Around half of states typically considered battleground states are facing cybersecurity challenges that put them at risk of a breach ahead of election day, a study released Wednesday found.
IT security group SecurityScorecard evaluated and ranked all U.S. states and territories on their overall cybersecurity posture between September and early October, examining state election-related websites, along with network security, information leaks, endpoint security and other cybersecurity issues.
The company awarded 75 percent of all states and territories a “C” rating or below, including traditional swing states such as Florida, Iowa, Nevada, New Hampshire and Ohio. Of these, 35 percent were awarded a “D” or below, with North Dakota, Puerto Rico and American Samoa awarded the lowest scores.
Only three states – Kentucky, Kansas and Michigan – were awarded an “A” or above, while traditional swing states including Pennsylvania and Wisconsin received “B” scores. Among the U.S. territories, none ranked higher than a “C” rating.
SecurityScorecard noted that the lower the rating, the more susceptible the state was to a major cybersecurity incident, with a state receiving a “D” rating around four times as likely as a state awarded an “A” to experience a data breach.
The company also noted that the cybersecurity posture of many states had declined during the COVID-19 pandemic due to more government employees working from home, thereby expanding the attack surface for hackers due to an influx of less secure networks.
For states with lower scores, election security could be endangered by lower marks, with the researchers noting that malicious phishing emails containing malware could more easily be spread, as well as opening up more avenues for hackers to potentially exploit vulnerabilities in state voter registration systems.
“Since 2016, states have undoubtedly made improvements to their IT infrastructure in the wake of interference from foreign threat actors, particularly during the 2016 election,” SecurityScorecard researchers wrote in the report. “But, the pandemic has brought significant challenges to states with many facing hiring freezes and significant budget deficits. States cannot do this alone.”
Video: Facebook bans QAnon accounts across platforms (NBC News)
The company advocated for Congress to provide cybersecurity funding to states to address shortfalls, citing “chronic underinvestment” by many states in this area.
“The voting infrastructure and the upcoming election is only a very small part of a very bigger story: states are in an even more difficult position given the pandemic and they need federal assistance,” SecurityScorecard researchers wrote.
The findings of the company came amid ongoing efforts by federal, state and local officials to shore up election security and ensure voter safety ahead of November.
Top officials have warned that foreign adversaries including Russia, China and Iran are attempting to interfere in the elections process, though the federal effort to combat election security threats has been significantly stepped up since Russian agents interfered in the 2016 presidential election.
The study from SecurityScorecard was released the same day a second study on state cybersecurity concerns was rolled out by the National Association of State Chief Information Officers (NASCIO) and Deloitte.
NASCIO and Deloitte found that the COVID-19 pandemic has significantly increased state cybersecurity problems, mostly due to the shift to remote working and not prioritizing cybersecurity funding at the state level.
The organizations found that less than 40 percent of the 51 U.S. state and territory chief information security officers polled had a dedicated line item for cybersecurity in the budget, and that half of states spend less than 3 percent of their IT budget on cybersecurity.
“The last six months have created new opportunities for cyber threats and amplified existing cybersecurity challenges for state governments,” Meredith Ward, director of policy and research at NASCIO, said in a statement. “The budget and talent challenges experienced in recent years have only grown, and CISOs are now also faced with an acceleration of strategic initiatives to address threats associated with the pandemic.”
States have faced increasing cybersecurity challenges over the past two years, in particular from ransomware attacks, with cities including Atlanta, Baltimore and New Orleans spending millions of dollars to recover from these types of attacks that lock up systems.
Members of Congress on both sides of the aisle have recognized the increasing cyber challenges faced by states and localities, introducing numerous pieces of legislation over the past year designed to provide funding and other resources.