Election security groups are sounding the alarm about emailed ballots ahead of the November midterm elections, warning in a new report that PDF and JPEG ballot attachments sent to election officials could be exploited by hackers.
The organizations, including watchdog group Common Cause, issued a report Wednesday that found election workers who receive emailed ballots are at risk of clicking on unsafe attachments, sent from unknown sources, that could contain malware.
{mosads}”In jurisdictions that receive ballots by PDF or JPEG attachment, election workers must routinely click on documents from unknown sources to process emailed or faxed ballots, exposing the computer receiving the ballots — and any other devices on the same network — to a host of cyberattacks that could be launched from a false ballot laden with malicious software,” the report says. “An infected false ballot would enter the server like any other ballot, but once opened, it would download malware that could give attackers backdoor access to the elections office’s network.”
The Association for Computing Machinery’s Technology Policy Committee, the National Election Defense Coalition and the R Street Institute were among the report’s co-authors.
Experts from both the private and public sector have warned about the vulnerabilities of online voting for years, but the report comes at a time of heightened alarm about election interference from hostile nation-states or cyber criminals.
Trump administration officials have said that Russia targeted election-related systems in 21 states leading up to the 2016 presidential election. They have also maintained that hackers did not target systems involved in vote-tallying, and that there is no evidence any vote tallies were changed.
At least 100,000 people voted online in 2016, according to data collected by the U.S. Election Assistance Commission.
Hackers could attempt to damage or disrupt elections through internet voting through server penetration, client-device malware, distributed denial of service attacks or disruption attacks, according to Wednesday’s report.
“Receiving ballots by email or fax can also expose a state or county election system to systemic election system attacks,” the report says. “Sophisticated attackers can spoof a legitimate voter’s emails and use fake ballots to deliver malware that can be used to gain entry into county or state election infrastructure.”
Agencies and entities like the Department of Homeland Security and the National Association of Election Officials have not provided sufficient guidance for workers who are dealing with emailed ballots, according to the report, which recommended that election administrators ensure that computer networks being used to receive ballots are not connected to the voting machine network, in the event they fall victim to a spear-phishing attack.
And if they receive a ballot by electronic means, administrators should print them out for counting “and not electronically transmitted to the [Election Management System] for tallying,” the report recommends, while also calling for voters to instead mail in their ballots or print out copies of electronically submitted ballots.