With the 2022 election season around the corner, campaigns of all sizes need to be prepared for a widened set of potential cybersecurity risks, experts and a top intelligence official said.
“The worry in all of election security is trust and confidence — that we’ve delivered a safe and secure election,” National Security Agency cyber director Rob Joyce told CyberScoop at a media roundtable at the 2022 RSA Conference on Wednesday. “And if you know if elections are subject to ransomware, or if there’s a botnet that runs a denial of service, what you’ll find is that’s probably going to, in this day and age, escalate and be an issue of trust.
Joyce noted that NSA tends to play a supporting role to the Department of Homeland Security’s CISA, but both botnets and ransomware fall within the agency’s technical lane and are cause for concern ahead of 2022.
Security strategists at top tech companies shared similar concerns at an RSA panel earlier in the day
“A risk that I am most fearful of is the growing trend of ransomware attacks,” said Ethan Chumley, senior security strategist for critical institutions for Microsoft.
Chumley says that while so far the threat hasn’t been a big issue for the industry, the spike in attacks globally should put campaigns on guard.
Chumley also agreed that issues of trust could play a role in 2022.
“In part, it’s why we do the technical work,” Chumley told CyberScoop. “Even allegations of wrongdoing can be detrimental to an election.”
Ransomware isn’t the only evolving threat campaigns face. Grace Hoyt, who runs Google’s account security partnerships, pointed to the growing threat of surveillance-for-hire technology such as spyware from companies like the NSO Group. Security researchers have already identified such campaigns on a global stage, including elections in Poland and Mexico.
Still, the top threat for campaigns remains phishing attacks like the one that allowed Russian hackers to access the email account of Hilary Clinton’s 2016 campaign chairman John Podesta. Chumley says that Microsoft has observed attackers targeting not just candidates’ and staff’s personal emails, but also targeting their families and inner circles.
Those kinds of threats aren’t ones most campaigns have to think about when it comes to cybersecurity, said Alissa Starzak, global head of public policy at Cloudflare. “A unique thing about the campaign risk space is, it’s personal,” said Starzak.
While there haven’t been any public reports of a significant ransomware attack against a campaign, the 2020 election showed that cybercriminals aren’t shy in going after election infrastructure directly. Cybercriminals disrupted the election infrastructure of a Georgia county just weeks before the 2020 election.
The broader intelligence community is also preparing for a more evolved set of cybercrime threats.
“The threat landscape, I believe is more complicated, more dynamic, and so it will require the full force of all the resources [we have] … It is something that I think is going to be a challenge,” CISA director Jen Easterly said at a media roundtable Tuesday.
Tim Starks contributed to this story.
Updated 6/8/22: To include additional comments by Rob Joyce and Ethan Chumley.