Today, SecurityScorecard released a report that reviews the overall cybersecurity posture, including election-related infrastructure, of all 56 U.S. states and territories leading up to the presidential election. The “State of the States” infographic report found that the vast majority (75%) showed signs of a vulnerable IT infrastructure. Since most state websites offer access to voter and election information, these findings may indicate unforeseen issues leading up to, and following, the U.S. election.
SecurityScorecard’s score for each state reflects the overall cybersecurity posture for the entire state, which includes the relevant state election office as identified through the following two resources:
Most states’ election “office” is part of their Secretary of State website, which itself is part of an entity’s overall digital footprint. However, examining the security for just the Secretary of State’s office would likely be incomplete since voter registration records and voter-related information could be kept in another part of a state’s IT infrastructure.
Only seven states (Pennsylvania, Idaho, North Carolina, South Carolina, Arizona, South Dakota, and Nevada) maintain independent websites dedicated to the election and voter-related information. However, these would still be digitally associated with a state’s umbrella website.
Five U.S. territories (American Samoa, Puerto Rico, Guam, Northern Mariana Islands, and the U.S. Virgin Islands) were included despite not having voter representation in the U.S. Congress or electoral votes for president. However, such territories help choose each party's nominee and political parties have the ability to include them in the primary selection process. Over three million people reside in these combined territories. Most importantly, anyone from these territories is a U.S. citizen.
SecurityScorecard calculated the scores for the period of September to early October 2020 with non-intrusive, publicly available data and based on individual scores within 10 categories: network security, DNS health, patching cadence, endpoint security, IP reputation, application security, cubit score, hacker chatter, information leaks, and social engineering.
For more information on how SecurityScorecard “scores” each state, please see the “meaning of scores and breach likelihood” section at the bottom of this fact sheet.
- 75% of U.S. states and territories’ overall cyberhealth are rated a ‘C’ or below. 35% have a ‘D’ and below
- States with a grade of 'C' are 3x more likely to experience a breach (or incident, such as ransomware) compared to an ‘A’ based on a three-year SecurityScorecard study of historical data
- Those with a 'D' are nearly 5x more likely to experience a breach
- States with the highest scores: Kentucky (95), Kansas (92), Michigan (92)
- States with the lowest scores: North Dakota (59), Illinois (60), Oklahoma (60)
- Among states and territories, there are as many ‘F’ scores as there are ‘A’s
- The Pandemic Effect: Many states’ scores have dropped significantly since January. For example, North Dakota scored a 72 in January and now has a 59
- Why? Remote work mandates gave state networks a larger attack surface (e.g., thousands of state workers on home Wi-Fi), making it more difficult to ensure employees are using up-to-date software
- SecurityScorecard observed significant security concerns with two critically important “battleground” states, Iowa and Ohio, both of which scored a 68, or a ‘D’ rating.
- According to political experts, the following states are considered ‘battleground’ and will help determine the result of the election, but half of these states’ overall IT infrastructure is lacking
- Michigan: 92 (A)
- Wisconsin: 88 (B)
- Texas: 85 (B)
- Pennsylvania: 85 (B)
- North Carolina: 81 (B)
- Arizona: 81 (B)
- New Hampshire: 77 (C)
- Georgia: 77 (C)
- Nevada: 74 (C)
- Florida: 73 (C)
- Iowa: 68 (D)
- Ohio: 68 (D)
- Endpoint security was the lowest-scoring category (among 10 categories) across all 50 states and five territories, with an average score of 61. When scoring endpoint security, SecurityScorecard measured detected versions for operating systems, web browsers, and other notable data points that comprise endpoint security
- Massachusetts rates last in endpoint security with nearly 2,000 outdated operating system (OS) findings. Illinois comes in second-lowest with over 1,000 findings
- Why this matters: Outdated software is vulnerable to the latest security threats, making it easier for attackers to deploy malware, either via a drive-by-download attack or spear-phishing attack
- The good news: States can enhance their security by updating web browsers and operating systems to the latest available versions
- Malware is a big problem: West Virginia, Idaho and Indiana have the highest count of malware present across multiple malware families
- Common examples of malware present in a state’s infrastructure: Conficker, Emotet, Trickbot, Matsnu, and Qrypter.rat
- Why this matters: Malicious actors may be able to gain access to state networks simply by purchasing access from criminal groups that have gained a foothold through pre-existing malware infections
- In what appears to be a continued problem, SecurityScorecard observed a high volume of Server Message Block (SMB), particularly SMB protocols exposed to the public internet. SMB enables applications and users to access files (or other resources like printers) on remote servers. When SMB is exposed to the public internet, actors can quickly and easily gain access to a network
- This is how the infamous WannaCry and Petya ransomware attacks were executed
- Microsoft released a patch in 2017, and it is considered best practice to restrict this protocol to internal connections only. Three years later, this should not be exploited anymore
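One way a state IT team could audit its own perimeter rules for the SMB exposure described above. This is an added example, not part of the SecurityScorecard report; the rule format, rule names and sample addresses are hypothetical, and rule precedence is not modelled.

```python
import ipaddress

# RFC 1918 ranges count as internal; every other source is treated as internet-facing.
# IPv6 sources are treated as external in this simplified check.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = (139, 445)  # NetBIOS session service, SMB over TCP


def is_internal(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(r) for r in INTERNAL)


def smb_exposed_rules(rules):
    """Return (rule name, SMB ports) for allow rules reachable from non-internal sources."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["protocol"] not in ("tcp", "any"):
            continue
        low, high = rule["ports"]
        # A wide port range can cover SMB without naming it, so test range membership.
        ports = [p for p in SMB_PORTS if low <= p <= high]
        if ports and not is_internal(rule["source"]):
            findings.append((rule["name"], ports))
    return findings


# Constructed sample rule set in a hypothetical format (not data from the report).
SAMPLE_RULES = [
    {"name": "web-in", "action": "allow", "protocol": "tcp",
     "ports": (443, 443), "source": "0.0.0.0/0"},
    {"name": "fileshare-any", "action": "allow", "protocol": "tcp",
     "ports": (445, 445), "source": "0.0.0.0/0"},
    {"name": "fileshare-lan", "action": "allow", "protocol": "tcp",
     "ports": (445, 445), "source": "10.20.0.0/16"},
    {"name": "legacy-range", "action": "allow", "protocol": "tcp",
     "ports": (1, 1024), "source": "203.0.113.0/24"},
    {"name": "deny-smb", "action": "deny", "protocol": "tcp",
     "ports": (445, 445), "source": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for name, ports in smb_exposed_rules(SAMPLE_RULES):
        print(f"{name}: SMB port(s) {ports} allowed from outside internal ranges")
```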
Potential consequences of lower scores
- Targeted phishing/malware delivery via e-mail and other mediums, potentially as a means to both infect networks and spread misinformation
- Malicious actors often sell access to organizations they have successfully infected
- Attacks via third-party vendors - many states use the same vendors, so access into one could mean access to all
- In fact, third parties are the primary area of focus for political campaigns because a significant amount of information is held by mom-and-pop ad-buying shops and pollster outfits. It’s not about the campaigns being attacked themselves, but one of their vendors
- Voter registration databases could be impacted, but more information about a state’s IT infrastructure would need to be uncovered to determine how such information is maintained within the state’s overall IT architecture, i.e., a low score may not necessarily mean that such information is easily compromised
- In the worst-case scenario, attackers could remove voter registrations or change voter precinct information or make crucial systems entirely unavailable on Election Day through ransomware
How states and territories can improve: We’re here to help
Election security is a significant priority for SecurityScorecard because the company’s mission is to make the world a safer place. The company already provides federal campaigns and federal political parties, on both sides of the aisle, its cybersecurity product and services at no cost. On Election Day, SecurityScorecard has given all employees the day off as part of the Make Time to Vote nonpartisan movement, joining over 1,000 companies to increase voter participation.
This report is part of that broader effort, and we’re here to help each state - not scare or embarrass them. Any state that wishes to receive a free version of its Scorecard may contact [email protected] and will promptly receive a complimentary version of the company’s product expanded beyond what is otherwise publicly offered.
A set of best practices for states and territories
- Create dedicated voter and election-specific websites under the domains of the official state domain, rather than using alternative domain names which can be subjected to typosquatting
- Have an IT team specifically tasked and accountable for bolstering voter and election website cybersecurity: defined as confidentiality, integrity, and availability of all processed information
- States should establish clear lines of authority for updating the information on these sites that includes the ‘two-person’ rule — no single individual should be able to update information without a second person authorizing it
- States and counties should continuously monitor the cybersecurity exposure of all assets associated with election systems, and ensure that vendors supplying equipment and services to the election process undergo stringent processes
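The first recommendation above can be checked mechanically. The sketch below sorts observed hostnames into those under the official state domain, near-miss look-alikes, and unrelated alternative domains. It is an added example, not part of the SecurityScorecard report; `state.example` and the observed hostnames are constructed placeholders, and it assumes two-label registrable domains instead of consulting the Public Suffix List.

```python
def edit_distance(a, b):
    """Levenshtein distance, computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable(host):
    # Assumption: the registrable domain is the last two labels.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(host, official, max_distance=2):
    """Label a hostname relative to the official state domain."""
    host = host.lower().rstrip(".")
    # The leading dot matters: "votestate.example" must not pass as a subdomain.
    if host == official or host.endswith("." + official):
        return "official"
    if edit_distance(registrable(host), official) <= max_distance:
        return "lookalike"
    return "off-domain"


def audit(hosts, official):
    """Group hostnames by classification for review."""
    report = {"official": [], "lookalike": [], "off-domain": []}
    for h in hosts:
        report[classify(h, official)].append(h)
    return report


OFFICIAL = "state.example"  # constructed placeholder for the official state domain
OBSERVED = [                # constructed sample hostnames
    "vote.state.example",
    "elections.state.example",
    "vote.statee.example",
    "stale.example",
    "votestate.example",
]

if __name__ == "__main__":
    for label, hosts in audit(OBSERVED, OFFICIAL).items():
        print(label, hosts)
```

Hostnames in the "off-domain" group are the alternative domain names the recommendation warns about: they are not typos of the official domain, but voters have no way to tie them to it.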
Since 2016, states have undoubtedly made improvements to their IT infrastructure in the wake of interference from foreign threat actors, particularly during the 2016 election. But, the pandemic has brought significant challenges to states with many facing hiring freezes and significant budget deficits. States cannot do this alone.
We recommend that Congress and the federal government provide states with greater resources and funding, particularly given chronic underinvestment in IT across most states. The voting infrastructure and the upcoming election are only a very small part of a much bigger story: states are in an even more difficult position given the pandemic and they need federal assistance.
Finally, as voters consider electing (or re-electing) state officials and members of Congress from their state, they may also consider the security score of that state. This would be no different than what a board of directors for a company would evaluate in terms of the cyberhealth of that particular company.
Complete list of scores
*States in blue are Democrat-leaning, red are Republican-leaning, and black are battleground
- Illinois: 60
- Connecticut: 62
- Delaware: 65
- Oregon: 74
- California: 74
- Massachusetts: 74
- Washington: 74
- District of Columbia: 75
- New York: 76
- Rhode Island: 76
- Montana: 77
- Vermont: 77
- Virginia: 78
- New Jersey: 80
- Colorado: 81
- New Mexico: 81
- North Dakota: 59
- Oklahoma: 60
- Indiana: 60
- Arkansas: 65
- Alabama: 66
- Louisiana: 67
- Mississippi: 67
- Wyoming: 68
- South Carolina: 72
- West Virginia: 73
- Utah: 73
- Idaho: 74
- Tennessee: 79
- Missouri: 82
- South Dakota: 83
- Alaska: 84
- Kansas: 92
- Kentucky: 95
- Iowa: 68
- Ohio: 68
- Minnesota: 68
- Florida: 73
- Nevada: 74
- Nebraska: 75
- Maine: 76
- New Hampshire: 77
- Georgia: 77
- Arizona: 81
- North Carolina: 81
- Pennsylvania: 85
- Texas: 85
- Wisconsin: 88
- Michigan: 92
- (Territory) American Samoa: 43
- (Territory) Puerto Rico: 53
- (Territory) Guam: 69
- (Territory) Northern Mariana Islands: 75
- (Territory) Virgin Islands: 76
Meaning of scores and breach likelihood
SecurityScorecard ratings provide insights and a detailed analysis of the security posture of an organization or entity. The ‘total score’ consists of an easy to understand letter grade A (100) to F (0) and quickly conveys an overall assessment of security hygiene. The ‘total score’ is a weighted average of 10 ‘Factor Scores,’ which provide useful insights into detected vulnerabilities grouped into different categories. Factors (or categories) include network security, DNS health, patching cadence, endpoint security, IP reputation, application security, cubit score, hacker chatter, information leaks, and social engineering.
How accurate are SecurityScorecard’s security ratings?
Online Business Systems found SecurityScorecard’s footprinting to be very accurate. Over the course of testing, Online evaluated SecurityScorecard’s data for a total of 13 unique, unrelated, and randomly selected domains and found SecurityScorecard’s attribution process to have an accuracy of 95%. The accuracy for positively attributing IP Addresses was found to be 94%, and for DNS Records it was found to be 100%. Read the full SecurityScorecard Summary Validation Assessment Report here. For more information, please see our accuracy page, a deep dive into our scoring methodology and the SecurityScorecard Trust Portal as well as an explanation of how SecurityScorecard collects data and calculates ratings.
Cybersecurity ratings can be compared to financial credit ratings.
Just as a poor credit rating is associated with a greater probability of default, a poor grade score evaluates organizations’ security profiles non-intrusively, using an ‘outside-in’ methodology. This approach enables SecurityScorecard to operate at scale, measuring and updating cybersecurity ratings daily on more than 1.5 million organizations globally. Relative breach likelihood increases as the SecurityScorecard grade decreases. For example, companies with an ‘F’ rating are 5.6x more likely to suffer a data breach versus those with an ‘A’ rating.