Election website security a mess for states and candidates alike

Joshua Franklin entered the voting technology space in 2004, when he helped the state of Georgia to fix, maintain and repair its 20,000 touchscreen election machines. Franklin went on to work for the Election Assistance Commission, which is the U.S.-governed agency responsible for testing and certifying voting systems, and then the NIST where he helped lead the cybersecurity aspects of its voting project and helped develop the next-generation voting machine standards expected later this year.

While in graduate school in 2012, Franklin and his father started a project focused on campaign cybersecurity, researching malicious online activity related to elections and candidates. Through the 2012, 2014, 2016 and now 2018 elections, Franklin has been gathering data on fake election websites and typosquatting activity, and he has recently begun scanning online voter registration infrastructure and investigating election website security in 50 states, five territories and Washington, D.C.

Franklin spoke about the state of election website security at DEF CON 26 in Las Vegas last month.

Editor's note: This conversation has been edited for length and clarity.

Based on your research, how would you rate election website security in the districts you studied?

Joshua Franklin: They were suboptimal. About 20% of the 56 states and territories had some sort of critical cybersecurity issues that needed to be addressed for their state and election websites. For the voter registration systems, only about 37 states have online voter registration systems. A couple don't even have online voter registration at all, which definitely simplifies things.

We've found two that had relatively critical errors or really bad misconfigurations that needed to be addressed promptly and one that had a medium, middle-of-the-road issue. We did responsible disclosure with all of the states and affected jurisdictions.

We think we're the first people ever to gather these sorts of stats. And it should be very useful going forward to have measurable cybersecurity information that we can baseline against and say, 'Are we doing better than last year or last election?' I don't think anyone's ever done that before.

What other election website security issues did you investigate?

Franklin: We also took a look at Congress and all of the folks that are running for Senate. And we looked at all of the incumbents who are running for election for the House and then most of the key races. The total number of folks who were running for the House was in the thousands, and so I watched probably 13 Marvel movies trying to get all of these -- first name, last name, party and the election website. It was terrible.

For the first time -- we think ever -- we have measurable cybersecurity information here, taking a look at how secure these candidate and incumbent sites are. About 30% of the House had some sort of issues that needed to be resolved.

The Senate fared significantly better. And that might make sense, because there's often more money inside of a Senate campaign -- they're longer; they're sort of expecting, if they get elected, they're going to have this site up for at least six years.

We've been working with parties and other folks in the federal government to get this information to all of the candidates. Again, it's very difficult to disclose this information in a responsible way. To find who to contact for 153 individual campaigns, it would be almost 200 people or a little bit less. Maybe in 10 years when Marvel has made another 13 movies, that's fine. But now, DC hasn't made enough.

What part of election website security is overlooked the most?

Franklin: Typosquatting is a very serious issue that, in my opinion, campaigns don't take seriously enough. In 2012, when we first started this project, we actually found a fake Democratic National Committee site where someone was taking donations on behalf of the DNC.

There was [a National Republican Congressional Committee, or NRCC] corollary, as well. We reported this to the FBI and got it quickly sorted. But [the malicious actors] just bought democraticnationalcommittee.org, because that website was not taken.

In 2014, I believe we found 12 sites put up by the NRCC that, in my opinion, were intentionally made to confuse voters. The site appears to be a pro-Ann Kirkpatrick [a former Democratic Party congresswoman from Arizona] site, but if you clicked to donate here, the money would not go to Ann Kirkpatrick; this money would go to the NRCC.

Is that legal?

Franklin: Hashtag not a lawyer, [but] there is a federal statute about typosquatting and cybersquatting and using domains in bad faith. There are also First Amendment concerns, though, as well. So, perhaps this is free speech.

For instance, [there was] a 'Gillibrand Sucks' site [referring to Sen. Kirsten Gillibrand (D-N.Y.)], and they redirected to the Democratic Socialists of America webpage. It's kind of funny. 

Maybe someone puts up [an] 'I hate this candidate' site again, and perhaps that's a free speech issue. I don't have the credentials to ultimately decide whether or not it is.

I imagine taking donations would push that over the edge?

Franklin: I tend to agree with you. It is possible these were not put up by the NRCC, but there's a nice box at the very bottom that says, 'Paid for by the NRCC.'

Did you check the WhoIs data on those?

Franklin: We did. It was all private. It's not always the case, though. In 2014 and 2016, a number of candidates put personal information into the WhoIs database. We were able to identify the houses on Google Maps of very high-profile candidates, because they put their house into this database. And that's probably an operational security issue; that's an OPSEC failure that could lead to some really negative outcomes. So, candidates need to be aware of that. 

Another argument for why typosquatting is really a danger: In the most recent [Robert] Mueller indictments, they showed that foreign adversaries hacked into the DCCC [Democratic Congressional Campaign Committee] and DNC. They got into the actual websites and redirected pages from ActBlue, which is their primary fundraising platform. It's like a widget you can embed into your site if you're a Democratic candidate. The Russians purchased actblues.com and we noticed this in 2016. We went to actblues.com, looked at the site, it looked to be a copy or it looked to be the same site as actblue.com.

Typosquatting is a very serious issue that, in my opinion, campaigns don't take seriously enough.

We looked at the WhoIs information, didn't think it was anything worthwhile and thought, 'This is just the ActBlue organization covering its bases and defensively typosquatting.' It was not. We considered this a big failure in our six-year-long project so far.

It's good to know that we can at least get that first stage of detection -- that our tool will accomplish that. But it shows that we need to do a better job of sifting through the data and doing a better job of identifying when something is malicious. These are very well-funded, intelligent adversaries.

Then, you have some candidates [who have] all of these different websites that redirect to one website. Pete Stauber [a candidate for the House of Representatives in Minnesota] or someone purchased over 30 sites defensively -- the only person we've seen like that. I don't know why they've gotten so intense.

A lot of candidates have nice-looking new pages, but if they previously ran for office, they'll just leave those pages out. This is Carly for CA from I believe 2000 or 2002, I don't know who is paying for hosting and who purchased that domain for 20 years.

We have a tool [Election Buster] that helps prevent this. We want parties and candidates of both sides to use it and defend themselves against foreign adversaries.