1 Simple Step Could Help Election Security. Governments Aren't Doing It
Local governments across the United States could perform a simple upgrade to strengthen voters' confidence that they are what they say they are: use websites that end in .gov.
Federal officials control the keys to the ".gov" top-level domain, making it less likely that somebody could get one fraudulently and use it to fool people.
Domains that end in .com or .org, meanwhile, could be set up by attackers to try to intercept users seeking information from real sources.
But with an uneven appreciation across the country about the way a fake website could deceive users, and with little guidance from officialdom about what to do, many counties aren't taking that step, cyberspecialists say.
"The big problem today is we don't have a simple rule to tell people how to differentiate a legitimate election domain from one that was set up for malicious purposes," says Steve Grobman, a senior vice president at the cybersecurity firm McAfee.
A McAfee analysis from 2018 found that 95% of counties in Texas and Minnesota, 91% of counties in Michigan and 90% of counties in New Hampshire aren't using .gov addresses.
A recent NPR analysis of counties in Iowa, where voters are set to take part in the first-in-the-nation primary caucuses on Monday, found just nine of 99 counties using .gov addresses.
That's a glaring issue that could open up the door for a simple but potentially disastrous disinformation attack, says Grobman.
An attacker could mimic a real elections site by buying a similar domain name, copying the site and then picking a district in which to suppress votes.
"They could choose urban areas if they wish to suppress Democratic votes. They could choose rural areas if they choose to suppress Republican votes," Grobman says. "They would then send an email to users in those different districts that point them to a fraudulent site."
A fake site could look identical to a real site, only with slightly wrong polling-location information or slightly wrong times.
If both websites — the real one and the fake one — are closely alike and use .com top-level domains, voters probably would have no idea they were being manipulated until they showed up at a closed or empty polling location.
"Even narrowing the window slightly could suppress enough votes to make a material difference in the outcome of the election," Grobman says.
When it comes to getting good information, the Internet is a minefield.
That's a problem especially for governments, which need to get information out to people about things such as voting and have people be confident that what they're reading is legitimate.
That's not a given in 2020.
A plurality of Americans think misleading information is the biggest threat to a secure and accurate election this year, according to a recent NPR/ PBS NewsHour/Marist poll.
"One of the effective ways we think to counter disinformation campaigns is to have highly visible, credible and trustworthy sources of information," says Chris Krebs, the director of the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security.
Cybersecurity experts as well as federal government officials say having the entire government system — from localities to states to the federal government — all using .gov addresses would make it simple for people to know immediately that the website they're reading is to be trusted.
"Dot-gov is an authoritative message," Krebs says. "It says this is, in fact, government."
But thousands of local governments across the country aren't using it for websites that house their election information. That creates the possibility for attackers to exploit such domains by creating a fake site.
While such a plot might sound complicated, Grobman says it would take less than an hour for a malicious actor to build such a trap website.
Experts also say not having a consistent domain name structure for local governments makes it harder for them to communicate with each other.
Leading up to the 2016 election, attackers used email addresses that mimicked real addresses within the elections world to try to entice local officials to click on links.
Dot-gov addresses are harder to spoof than dot-coms or dot-orgs, so phishing attacks like this would be harder to pull off if official websites were uniform.
"Never heard anything about that"
The biggest reason more counties don't use the .gov infrastructure is a lack of communication from the federal government, officials, including Krebs, told NPR.
Basically, many local election leaders don't know it matters.
Last year, for example, Clinton County, Iowa, got a brand-new elections website. It has a clean layout with easy-to-use buttons labeled "Register to Vote," "Am I Registered?" and "How Do I Vote?"
"We love it," says Eric Van Lancker, the commissioner of elections for Clinton County. "We've been looking for something like this for years."
The URL, however, is clintoncountyelections.com — a dot-com URL.
Getting a .gov address isn't a particularly difficult process: It costs around $400 a year and usually takes a few weeks for the paperwork to process.
But Van Lancker says he just wasn't aware that it was recommended by the federal government.
"I think I'm pretty on top of the election issues and such here in the state of Iowa," Van Lancker says. "But I never heard anything about that."
That's not surprising, says Andrea Limbago, the chief social scientist at the cybersecurity company Virtru. She says that local officials have many disparate roles, and thinking about how their websites fit into the broader information landscape of America isn't usually at the top of the list.
"To assume that county officials have the full knowledge to be cybersecurity experts, I think it's unfair to expect that of them," Limbago says. "We don't really provide them a lot of the tools that are necessary."
A bill currently in committee in Congress would make .gov domain names available to local governments at "no cost or negligible cost."
If passed, it would also move responsibility for the domain program and the outreach about that domain program from the General Services Administration to Krebs' agency in DHS.
"There's an awareness gap," Krebs says. "We need to do a better job of going out there and helping state and local partners know that this is something available to them."
Copyright 2020 NPR. To see more, visit https://www.npr.org.