Counties in more than a dozen swing states across the country operate election-related websites that lack basic security measures and are not even identified as government related, computer security research firm McAfee found in a study published Wednesday.
“We found that large majorities of county websites use top level domain names such as .com, .net and .us rather than the government validated .gov in their web addresses,” the study found after examining 20 swing states. “Our findings essentially revealed that there is no official U.S. governing body validating whether the majority of county websites are legitimately owned by actual legitimate county entities.”
Websites that use .gov must pass a U.S. government validation process to ensure that the entity operating such a site indeed belongs to a government entity, McAfee said.
“This is important, because unlike .gov sites where there is a thorough vetting process and background checks, including government officials as references, anyone can buy a .com domain,” McAfee’s Chief Technology Officer Steve Grobman said in a statement. Attackers could launch a fake .com website that mimics a county website, he said.
Minnesota and Texas had the largest percentage of non-.gov domain names with 95.4 percent and 95 percent respectively, according to McAfee. They were followed by Michigan with 91.2 percent of the sites lacking a .gov designation, followed by 90 percent in New Hampshire, 86.6 percent in Mississippi, 85.9 percent in Ohio, the study found. McAfee chose the 20 swing states because they present the “most compelling targets for threat actors.”
Texas and Minnesota election authorities could not immediately be reached for comment.
A majority of the counties studied also “did not enforce the use of SSL, or Secure Sockets Layer certificates,” Grobman said. “These digital certificates protect a website visitor’s web sessions, encrypting any personal information voters might share and ensuring that bad actors can’t redirect site visitors to fraudulent sites that might give them false election information.”
McAfee highlighted that many of the county websites that lack the SSL feature clearly show up as “Not Secure” on the website’s address bar.
While Congress and the Department of Homeland Security have focused on reducing the risk of attackers interfering in the actual voting process, either by hacking into voting machines, or voter registration databases, adversaries could choose simpler and more effective techniques, Grobman said.
DHS Undersecretary Christopher Krebs told reporters earlier this week that the department was going through a series of exercises to figure out all the ways in which adversaries may try to interfere in the midterms, and helping states prepare for such eventualities.
Adversaries are more likely to employ a disinformation campaign in specific states or closely contested congressional districts with the goal of suppressing voter turnout, including such tactics as mass email campaigns that distribute fake websites and false information on polling locations, Grobman said. In such a scenario voters would likely turn to county websites for accurate information on polling stations, eligibility requirements, and other information, McAfee said.
If county websites lacking basic security measures can be duplicated, voters would likely never find accurate information, Grobman said.
McAfee said adversaries could produce mass email phishing campaigns targeting voters in key states using publicly available voter information. But the company did not find any evidence such a campaign was underway.
To ensure that voters get accurate information, state and county officials should offer official phone numbers where voters can call, and DHS must recommend that counties use .gov domains and employ security measures, McAfee said.
Watch: Initial Early Voting Data Appears to Favor GOP in Several Key States