January 7, 2025
January 7, 2025
Editor’s note: This post is the latest in Security Outliers, a series of interviews with people who are tackling big security problems while questioning the status quo. Today’s Q&A is with Oren J. Falkowitz, Founder of Area 1 Security.
Four years ago the U.S. was in the final months of the 2016 presidential campaign season when hackers linked to Russia leaked thousands of emails stolen from the Democratic National Committee and John Podesta, Hilary Clinton’s campaign chairman. The leaks, along with disinformation and influence operations on social media attributed to Russia, played a significant part in turning a contentious election into chaos. This year, hackers are at it again, with Chinese and Iranian phishing attacks targeting personal email accounts of Democratic Presidential Candidate Joe Biden’s staffers. And in a sign that Russia has been ramping up its election hacking, the NSA publicly accused Russia of exploiting vulnerabilities in servers running the open source Exim email software internationally.
Email accounts of election officials are also at risk. Area 1 Security recently released a report that shows that state and local election administrators are vulnerable to phishing. The company helps protect businesses, government agencies and nonprofits against phishing and is the only company to have the Federal Elections Commission approve its offering to candidates and campaigns. I recently spoke to Oren Falkowitz, founder of Area 1 Security, about the report and what it means for the November election. Below is an edited version of the conversation.
The report couldn’t have come at a more opportune time. What did you find out about election official security that people should know?
We analyzed more than 10,000 state and local election administrators’ susceptibility to phishing and while we know that for any organization cybersecurity practices are an evolution, there’s work left to do. When it comes to defense against phishing, most of the administrators are using only rudimentary practices, 28% have basic controls and only about 18% have implemented advanced anti-phishing controls. A surprising number — 666 to be exact — are using personal email or technologies designed for personal use, which don’t offer the same level of security protection as enterprise technologies do. Meanwhile, some election administrators are running their own custom email infrastructure, like Exim or Postfix. Not only do Gmail and Office 365 get updates and are generally more diligent about security, Exim has vulnerabilities that have been targeted by Russian hackers. But beyond the professional email providers there are additional security layers that administrators and others dealing with highly sensitive systems and data can use.
How did you get the data?
We went county by county and city by city and figured out who their election administrators were and we performed an analysis on that. It was complicated because a town might have three or four different administrators and they don’t share the same title across counties or states. We’ve been working on this for years, ever since we were asked by federal candidates to secure their runs for office. We’re working with the Federal Election Commission to offer the service we do for candidates to election officials under the same terms and without violating federal finance laws.
Given what you found in your recent report, how bad are things for election officials’ email systems at this point in time?
My hope is that someone will read the report and take it as a mirror and say, “Huh, is there something I can do better?” I don’t think we’re making a critique, just encouraging people to really understand the cybersecurity issues they may be open to.
We’re focused on the people who are involved in the democratic process, whether it’s running for office or administering it. From my perspective, and our shared experiences, that's the greatest risk.
Are things any better than in 2016?
There’s certainly more awareness. But the data shows there’s more work to be done. And there are a lot of views as to what the problem is. There’s the phishing problem. Others talk about social media influence. And others talk about hacks to voting machines. We’re focused on the people who are involved in the democratic process, whether it’s running for office or administering it. From my perspective, and our shared experiences, that's the greatest risk.
Can the problems you identified be fixed in time?
It’s never too late. Every day matters and it’s certainly not the time to throw up your hands. Elections administrators need more resources. That’s really the bottom line. They need access to experts to help them make progress against the issues we identified. Also, you can not run your own infrastructure, especially Exim. And the use of personal email accounts is not appropriate when it comes to conducting these types of important democratic administrative functions.
So, if hackers can’t change votes via email compromise, what is the potential harm?
I don’t know that that is true. The risk is different but it’s possible that if you are responsible for setting up a voting machine and need to keep track of the configuration, where you got it from, where it’s stored, what IP address it will be connected to, and updating it via thumb drive, those are all things that could be gleaned from phishing. If the voting machines are supposed to not be connected to the internet but they require updates, that means you have to carry software to them, which is typically done through an external drive. You might be downloading the software update from the same computer you got phished on and the drive could be infected with malware. That's well within the realm of possibility.
How is the pandemic impacting things? Is it taking personnel and budget away from security issues?
When you have limited resources they get divided across multiple issues and it creates a challenge. In talking to local election administrators, they're often volunteers, trying to make sure poll lines are short, that they can check poll books, that people can vote securely, and they can report results well. There's a lot going on and almost none are cybersecurity experts.
What can you tell me about the level of security within the candidates and campaigns you’re working with?
From the looks of it during the primary, people were definitely more aware of the issues and more folks than ever were investing in a wide range of technologies, from secure messaging to encryption and email security. That's happening at the campaigns at the presidential, senate, house and governors’ level. No matter the outcome, we all want to wake up on November 4th 2020 and know that cybersecurity played no part in the outcome.
Photo credit: Seth Rosenblatt
