Many of the thousands of county and local election officials who will be administering November’s presidential election are running email systems that could leave them vulnerable to online attacks, a new report has found.
Cybersecurity vendor Area 1 Security Inc. tracked more than 12,000 local officials and determined that over 1,600 used free or nonstandard email software that often lacks the configuration and management protection found with large cloud-service providers. More than half of the officials used email systems with limited protection from phishing attacks, Area 1 said. The findings underscore problems with the country’s diverse, locally administered election system that attracted the attention of state-sponsored hackers four years ago.
In 2016, Russian hackers targeted dozens of election systems in the U.S. and breached two counties in Florida. And while security officials and election officials say that much has been done to improve the security of these systems, email could be another avenue of incursion, especially for attackers looking to disrupt or undermine confidence in the November election, according to Oren Falkowitz, Area 1’s chief executive.
Often, all it takes for a cyber intrusion is a single software bug or misconfigured system, Mr. Falkowitz said in an interview. “When you run your own service and you don’t partner with someone to professionally manage it, it means you have to be perfect every single day,” he said. “That’s really hard.”
Area 1 found that officials in six small jurisdictions in Michigan, Missouri, Maine and New Hampshire, for example, were using a buggy version of a free software product called Exim, which has been linked to online attacks conducted by the Russian intelligence service known as the GRU. In May, the National Security Agency warned that this version of Exim had been targeted since 2019 in online attacks by the GRU.
An NSA spokesman declined to comment.
There is a range of systems used by election officials that could be hacked, all with varying results. The most sensitive of all are the vote-registration, tallying and reporting systems that are critical to election night. Then there are the computers and servers, such as email servers, used by the election officials for their day-to-day business.