The report talks about election website security “shortcomings” that is says could render 13 battleground states “susceptible to voter disinformation campaigns.”
McAfee surveyed Arizona, Florida, Georgia, Iowa, Michigan, Minnesota, Nevada, New Hampshire, North Carolina, Ohio, Pennsylvania, Texas, and Wisconsin – which account for 201 of the 270 electoral votes needed to win the general election. The report found that of the 1,117 counties in the survey group, 83 percent of battleground-state counties use websites that lack U.S. government .GOV certification. Additionally, roughly half (46.6 percent) of battleground-state counties fail to protect voters using their websites with HTTPS encryption.
“Such shortcomings could make it possible for malicious actors to establish false government websites and use them to spread false election information that could influence voter behavior and even impact final election results,” McAfee said.
Steve Grobman, McAfee senior vice president and chief technology officer, stressed the importance of .gov validation and encryption. “Without a governing body validating whether websites truly belong to the government entities they claim, it’s possible to spoof legitimate government sites with fraudulent ones.”
He continued, “An adversary can use fake election websites for misinformation and voter suppression by targeting specific voters in swing states with misleading information on candidates, or inaccurate information on the voting process such as poll location and times. In this way, this malicious actor could impact election results without ever physically or digitally interacting with voting machines or systems.”
Grobman said part of the issue is that governments are putting end-user experience ahead of cybersecurity, explaining, “In many cases, these websites have been set up to provide a strong user experience versus a focus on the implications that they could be spoofed to exploit the communities they serve.”
The report flags one way that governments put user experience ahead of cybersecurity – the use of easy-to-remember naming formats. The report found 103 cases in which counties attempted to use easy-to-remember URLs to make it easier for voters to find election information.
McAfee did note that 90.2 percent of counties did protect voters visiting their sites with encryption. But only two validated their election domains and websites with .GOV. The report concluded that the lack of .GOV validation “suggests that malicious parties could easily set up numerous websites with similarly named domains to spoof these legitimate sites.”
Government entities can only secure .GOV domains by submitting evidence to the U.S. government regarding their legitimacy. However, websites using .COM, .NET, .ORG, and .US domains do not require any validation. That means “there is no governing authority preventing malicious parties from using these names to set up and promote any number of fraudulent web domains mimicking legitimate county government domains,” the report says.