Election offices should take note of a cyber attack last week on Stryker, a Michigan medical technology company. The attack is believed to have originated in Iran. It serves as a reminder that geopolitical conflicts can put digital targets, including election offices, in the crosshairs.
Why Election Officials Should Be Concerned
While this attack targeted a medical firm, Iranian-linked groups are believed to have been behind a number of cyber attacks on election offices, including the replacement of candidate photos on an Arizona campaign finance reporting system with a picture of Ayatollah Khomeini last June, as well as the “Enemies of the People” campaign encouraging harassment of election officials in 2020.
Loss of Access to Systems and Data
In the attack on Stryker, hackers took control of a system administrator account and used it to delete programs and data, erasing information not only on corporate systems, but even on the personal phones of many employees.
Cyberattacks, staff mistakes, weather events, and other mishaps can all lead to loss of access to election systems and data.
We don’t know exactly how hackers got into Stryker’s systems yet, but strong passwords and phishing awareness can often prevent such attacks before they start.
Voting systems should be “air-gapped”, meaning completely disconnected from the internet and from other government systems. Non-voting election systems, such as voter registration and e-pollbook systems, should sit behind their own firewall, separate from the rest of your government network.
Within those systems, apply the principle of least privilege: every staff member, vendor, and software application should have access to only what they strictly need to do their job, nothing more. For example, a vendor updating one system shouldn’t have a key to everything else. Limiting access this way means that if one account is compromised, the damage is more likely to be contained.
When ransomware hit Baltimore County, Maryland, many county systems were shut down for weeks, but election systems were back up within a day because they had been kept separate. Segmentation and least privilege work the same way. They may not stop every attack, but they can stop one breach from becoming a larger problem.
(Ransomware happens when hackers take control and change access, blocking the owners from their own systems. They request that the owner pay a ransom to regain access, but access is not always restored even if the ransom is paid.)
Always Have a Backup Plan
No county, big or small, wealthy or resource-constrained, can consider itself immune to loss of system access. A utility repair caused the loss of Virginia's online registration system on the final day of voter registration in 2020.
No office can prevent every disruption. The best protection is making sure you can recover quickly. Back up your data and software regularly, store them offline and offsite, and test restoration regularly.
The Situation Room focuses on real security incidents and threats in the news relevant to election security. To review previous issues, see the newsletter archive.