Elections Special Interest Group 

Democracy depends on free and fair elections. The digitization of voting machines and the general reliance on digital communications have introduced new digital threats complicating the election landscape. With the advent of the internet, digital communications have increased across all sectors creating a host of new vulnerabilities. Most major data breaches begin with social engineering designed to steal someone’s login credentials, generally executed through email. Compromises using these credentials then circumvent many of the high walls designed to keep attackers out because the credentials are in fact legitimate. Elections security in today’s context is so much more than the security of the voting systems—everyone involved in elections must now be equally engaged in Cybersecurity.

The Messaging, Malware and Mobile Anti-Abuse Working Group (M³AAWG) has spent over a decade dealing with problems related to messaging abuse. M3AAWG has brought together a community of experts and organizations that include the largest mailbox providers on the planet, social networks, cybersecurity professionals, vendors, law enforcement, policy makers and a cadre of highly dedicated individuals  donating their time and expertise to finding solutions to problems on a global scale. Over the years M3AAWG’s mission has continued to expand to cover other abuse vectors, many directly relevant to securing election systems. 

Numerous agencies have created best practices documents based on their unique expertise and focus. These documents span a wide variety of disciplines and address everything from the physical hardware used to cast votes to encryption methodologies and best practices for polling places.

Amongst the various guidance, there are a few key technologies that are consistently recommended that make a significant impact on preventing abuse and compromise of elections systems, key amongst them are the use and application of Multi-Factor Authentication (MFA), email authentication, and encryption. If there are two things elections officials, or their designates can do to secure the upcoming 2020 general election in the United States, and those abroad they should consider doing the following:

1. Mitigate the impact of stolen access credentials by using MFA across all of their systems and accounts related to elections work. MFA should also be deployed across personal social and communications accounts to ensure that a compromise of a personal account could not be used in a social engineering effort to dupe a colleague in hopes of gaining further access to more sensitive and protected systems.
2. Mitigate spear phishing and eavesdropping by securing email communications through signing and publishing email authentication records and enabling encryption in transit. Our society, both the private and public sector, relies heavily on email as a means of communicating and coordinating businesses operations and sales. Studies have shown that a vast number of data breaches start by compromising insecure emailing domains and systems and then obtaining credentials to more sensitive systems. Email security should be on top of the minds of elections officials. To that end they should consider deploying Sender Policy Framework (SPF) records, Domain Keys Identified Mail (DKIM) records, publishing a Domain Messaging and Reporting Conformance policy (DMARC) that rejects mail that fails a SPF or DKIM check to secure their email communications, and enabling STARTTLS. 

This guide is a distillation of these various documents, M³AAWG best common practices (https://www.m3aawg.org/published-documents), and relevant news and research, intended to help election officials understand the need for these technologies in a manner that is digestible and actionable. This guide covers topics relevant to elections officials including:

1. Benefits of Multi-Factor Authentication (MFA)
2. Securing Email Communications
3. Web and General Security Guidance

The guide attempts to use plain language for election officials who may not be cybersecurity experts. Specific, actionable steps are included with a level of technical detail suitable to pass on as guiding details in the hopes of informing if not the reader, then those parties that can take decisive action to prevent and avoid certain threats and attacks. 

Click here to download the full post.