need to do from this point forward is move to a model where all official government websites use .gov based domains such that clear guidance can be given to the general public to only trust .gov domains. Unfortunately, this is something we’re not able to do in 2018.