As we enter the final month of the 2020 U.S. presidential race, election security and fraud is top of mind for many. With the memory of the 2016 Podesta breach still fresh, we are a nation braced for cyber-attack impact.
Experts agree that, while countless security improvements have been made since 2016, we should expect more vigorous phishing attacks, data theft, ransomware, and disinformation efforts in the coming weeks. And while legions of cyber security professionals work around the clock to protect this apparatus of our democracy, we must all be vigilant to defend against foreign adversaries or domestic actors who seek to sow chaos or tamper with election outcomes. The truth of the matter is that election security extends far beyond the political organizations themselves.
For years, Yubico has worked closely with state, local, and federal governments — recently in partnership with Defending Digital Campaigns (DDC) and Microsoft AccountGuard — to secure everything from bi-partisan campaigns to candidates’ email accounts with the YubiKey. Based on this extensive work to safeguard democratic electoral processes, there are three observations that underscore the pressing need for all of us — every business, every individual — to play a role in securing elections and re-infusing trust into our democratic process:
The conditions are perfect for phishing season
Hackers thrive on fear, anxiety, and confusion. They leverage these emotions to facilitate social engineering attacks. When emotions are running high, people are more likely to fall for a phishing attempt. To put it another way, they’re less likely to stop and question the authenticity of an email or text message before clicking on a link or offering up their credentials. This year, fear, anxiety, and confusion are in bountiful supply, making the conditions perfect for phishing.
Politically-motivated hackers exploit unsuspecting targets
In a phishing attack, a hacker can turn almost anyone into a weapon for use in their mission — whether that’s to help a particular candidate or simply cause unrest.
Take the latest Twitter breach for example. According to WIRED, hackers sent out thousands of phishing emails and phone calls to Twitter employees in an effort to gain access to accounts of well-known and influential users. The consequences of such an account takeover in the final days of an election campaign could be catastrophic. Even if the breach were recognized immediately, the damage would be almost impossible to contain.
In Twitter’s case, the company has focused intently on minimizing the chances of such an attack happening again — an exemplary effort that we would encourage other companies to mimic. Among other measures, the company recently announced it is rolling out phishing-resistant security keys.
Hackers can work their way from account to account in order to get closer to their target. For example, they might target an individual that is a friend of someone who works at a large, influential company, or target a campaign volunteer instead of the campaign manager. Ultimately, their final target could be anyone whose identity can be used to influence public sentiment.
Private companies see an increase in hacktivist threats
Experts report that private companies are seeing an increase in hacktivist threats in the run-up to the election. Media organizations, universities, and nonprofits are all at risk due to their profiles and roles in influencing the public, but almost any business could serve a purpose for a politically-motivated hacker.
The recent SendGrid breach illustrates this well. SendGrid customers distribute large volumes of email with a high delivery rate. If those account credentials get into the wrong hands, it’s easy to see how they could be used to deliver political disinformation to millions of voters, opposing candidate campaign members, or media organizations.
“Given the current climate in the U.S. and the amount of activism going on, I think it’s fair to assume that hacktivism activity would parallel community-level activities, since the web is just an extension of activities in real life,” said Michael Kaiser, president and CEO of Defending Digital Campaigns, and former executive director of the National Cyber Security Alliance in a recent SC Magazine article. “I fully expect disrupting a campaign, person or organization viewed as an opponent — in order to convey a message or do greater harm — would be part of the hacktivism playbook.”
The message is clear: any individual, in any organization can be an accessory to an attack. That’s why every organization — political or not — must ensure it is authenticating every user. Passwords are too easy to steal, while basic two-step authentication can be vulnerable to phishing and man-in-the-middle attacks. Making strong authentication available at scale, with physical hardware keys like the YubiKey, is a trusted way to ensure the identity of every user at every login point.
The stakes are high — we must do all we can collectively to protect individuals, protect organizations, and protect democracy.