[Image via armytimes]

This week’s electionline newsletter folds two important stories into one: an announcement of a new survey of election officials by the Democracy Fund – and a primer on “phishing attacks” with CDT’s Joe Hall inspired by the effort to assure survey recipients that the request is genuine. Take a look:

Next week, the Democracy Fund, in partnership with Reed College, will release into the wild a new survey for local election officials (LEOs). The survey is looking to understand LEO’s views about roles, responsibilities and challenges of their work as well as amplify the voices LEOs in national, regional and state conversations about election administration.

Hours of work have gone into determine what information the survey will seek to find out and developing the questions.

And in today’s hyper sensitive cybersecurity environment, almost as many hours have gone into determining how the survey should be conducted so those who receive it feel secure in responding to unsolicited emails.

According to Joseph Lorenzo Hall, chief technologist with the Center for Democracy and Technology, phishing is one of the number one threats in cybersecurity, not just to election officials, but to everyone.

“It’s consistently the tactic used to get into systems around the world and we have evidence that it was likely how credentials to the Arizona voter registration database were stolen and then put up for sale on the dark web.” Hall said.

Hall said we know from the Reality Winner leak that around 120 state and local election officials were spear-phished — which is targeted phishing rather than opportunistic phishing — by Russian military intelligence (the GRU).

“Unfortunately, even with good training we are only able to reduce phishing attacks to about 50 percent, meaning there’s a good chance 60 or so election officials clicked on links or opened attachments sent by the Russians,” Hall said. “Hopefully those jurisdictions know now that they were targeted and have taken measures to mitigate phishing attacks.”

And phishing is so successful because as Hall said, it relies on social engineering. Essentially, rather than trying to find a flaw in the technical security of a system, ne’er-do-wells lean on the human element and try to get access to data, systems or install malware by tricking people into thinking they must click on a link or attachment or lulling them into a sense of security so that they click out of habit.

“Unfortunately, I don’t have to tell your readers that as more people come online, we can all expect to receive more email, meaning that the sheer scale of this problem is not going to get better as people are inundated in coming years with email,” Hall said. “And email, for all of its flaws — it is very difficult to secure — is still the lowest common denominator in terms of communicating online. As we move away from email and to messaging platforms like Signal/WhatsApp/Wickr/etc, email may become less of a problem.”

So how can you know if an email is safe to open and a link OK to click on? Short of picking up the phone and calling the sender — and who wants to do that?! — Hall had several things that people can do to ensure their online safety:

1. Be aware. Does a given email seem fishy? For example, did you just get an email that says, “Bob would like to share something on Dropbox” but you don’t use Dropbox to share files? That’s a good sign that you might want to wait and call Bob. Also, there may be obvious flaws in the message… for example, we once caught a phishing attempt from Chinese hackers because they misspelled the name of the staffer they were masquerading as.

2. Much more important than awareness is eliminating entirely the ability for you or your staff to get phished. It’s very important that for business systems and personal accounts that you turn on something called two-factor authentication. Two-factor is something you are probably already familiar with and may not realize it; for example, when you log into your bank while traveling, they may require you to enter in a temporary PIN number that they text to your phone. Why is this important? Because it’s highly unlikely that an attacker would have both your password and your phone, making it much harder for them to gain unauthorized access to your accounts.

Here is a handy list of all the online services that allow you to turn on two-factor. And common business operating systems (Windows/365, Google/Gsuite, Mac OS, Linux) all support some kind of two-factor so that you can enforce it across all your staff.

3. At some point, we all need to think hard about adopting an email standard called DMARC. DMARC, put simply, is a way to make sure that email from your domain cannot be spoofed. It essentially uses cryptography to “sign” good messages from all users on a domain like cdt.org. This means phishing attempts can’t provide that kind of mathematical proof (because they can’t log on to the system yet!) and all spoofing-based phishing attacks never even reach potential victim’s inboxes.

4. Finally, you may have seen some people have email programs that put a layer of indirection between the user and the URL… that is, some businesses use what is called “link rewriting” software like that provided by Proofpoint. This works by allowing their software to scan all email as it arrives and it replaces every URL with something that looks like https://proofpoint.com/check=http://example.com .

What happens here is that when someone clicks on it, there is a moment where Proofpoint can check the URL against know malware and phishing domains and warn the user or even prevent them from visiting the suspicious URL.

All of Hall’s recommendations are possible for personal and work email. He also recommended that elections officials put their own personal accounts into the Google Advanced Protection Program, which is designed to entirely eliminate phishing attacks—even from nation-states.

“This isn’t available for more than personal Google/GMail accounts right now, but personal accounts are often used to get access to institutional accounts, so this is a great place for election officials to start in terms of state-of-the-art protections,” Hall explained.

For the Democracy Fund/Reed College survey, administrators are taking a multi-pronged approach to reassure LEOs that the emails they will receive next week are legit.

In addition to the survey email, which will come directly from Qualtrics, the survey administrator, an email will come from Paul Gronke, director of the Early Voting Information Center and professor at Reed College, to let survey respondents know they have been selected to respond and they should keep an eye-out for the survey.

The Democracy Fund/Reed College team has been in direct contact with the National Association of State Election Directors and the National Association of Counties, who agreed to communicate with their members. They have also given a heads up to the U.S. Election Assistance Commission, the National Association of Secretaries of State and the International Association of Government Officials.

“We’ve reached out to several validators who can let LEOs know that the survey is coming, and more importantly, that the survey is from a trusted source,” explained Natalie Adona, senior research and learning associate for the Elections Program at the Democracy Fund. “We certainly respect that election officials across this country have real, ongoing concerns around cybersecurity–which includes (but isn’t limited to) email phishing attempts. We realize that some LEOs will not have heard of Democracy Fund or Reed College, and might be skeptical about opening-up a link contained in an email from someone/organization that they don’t know.”

This election survey is vitally important and so if you get that Qualtrics email, please respond! [If you have any questions or concerns about the survey, please contact Natalie Adona, senior research and learning association at the Democracy Fund 202.420.7931 (nadona@democracyfund.org) or Paul Gronke at Reed College 503.517.7393 (gronkep@reed.edu)]

Thanks to Joe Hall (who is a go-to for many of us on these issues, for obvious reasons) for sharing his expertise – and a tip of the ol’ electiongeek hat to Mindy Moretti for using the impending survey as an opportunity to talk about simple but important steps that election officials can take to better secure their email – and thus everything else they do online. Click carefully – and stay tuned …