By Khalida Sarwari
The U.S. government is expected to announce a new program next month intended to shore up voter registration databases against ransomware attacks ahead of the 2020 presidential election. That’s a good start, says Northeastern professor Engin Kirda, who studies network security.
But it’s not enough.
Ransomware is a type of malware that threatens to release an individual or organization’s data on a computer or blocks access to it unless a ransom is paid. Hackers have perpetrated coordinated ransomware attacks in dozens of municipalities across the U.S.—including 23 cities in Texas last month—targeting the systems of local governments.
While much of the voting process is conducted with paper ballots, voter registration systems, which are used to validate the eligibility of voters, are typically maintained online because they’re frequently updated. Intelligence officials worry that those systems could be targets for ransomware attacks in 2020. So the Department of Homeland Security is creating a program that will allocate more resources toward countering ransomware-style cyberattacks.
Intelligence officials as well as former Special Counsel Robert Mueller’s office have said that Russian hackers breached voter registration databases in Arizona and Illinois in 2016.
“You need to secure these systems; you need to harden them,” says Kirda, a professor who holds joint appointments in Northeastern’s Khoury College of Computer Sciences and College of Engineering. “I think they’re taking this seriously. Maybe they’ll give the states more money; maybe they’ll provide more FBI support, maybe NSA support. The know-how is there. I would say it’s a lack of resources, and where to invest these resources.”
Citing current and former U.S. officials, Reuters reported last week that the program is meant to help state election officials prepare for a ransomware scenario. The program uses educational materials, remote computer penetration testing, and vulnerability scans. Officials will also be provided with guidelines on how to prevent and recover from such attacks.
Because every state and jurisdiction has its own computer network, one challenge will be to determine how to secure each one of those systems, says Kirda. But in general, electronic systems are problematic, he says, because they have been shown to be vulnerable to manipulation, and prone to errors and malfunctions.
“As automation becomes increasingly popular, e-voting systems are increasing in popularity as well because they promise to make things easier,” he says. “However, automation also means that there is a higher risk of exploitation and manipulation.”
What is easier to do, he adds, is to use information leaked from voter databases “to launch disinformation campaigns against voters.”
In the world of cyberattacks, while ransomware is a serious problem, Kirda suggests that there are even more serious problems such as targeted, stealthy attacks that remain below the radar, and are not detected for a long time. The damage caused by such attacks can be “unfathomable,” he says.
Looking ahead to the 2020 election, Kirda is also concerned about the influence of fake news and disinformation attacks by domestic and foreign sources. Much of the fake news that pervaded the internet during the 2016 election season consisted of articles, photos, and videos that promoted false information or spread conspiracy theories.
While some federally funded research initiatives aimed at targeting the deployment of misleading or false information have been introduced since then, these problems are not nearly getting the attention—and resources— they deserve, he says. He is working with other researchers at Northeastern to gain a better understanding of fake news in order to help people learn how to detect it.
“As a part of our research, we’re actually trying to answer the question: Why do people fall for fake news? How do they typically verify the source of the news? It’s very tough,” he says.
Likening the fight against cybercrime to policing a city, Kirda suggested there is no fool-proof defense yet against cyberattacks and disinformation campaigns. Even banks, which have some of the most impenetrable systems and networks, find themselves grappling with the problem.
“You’re not going to get rid of crime, right? You need the police,” he says. “But if you have less crime, or you have more sophisticated crime, in a way that’s a good thing. It means that your police is actually doing good work. Right now we just have lots of easy crime going on. It’s like the Wild West a little bit.”