SecurityScorecard Reveals 75% of US States and Territories Have Poor Overall Cybersecurity Leading up to Election
- Research Found that the Overall IT Infrastructure in 75% of U.S. States and Territories are Graded a 'C' or Lower
- Security Profiles Have Weakened Significantly During the Pandemic
New York – October 15, 2020 – A report released today reviews the overall cybersecurity posture, including election-related infrastructure, of all 56 U.S. states and territories leading up to the presidential election. The “State of the States” infographic report found that the vast majority (75%) showed signs of a vulnerable IT infrastructure. The report was authored by SecurityScorecard, a New York-based cybersecurity firm and the global leader in security ratings. Since most state websites offer access to voter and election information, these findings may indicate unforeseen issues leading up to, and following the US election.
- Seventy-five percent of U.S. states and territories’ overall cyberhealth are rated a ‘C’ or below; 35% have a ‘D’ and below.
- States with a grade of 'C' are 3x more likely to experience a breach (or incident, such as ransomware) compared to an ‘A’ based on a three-year SecurityScorecard study of historical data
- Those with a 'D' are nearly 5x more likely to experience a breach
- States with the highest scores: Kentucky (95) Kansas (92) Michigan (92)
- States with the lowest scores: North Dakota (59) Illinois (60) Oklahoma (60)
- Among states and territories, there are as many ‘F’ scores as there are ‘A’s
- The Pandemic Effect: Many states’ scores have dropped significantly since January. For example, North Dakota scored a 72 in January and now has a 59
- Why? Remote work mandates gave state networks a larger attack surface (e.g., thousands of state workers on home Wi-Fi), making it more difficult to ensure employees are using up-to-date software
- SecurityScorecard observed significant security concerns with two critically important “battleground” states, Iowa and Ohio, both of which scored a 68, or a ‘D’ rating.
- According to political experts, the following states are considered “battleground” and will help determine the result of the election. But over half have a lacking overall IT infrastructure:
- Michigan: 92 (A)
- Wisconsin: 88 (B)
- Texas: 85 (B)
- Pennsylvania: 85 (B)
- North Carolina: 81 (B)
- Arizona: 81 (B)
- New Hampshire: 77 (C)
- Georgia: 77 (C)
- Nevada: 74 (C)
- Florida: 73 (C)
- Iowa: 68 (D)
- Ohio: 68 (D)
“The IT infrastructure of state governments should be of critical importance to securing election integrity,” said Alex Heid, chief research and development officer at SecurityScorecard. “This is especially true in ‘battleground states’ where the Department of Homeland Security, political parties, campaigns, and state government officials should enforce vigilance through continuously monitoring state voter registration networks and web applications for the purpose of mitigating incoming attacks from malicious actors. The digital storage and transmission of voter registration and voter tally data needs to remain flawlessly intact. Some states have been doing well regarding their overall cybersecurity posture, but the vast majority have major improvements to make.”
Potential Consequences of Lower Scores
- Targeted phishing/malware delivery via e-mail and other mediums, potentially as a means to both infect networks and spread misinformation
- Malicious actors often sell access to organizations they have successfully infected
- Attacks via third-party vendors - many states use the same vendors, so access into one could mean access to all. This is the top cybersecurity concern for political campaigns
- Voter registration databases could be impacted
- In the worst-case scenario, attackers could remove voter registrations or change voter precinct information or make crucial systems entirely unavailable on Election Day through ransomware
“These poor scores have consequences that go beyond elections; the findings show chronic underinvestment in IT by state governments,” said Rob Knake, the former director for cybersecurity policy at the White House in the Obama Administration. “For instance, combatting COVID-19 requires the federal government to rely on the apparatus of the states. It suggests the need for a massive influx of funds as part of any future stimulus to refresh state IT systems to not only ensure safe and secure elections but save more lives.”
How States and Territories Can Improve
First and foremost, election security is a significant priority for SecurityScorecard as it is aligned with the company’s mission to make the world a safer place. Any state that wishes to receive a free version of its Scorecard may contact [email protected] and will promptly receive a complimentary version of the company’s product expanded beyond what is otherwise publicly offered.
"SecurityScorecard takes election security very seriously and we are here to help. While this report shines a light on some of the gaps in state security, there are paths to remediation,” said Sachin Bansal, general counsel at SecurityScorecard. “We already offer our solution at no charge to all federal campaigns and parties, and the same offer now applies to any state and territory. We're on the same side of the fight against malicious actors who threaten the safety and security of our national cyber infrastructures.”
A set of best practices for states includes:
- Create dedicated voter and election-specific websites under the domains of the official state domain, rather than using alternative domain names which can be subjected to typosquatting
- Have an IT team specifically tasked and accountable for bolstering voter and election website cybersecurity: defined as confidentiality, integrity, and availability of all processed information
- States should establish clear lines of authority for updating the information on these sites that includes the ‘two-person’ rule — no single individual should be able to update information without a second person authorizing it
- States and counties should continuously monitor the cybersecurity exposure of all assets associated with election systems, and ensure that vendors supplying equipment and services to the election process undergo stringent processes
Methodology and the Meaning of Scores and Breach Likelihood
From September to early October 2020, SecurityScorecard evaluated and scored each state based on findings across 10 categories: network security, DNS health, patching cadence, endpoint security, IP reputation, application security, cubit score, hacker chatter, information leaks, and social engineering. Technical findings, methodology, and an explanation of the score meanings and breach likelihood stats can be found in this fact sheet. More information on scoring methodology is explained in full on the SecurityScorecard Trust Portal.
The full visual representation of the data can be found here.
SecurityScorecard is the global leader in cybersecurity ratings and the only service with over a million companies continuously rated. Founded in 2013 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard’s patented rating technology is used by over 1,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, and cyber insurance underwriting. SecurityScorecard continues to make the world a safer place by transforming the way companies understand, improve, and communicate cybersecurity risk to their boards, employees, and vendors. Every company has the universal right to their trusted and transparent Instant SecurityScorecard rating. For more information, visit securityscorecard.com or connect with us on LinkedIn.