County Websites Are in a Vulnerable Position
McAfee’s survey of the external security measures for county election websites included Arizona, Florida, Georgia, Iowa, Michigan, Minnesota, Nevada, New Hampshire, North Carolina, Ohio, Pennsylvania, Texas and Wisconsin. Together, those states account for 201 of the 270 electoral votes required to win the U.S. presidential election, McAfee notes.
“Whereas websites using .com, .net, .org, and .us in their names are easily accessible to anyone with a credit card from website domain vendors such as GoDaddy.com, acquiring a .gov website name requires that buyers submit evidence to the U.S. government that they truly are buying these names on behalf of legitimate local, county, or state government entities,” McAfee spokesperson Chris Palm tells Government Technology. “The lack of .gov in a website name means that no controlling government authority has validated that the website in question is legitimate,” he says.
Of the 1,117 counties in the survey group, 83.3 percent of their websites lacked .gov validation. The McAfee survey found that Minnesota and Texas ranked the lowest among the surveyed states in terms of .gov county coverage, with 4.6 percent and 5.1 percent coverage, respectively. Arizona ranked the highest in .gov county coverage with 66.7 percent, still leaving a third of the state’s counties uncovered.
McAfee’s survey found that 46.6 percent of county websites lack HTTPS encryption. Texas ranked the lowest in terms of HTTPS protection, with only 22.8 percent of its county websites protected. Arizona led in county HTTPS protection with 80 percent, followed by Nevada (75.0 percent), Iowa (70.7 percent), Michigan (65.1 percent) and Wisconsin (63.9 percent). Again, these “leader” states still lacked HTTPS coverage for approximately a third of their counties.
The dangers for counties are real. “Hackers typically look to carry out their attacks with the least amount of effort and the fewest resources. Instead of hacking into local voting systems and changing vote counts, hackers could conduct a digital disinformation campaign to influence voter behavior during the elections,” McAfee notes.
Such attacks would be aimed at suppressing or disrupting the voting process “by setting up bogus websites with official sounding domains and related email addresses.” Malicious actors could then use bogus email addresses to send mass email blasts “intended to feed unsuspecting voter email recipients false information on when, where, and how to vote,” McAfee says.
How to Enhance Website Security
Some states are transitioning county government websites to .gov domains. For example, while only 19.3 percent of Ohio’s 88 main county websites have .gov validation, the state leads McAfee’s survey with 76.1 percent of county election websites and webpages validated by .gov certification.
Ohio has been pushing an initiative to transition county election-related content to .gov-validated websites. A majority of counties have transitioned their main county websites .gov domains, their election-specific websites to .gov domains, or their election-specific webpages to Ohio’s own .gov-validated https://ohio.gov/ domain. The Hypertext Transfer Protocol serves as an application layer protocol, which means it focuses on how information is presented to a user but is not designed around data transfer. Since it is stateless and does not remember anything from previous web sessions, HTTP sends less data, which makes it speedier. However, it is also unsecured because the data being transferred is not encrypted.
Congress is currently considering legislation to enable state and local governments to transition to a .gov domain under a program funded through the Department of Homeland Security’s Homeland Security Grant Program.
In terms of HTTPS, Hypertext Transfer Protocol Secure is like HTTP, but the data is transferred in conjunction with another protocol, Secure Sockets Layer, now known as transport layer security.
While HTTP and HTTPS are focused on how info is presented, SSL/TLS is not concerned with what data looks like, but rather on encrypting the data: It produces a secure connection between web servers and web browsers.
Fortunately for counties, it is getting easier to securely move to HTTPS. IDG News Service reports “there are websites like Qualys SSL Labs that provide free documentation on TLS best practices, as well as testing tools to discover misconfigurations and weaknesses in existing deployments. Meanwhile, other websites provide resources on TLS performance optimizations.”
Businesses are moving to HTTPS because it makes their websites and transactions more secure, not just because Google will ding them if they do not. HTTPS protects users from malware, “man in the middle” attacks and advertising that might get injected into unencrypted web traffic, IDG adds.
HTTPS also increases users’ trust in a business, and in a world where so much commerce is done online and users check companies’ websites to validate and compare them, HTTPS in a browser bar is a seal of approval.