Security, trust and accuracy issues have bedeviled voting and elections from the day after elections moved beyond a simple “can we get a show of hands?” And perhaps at no time in our country’s recent history have issues surrounding election security been more prominent.
Ahead of the midterm election, 45% of U.S. adults said they were “very concerned” the U.S. voting system might be vulnerable to hackers. So, what can be done to secure elections across the country? This simple question opens a can of hanging chads because the U.S. election system is the opposite of a monolithic regime. Under the U.S. Constitution, each state is primarily responsible for setting the “times, places and manners of holding elections for Senators and Representatives,” although Congress can “at any time by Law make or alter such Regulations, except as to the places of chusing [sic] Senators.”
Given our Constitutional federal system, U.S. elections are characterized by a very decentralized election administration system. On the one hand, this means that there’s no single point of failure or ability to easily “hack” a national election. On the other hand, there’s no easy fix or single solution to secure all of the more than 10,000 election administration jurisdictions in the U.S. While earlier this year Congress approved $380 million in grants to states for election security as part of the Help America Vote Act’s Election Security Fund, the majority of that money allocated to date has been earmarked by state election officials to address “standard security measures.”
Tech to the Rescue
While technology can’t solve every election or voting issue, cyber security and technology companies are stepping up to introduce free election security services to cash- and personnel-strapped state and local election officials and campaigns. As part of its broader push to better secure democratic voting systems, Symantec is extending its “Project Dolphin” anti-spoof proofing service at no cost to administrators of both business and organizational websites, including election-related offerings of state and local election officials. The free service is available here.
In rolling out the free version of Project Dolphin last month, Symantec’s CEO, Greg Clarke, noted that the issues that plagued the 2016 election remain prevalent “and are likely to continue to persist through the midterm elections, into 2020, and into elections globally.” Given the often-high success rate of carefully targeted phishing efforts, spoofing the websites of election candidates, election officials and other election-related groups marks a potentially prime channel for cyber criminals or those seeking to infiltrate, influence or otherwise disrupt elements of our elections.
According to Symantec, Project Dolphin calls upon the company’s AI-driven, patented technology to target and identify web spoofing and phishing efforts. Chris Larsen, Architect and Research Engineer on Symantec’s WebPulse threat research team, quipped that the service is called Dolphin "because dolphins are smart and eat phish."
While Dolphin started out as an extension of Symantec’s WebPulse system, Larsen explained further that, “through a combination of Web, endpoint, and e-mail intelligence; cloud infrastructure; and image processing, analysis, and comparison, driven by a machine learning system, Dolphin identifies spoofed pages of an ever-widening ecosystem of phishing targets -- both traditional and new.”
In practice, Dolphin users submit the URLs and websites they want monitored for spoofing and phishing campaigns. Symantec’s service then automatically and continuously analyzes them against the steadily updated websites in Symantec’s phishing telemetry database. When a spoofed version of a legitimate site is discovered, Symantec notifies the website’s authorized contact with details and recommendations for how to remove the discovered malicious sites. The free service continues to perform its monitoring and notification functions until a user unsubscribes.
Spoofing is just one potential attack vector against elections, voters and campaigns, so Symantec has also created an entire website devoted to election-related security education, including discussions on specific issues and generally applicable recommendations for election officials and personnel.
Even after the midterms, the broader concerns around voting and elections are not likely to disappear anytime soon. Increasingly it will likely fall to technology and security vendors to lead the way in identifying security gaps, educating voters and election officials and ultimately developing solutions to safeguard our complex local, state and national election systems.