Few election offices have implemented a key defense against hackers
Below: The TSA announces an update to its rail cybersecurity rules, and Germany removes its cybersecurity chief. First:
Putting .gov domain at the end of websites could buttress election offices, but only 1 in 4 do
Just 1 in 4 local election office websites use the .gov domain, even though it improves security and makes visitors less likely to fall for fake sites that could leave them vulnerable to hackers or influence operations, according to a study out this morning.
The study, conducted by the Center for Democracy and Technology (CDT) in conjunction with researchers from Georgetown University’s Foo Law Lab and first reported by The Cybersecurity 202, found that of the 7,010 websites evaluated, only 1,747 — or 25 percent — use the Cybersecurity and Infrastructure Security Agency-sponsored .gov domain, available only to U.S.-based government entities.
Another, less-comprehensive study two years ago showed even lower use of the .gov domain. Between now and then, Congress passed legislation known as the DOTGOV Act to improve .gov adoption among government agencies, and CISA waived fees for applying for a .gov address.
But 25 percent “seemed a little low to me,” Will Adler, an election security technologist at CDT, told me — even if it “makes sense” that it would register at that level of adoption. “Government is slow to make changes. Election officials are strapped for time and money.”
The FBI in 2020 identified dozens of shady, illegitimate election websites designed to look like authentic ones that could be used to interfere in elections, according to a Department of Homeland Security bulletin. A subsequent FBI/CISA warning said foreign adversaries and cybercriminals could use spoofed election-related internet domains to spread fake information, steal personal or login information and disseminate malware.
- Visitors to .gov websites can have more confidence that they’re visiting an authentic government website, rather than a fake one designed to trick voters.
- The .gov websites also have security features not always found in commercially available web addresses that end in .com or .org.
“We know that one of the most impactful ways to mitigate the spread of disinformation is to empower local election officials as trusted voices on election administration,” CISA’s senior election security adviser Kim Wyman told me in a statement. “Helping election officials move to a .gov domain supports this effort. The public can easily identify an official government website or email address when it ends in .gov.”
A 2020 McAfee examination of a smaller set of county-level election websites found that just 20 percent of them used .gov. When the CDT/Georgetown study out today pared down the numbers from the 7,010 unique domains held by election officials responsible for election administration (including municipalities) to county-only numbers, it found that 32 percent of county election websites used .gov. In other words, that part improved.
The combined county and city numbers overall, not just election offices, look to be in line with the election office numbers, according to another examination.
Congress’ decision to give sponsorship of the .gov domain to CISA from its previous custodian, the General Services Administration, and waive the previous $400 fee appears to have made an important difference. But at the current rate, it will still take a long time to get to full adoption.
- Another part of the CDT/Georgetown study offered more positive results for election offices. Of the 7,010 websites the study examined, 89 percent supported HTTPS, which encrypts data sent between a website and a browser and is more secure than HTTP. The rate was similar for county-only websites and an improvement on the 55 percent rate McAfee found in 2020.
- “For voters using an election website, encryption helps ensure, for example, that they are able to privately submit sensitive voter registration information and be sure the information about how to vote or about election results is genuine,” the study says.
Simply having a decent .gov website name was an early impediment for Weber County, Utah, Clerk/Auditor Ricky Hatch, he told me. He sought an exception when applying last year so that the website didn’t have to include both the state and county name, which he reasoned would be too long. Later, the feds dropped that requirement.
Even then, he had concerns. “We had heavily branded our WeberElection.com URL on all of our documentation, so we knew we’d have to change all that,” Hatch said. But the trade-off was worth it for the voter confidence that the site was authentic, he decided.
For other offices, branding is also likely a concern for a long-used website name, Hatch said. But another major impediment is probably awareness of the .gov option, said Hatch, who serves as chair of the election committee of the National Association of Counties. Many election jurisdictions are small, and the local election office might employ just one or two people.
Other election offices might want to use .gov, but it’s not up to them — county commissioners or mayors with oversight of their offices might be opposed, Hatch said.
The $400 application fee might be waived, but there are some other secondary expenses associated with moving to .gov. Recent additional state and local grants could help with that funding.
“My DOTGOV Act made transitioning to this domain more affordable and required CISA to provide additional information to help city and county governments migrate to .gov,” Senate Homeland Security and Governmental Affairs Chairman Gary Peters (D-Mich.) told me in a statement. “These changes, along with funding I helped secure as a part of the bipartisan infrastructure law, will help expand the adoption of this domain and bolster other efforts to strengthen state and local cybersecurity defenses.”
Offered Wyman: “Over the last several years, we have engaged state and local officials on the value of switching to a .gov platform, and sought ways to make the transition easier, such as eliminating the $400 registration fee that had served as a barrier of entry to smaller jurisdictions. We continue to encourage election officials to make this transition if they have not already done so.”
U.S. government announces cybersecurity update for railroad operators
Under the Transportation Security Administration’s revamped cybersecurity regulations, railroad owners and operators get guidance on building a cybersecurity plan with sections on segmenting their networks, adding multifactor authentication, monitoring their systems and updating their software.
The new guidance comes around a year after the Biden administration announced rail cybersecurity rules; the railroad industry pushed back at the time, saying it was already voluntarily following those cybersecurity practices. The TSA also issued cybersecurity rules for pipelines after the Colonial Pipeline cyberattack last year; the agency updated those rules in July.
- The new document also cites a U.S. government warning about potential Russian hacks of critical infrastructure in the wake of Russia’s invasion of Ukraine as evidence of the increased urgency for implementing the cybersecurity requirements.
The new rail directive uses a similar approach to the one the TSA used for pipelines, TSA surface policy division executive director Scott Gorton said, according to Inside Cybersecurity. Gorton also said the TSA used industry input to craft the latest rules.
“We got a lot of hate mail” on the first draft of the update to cybersecurity rules for pipelines, so “we worked with the sector — it was a real learning experience,” Gorton said, per Inside Cybersecurity. “We moved from prescriptive to outcome-based, and we’re preparing to do the same for rail.” The agency plans to post an advance notice of proposed rulemaking for transportation sector cybersecurity, he said, kicking off a potential notice of proposed rulemaking next September.
Germany removes its cybersecurity chief
Arne Schönbohm’s removal comes after a satirical German show accused him of maintaining contacts with Russian intelligence through the Cyber Security Council Germany, which he helped found a decade ago, Loveday Morris and Vanessa Guinan-Bank report.
“Branding him a ‘cyber clown,’ the program ‘ZDF Magazin Royale’ pointed out that while running the government’s top cybersecurity agency, Schönbohm continued to maintain contacts with the foundation,” Loveday and Vanessa write. “That stirred controversy because of the foundation membership of Protelion, reported to be a rebranded German arm of the Russian cybersecurity firm Infotecs, founded by a former KGB agent.”
The allegations “have permanently damaged the necessary public trust in the neutrality and impartiality” of Schönbohm in his position, Interior Ministry spokeswoman Britta Beylage-Haarmann said. But Schönbohm is “presumed innocent” until details of the case are “thoroughly and vigorously investigated,” and his removal isn’t final, she said.
Mexican opposition lawmaker says he was hacked with Pegasus
The apparent hacking makes opposition congressman Agustin Basave Alanis the fourth alleged Mexican victim of NSO Group’s Pegasus spyware, which Mexican President Andrés Manuel López Obrador said in 2019 that he wouldn’t use, Reuters’s Daina Beth Solomon reports. The hacking apparently took place in September 2021, Animal Politico reports.
“López Obrador, who took office in late 2018, denied spying on opponents or journalists when asked recently about the three cases,” Solomon writes. “He added the military did conduct intelligence work, but that this was ‘not spying.’” His office didn’t respond to Reuters’s request for comment on the latest case.
NSO Group told Reuters that investigators from Citizen Lab can’t differentiate between spyware made by NSO and other firms. Citizen Lab rejects that claim, Reuters reports.
- National Cyber Director Chris Inglis and top Ukrainian cybersecurity official Viktor Zhora speak at Mandiant’s mWISE conference today.
- The Institute for Security and Technology hosts an event on the data transfer agreement today at 11 a.m.
- Rep. Jim Langevin (D-R.I.) and Dmitri Alperovitch, the co-founder and chair of Silverado Policy Accelerator, speak at a Washington Post Live event today at 11 a.m.
- CISA Director Jen Easterly speaks at Mandiant’s mWISE conference on Thursday.