Cyber threats to elections in the U.S. and abroad remain at an elevated level and continue to evolve. It’s appropriate and encouraging to see continued growth and investment in cybersecurity efforts within elections communities. As a longstanding leader in defending elections globally, CrowdStrike understands the importance of these efforts and we want to do our part to help raise and sustain awareness. As we’ve said previously, those in a position to contribute to election cybersecurity have a responsibility to do so. 

Let’s take a look at some of the consistent threats and newer developments, and highlight some key resources and best practices. 

Adversaries Persist

Central to CrowdStrike’s view of cyberdefense is the importance of understanding threat actors. Knowledge of threat actors’ motivations, objectives and operations critically informs defensive practices. This is the insight behind CrowdStrike’s threat intelligence offerings and the starting point for any brief to victims or potential victims of targeted threat activity. 

Threat actors have sought to disrupt or influence elections worldwide. This category of threat activity generally seeks to inflict damage to perceived foes within democratic systems or to pursue other political ends. This potentially includes efforts to undermine the very concept of elections themselves. Naturally, this strikes at the core of free and fair elections on which modern democracies are based.   

While high-profile threats targeting the U.S. elections in 2016 and several European parliamentary elections over the next few years attracted significant attention, it’s important to remember that these threats are more enduring and more widespread than just those attacks. My first significant election security effort was over 15 years ago during my U.S. government service. This was in response to threat actors CrowdStrike would come to track as PANDAs — Chinese-state-nexus groups — conducting espionage against the 2008 U.S. presidential campaigns, targeting candidates on both sides of the aisle. And over the past few years, CrowdStrike intelligence has reported significantly on regional interventions in elections spanning from the Middle East to Latin America. 

In short, an expanding group of threat actors has come to view elections as high-leverage targets, and we shouldn’t expect that to change any time soon. 

The Threat Landscape: Continuity and Change 

What types of threat activity, specifically, should the elections security community be prepared to face? We’ll outline a few key concerns here. We want to be clear that this is a general advisory and not intended to characterize specific, ongoing malicious threat activity. That said, CrowdStrike strongly encourages organizations to watch for these types of malicious activity, which I’ve updated from previous writings.

Breaches

The most straightforward attack that political and election-related entities face remains the penetration of IT networks, assets and resources. Notably, both organizations and individuals are at risk, and personal accounts and devices are heavily targeted. In some instances, threat actors may seek intelligence on emerging policy positions or influential advisors. Breaches may also be the precursor to “hack and leak” campaigns, where sensitive private information is released to the public and later amplified (see “Misinformation and Disinformation” below). 

In other cases, breaches may precede ransomware attacks, which disrupt business processes and ultimately operations. There are examples of eCrime actors simply targeting political and policy institutions to extort funds. In addition, nation-state threat actors may also use pseudo, ransomware-style attacks, or other disruptive or destructive attacks, strategically timed to maximize damage and effect. 

Misinformation and Disinformation

The last several years have brought the topics of misinformation and disinformation surging to the forefront of public discourse. The terms themselves are often used interchangeably, but CISA definitions draw a useful distinction. Misinformation is false, but not created or shared with the intention of causing harm. Disinformation, on the other hand, is deliberately created to mislead, harm or manipulate a person, social group, organization or country. CrowdStrike’s particular focus is on cyber threat actors’ use of information operations to weaponize disinformation campaigns.

As the FBI and CISA recently alerted the public in a PSA, adversaries leverage traditional and social media channels to effectuate these operations. In some instances, the source or distribution channel of this information may be formal or quasi-formal propaganda outlets. In other instances, the source is personas that have developed a wide reach and can be further amplified on social media. In either case, legitimate outlets or social media users receive the information under false pretenses or simply share it uncritically. 

Such threats can take many forms, from low to high tech. Signs or fliers could be used to intentionally mislead, as could robocalls and bulk text messages. Manipulated or synthetic media-based campaigns are also on the rise. Manipulated media are authentic, but deceptively edited or mislabeled to provide incorrect context. Synthetic media include increasingly sophisticated “deep fakes” to mimic public figures, frequently doing or saying something intended to generate a particular — and often electorally harmful — political impression.  

Supply-Chain Attacks

Even organizations with strong security postures have dependencies on third parties, which adversaries increasingly target. High-profile breaches over the past several years illustrate that the compromise of one service provider, for example, can enable adversaries to launch attacks against thousands or even tens of thousands of their customers, users or clients.

In the context of elections, supply chains can include a diverse web of specialized vendors, from organizations that print and distribute campaign mail and digital ads, to those that manage the pollbooks and voting machines. Any part of the ecosystem can be exploited, and sophisticated adversaries have the capability to identify creative — and poorly defended — targets and attack surfaces.  

Broader Security Threats 

While this guide focuses on cyber threats to elections rather than physical threats or other barriers to voting, I’ll briefly acknowledge increasing reports of physical intimidation and threats of violence targeting poll workers and others. Such threats can be rooted in domestic politics alone, but it is worth mentioning that some adversaries, notably North Korea during a prominent 2014 hack of a media organization, have conducted blended operations that include destructive cyberattacks in concert with threats of violence to achieve greater effects. 

Vote suppression through intimidation or threats of violence — targeting voters or election facilitators — is a particularly insidious type of attack. The cybersecurity community must remain on high alert for indications that cyber threat actors are propagating, amplifying or weaponizing themes along these lines.  

Recommendations and Resources

While election threats are serious and ongoing, we can all do our respective part to meet the challenge. Our recommendations focus on four core themes, laid out below. 

Think Broadly 

First, CrowdStrike encourages stakeholders to take a broad view of what constitutes the election ecosystem. Those engaged directly in election administration understand the context, sensitivity and importance of their work. But those who support such organizations, or people who otherwise play a key role in the successful execution of elections, may not consider themselves targets or take the necessary steps to ensure security. People in roles within industries as diverse as television and news, manufacturing, social media, IT services, and shipping and logistics, for example, may ultimately play a critical part in successful elections. 

Employ a Risk-Informed Defense

Every cybersecurity guide harps on best practices, and this is no exception. It has been encouraging over the past couple of years to see the election community, together with counterparts in academia, nonprofits and the private sector, coalesce around strong security best practices — specifically for elections. Some of these resources are linked below and available in CrowdStrike’s Election Security Resource Center. 

One of those best practices is the use of a risk-informed approach to security. Elections are, by design, ephemeral and, in practice, traditionally under-resourced. Defenders throughout the ecosystem must focus on the most significant threats to their function, role or mission. For social media companies, that may mean combatting coordinated inauthentic behavior. For infrastructure providers, it may mean defending against supply chain attacks. For election administrators, that likely means defending against breaches. In an industry as broad as elections, the attack vectors can be as dynamic as the threats themselves. 

Build Capacity

From our point of view, it is absolutely essential to maintain the technical capability to detect an adversary and expel them from the network before they can accomplish actions on objectives. Doing this reliably entails the orchestration of people, processes and technologies. Because campaigns and other election entities can be short-lived in nature — forming and disbanding during a single cycle — achieving security maturity is even harder than with more permanent, long-standing organizations, which themselves often struggle with maturity. Increasingly, organizations in the space look to managed security services providers, such as CrowdStrike Falcon Complete™, to achieve the necessary speed and scale. 

Don’t Face the Threat Alone

Democracy is by definition a shared enterprise, and no one is alone in the fight to defend it. All of us throughout the extended election ecosystem should familiarize ourselves with other resources that can help us plan for success. CrowdStrike’s Cybersecurity and Election Security Resource Center highlights some of the entities we’ve partnered with and programs we’re supporting, and shares helpful videos, talks and assets produced by others making positive contributions in this space.

Specifically, we want to highlight key contributions and endpoint security services offerings for U.S. State, Local, Tribal and territorial governments from the Center for Internet Security, with whom we partner on this important mission. 

A notable addition this year, which we also want to highlight here, comes by way of the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Joint Cyber Defense Collaborate (JCDC), of which CrowdStrike is a plankholder member. The group aggregates a list of resources for the community: Cybersecurity Toolkit to Protect Elections. 

Our Work Must Continue 

The election community has come together significantly over the past several years and continues to get stronger. People are more aware of the threat of misinformation and disinformation and other tactics foreign adversaries use to affect discourse domestically. Further, after a long period of underinvestment, policymakers across the world have reemphasized providing additional funding and support for elections generally and election security specifically.  

But there’s more work to be done. The threats are real, and adversaries remain emboldened. While awareness is a good start, we must all play our parts to successfully mitigate proliferating risks. Please review these resources and contact us if we can provide additional support. 

Additional Resources 

• Visit the CrowdStrike Cybersecurity and Election Security Resource Center for valuable information and resources.
• Find out how CrowdStrike Services can help your organization answer its most important security questions by visiting the CrowdStrike Services webpage.
• Learn about CrowdStrike’s comprehensive next-gen endpoint protection platform by visiting the Falcon products webpage.
• Test CrowdStrike next-gen AV for yourself: Start your free trial of Falcon Prevent™.