More than half of U.S. election officials could be vulnerable to email phishing scams

With less than 100 days left until what's likely to be one of the most contentious and consequential presidential elections in modern history, experts are tallying up the potential for interference.

Not only is the incumbent deliberately setting up the election as compromised before it begins, baselessly casting doubt on the integrity and security of mail-in voting (despite using it himself), but there are actual real-life vulnerabilities to be concerned about too.

A new report from cybersecurity provider Area 1 reviewed the emails of over 12,000 U.S. election administrators, who manage election processes that vary hugely from state to state, as part of a highly decentralized national network — creating what the official report describes as, in a partially-censored sentence, "a cluster[redacted] of vulnerability."

The report raises concerns that significant numbers of state and local administrators are potentially vulnerable to email phishing attacks that could give hackers access to systems involved in the running of elections.

The report found:

The majority (53.24 percent) of state and local election administrators have only rudimentary or non-standard technologies to protect themselves from phishing

Less than 3 out of 10 (28.14 percent) election administrators have basic controls to prevent phishing

Less than 2 out of 10 (18.61 percent) election administrators have implemented advanced anti-phishing cybersecurity controls.

As reported by the Wall Street Journal, officials in some counties were also using email clients that have been targeted by hackers in the past.

Some use non-enterprise email clients "designed for personal use," or worse, their own personal email addresses. Others, including officials in Michigan, Maine, Missouri, and New Hampshire, run their own custom servers on a version of mail transfer agent Exim with a critical vulnerability that's been targeted by hackers linked to Russian intelligence.

Addresses in some cases also have slightly less-than-official vibes, like "haveknifewilltravel" and an Indiana county network admin nicknamed "nigerian-prince." Cute.

The report's careful not to condemn the administrators themselves for the vulnerabilities, praising them for doing the work to keep the wheels of democracy turning. But, as the executive summary notes, the data "does reveal that diffuseness and complexity in election administration does nothing to ensure elections are free from cyberattacks" and that's a lot of little holes to patch. We know we have the tools to fix these things and make elections more secure — but counties need enough funding to facilitate voting both safely and securely during a pandemic and a tense political climate.

“The biggest danger in my view is not actual vote changing,” former White House cybersecurity official J. Michael Daniel told the WSJ. "That’s actually really hard to do at scale in a way that would actually have a significant impact. But what you would be concerned about is undermining people’s confidence. It starts to raise these questions about what you can trust."

Florida systems were breached in 2016, and Microsoft has also reported that it had blocked hacking attempts on three congressional candidates in the 2018 midterms. President Trump earlier this year took credit for an attack on a Russian troll farm on the day of these midterms, and there were been multiple reports of hacking attempts that year, successful or otherwise, on candidates and county networks from California, Missouri, and Florida. There have also been hacking attempts on both the Trump and Biden campaigns this year.

Elections administrators who are concerned by the report are being urged to contact Area 1 for more details. And the report's #1 recommendation for the 2020 election? "Vote!"