Websites of the US County Election (Still) Failure to complete basic security measures

Websites of the US County Election (Still) Failure to complete basic security measures


In January 2020, McAfee launched the outcomes of a survey establishing the extent of the usage of .GOV validation and HTTPS encryption amongst county authorities web sites in 13 states projected to be crucial within the 2020 U.S. Presidential Election. The analysis was a results of  my concern that the shortage of .GOV and HTTPS amongst county authorities web sites and election-specific web sites may enable overseas or home malicious actors to probably create pretend web sites and use them to unfold disinformation within the remaining weeks and days main as much as Election Day 2020.

Subsequently, reviews emerged in August that the U.S. Federal Bureau of Investigations, between March and June, had recognized dozens of suspicious web sites made to seem like official U.S. state and federal election domains, a few of them referencing voting in states like Pennsylvania, Georgia, Tennessee, Florida and others.

These revelations compelled us to conduct a follow-up survey of county election web sites in all 50 U.S. states.

Why .GOV and HTTPS Matter

Utilizing a .GOV internet area reinforces the legitimacy of the location. Authorities entities that buy .GOV internet domains have submitted proof to the U.S. authorities that they really are the professional native, county, or state governments they claimed to be. Web sites utilizing .COM, .NET, .ORG, and .US domains may be bought with out such validation, that means that there isn’t a governing authority stopping malicious events from utilizing these names to arrange and promote any variety of fraudulent internet domains mimicking professional county authorities domains.

An adversary may use pretend election web sites for disinformation and voter suppression by focusing on particular residents in swing states with deceptive info on candidates or inaccurate info on the voting course of similar to ballot location and instances. On this approach, a malicious actor may impression election outcomes with out ever bodily or digitally interacting with voting machines or techniques.

The HTTPS encryption measure assures residents that any voter registration info shared with the location is encrypted, offering larger confidence within the entity with which they’re sharing that info. Web sites missing the mix of .GOV and HTTPS can’t present 100% assurance that voters searching for election info are visiting professional county and county election web sites. This leaves a gap for malicious actors to steal info or arrange disinformation schemes.

I just lately demonstrated how such a pretend web site can be created by mimicking a real county election web site after which inserting deceptive info that might affect voter conduct. This was carried out in an remoted lab setting that was not accessible to the web as to not create any confusion for professional voters.

In lots of instances, election web sites have been set as much as present a powerful consumer expertise versus a deal with mitigating considerations that they might be spoofed to use the communities they serve. Malicious actors can go off pretend election web sites and mislead giant numbers of voters earlier than detection by authorities organizations. A marketing campaign near election day may confuse voters and forestall votes from being solid, leading to lacking votes or total lack of confidence within the democratic system.

September 2020 Survey Findings

McAfee’s September survey of county election administration web sites in all 50 U.S. states (3089 counties) discovered that 80.2% of election administration web sites or webpages lack the .GOV validation that confirms they’re the web sites they declare to be.

Almost 45% of election administration web sites or webpages lack the required HTTPS encryption to forestall third-parties from re-directing voters to pretend web sites or stealing voter’s private info.

Solely 16.4% of U.S. county election web sites implement U.S. authorities .GOV validation and HTTPS encryption.

States # Counties # .GOV % .GOV # HTTPS % HTTPS # BOTH %BOTH
Alabama 67 8 11.9% 26 38.8% 6 9.0%
Alaska 18 1 5.6% 12 66.7% 1 5.6%
Arizona 15 11 73.3% 14 93.3% 11 73.3%
Arkansas 75 18 24.0% 30 40.0% 17 22.7%
California 58 8 13.8% 45 77.6% 6 10.3%
Colorado 64 21 32.8% 49 76.6% 20 31.3%
Connecticut 8 1 12.5% 2 25.0% 1 12.5%
Delaware 3 0 0.0% 0 0.0% 0 0.0%
Florida 67 4 6.0% 64 95.5% 4 6.0%
Georgia 159 40 25.2% 107 67.3% 35 22.0%
Hawaii 5 4 80.0% 4 80.0% 4 80.0%
Idaho 44 6 13.6% 28 63.6% 5 11.4%
Illinois 102 14 13.7% 60 58.8% 12 11.8%
Indiana 92 28 30.4% 41 44.6% 16 17.4%
Iowa 99 27 27.3% 80 80.8% 25 25.3%
Kansas 105 8 7.6% 46 43.8% 2 1.9%
Kentucky 120 19 15.8% 28 23.3% 15 12.5%
Louisiana 64 5 7.8% 12 18.8% 2 3.1%
Maine 16 0 0.0% 0 0.0% 0 0.0%
Maryland 23 9 39.1% 22 95.7% 8 34.8%
Massachusetts 14 3 21.4% 5 35.7% 2 14.3%
Michigan 83 9 10.8% 63 75.9% 9 10.8%
Minnesota 87 5 5.7% 59 67.8% 5 5.7%
Mississippi 82 8 9.8% 30 36.6% 5 6.1%
Missouri 114 8 7.0% 49 43.0% 7 6.1%
Montana 56 15 26.8% 21 37.5% 8 14.3%
Nebraska 93 35 37.6% 73 78.5% 32 34.4%
Nevada 16 3 18.8% 13 81.3% 2 12.5%
New Hampshire 10 0 0.0% 0 0.0% 0 0.0%
New Jersey 21 3 14.3% 11 52.4% 2 9.5%
New Mexico 33 7 21.2% 20 60.6% 6 18.2%
New York 62 15 24.2% 48 77.4% 14 22.6%
North Carolina 100 37 37.0% 69 69.0% 29 29.0%
North Dakota 53 3 5.7% 19 35.8% 2 3.8%
Ohio 88 77 87.5% 88 100.0% 77 87.5%
Oklahoma 77 1 1.3% 24 31.2% 1 1.3%
Oregon 36 1 2.8% 22 61.1% 0 0.0%
Pennsylvania 67 11 16.4% 40 59.7% 7 10.4%
Rhode Island 5 2 40.0% 3 60.0% 0 0.0%
South Carolina 46 15 32.6% 33 71.7% 13 28.3%
South Dakota 66 2 3.0% 14 21.2% 1 1.5%
Tennessee 95 23 24.2% 38 40.0% 12 12.6%
Texas 254 10 3.9% 86 33.9% 6 2.4%
Utah 29 8 27.6% 16 55.2% 7 24.1%
Vermont 14 0 0.0% 0 0.0% 0 0.0%
Virginia 95 33 34.7% 61 64.2% 35 36.8%
Washington 39 7 17.9% 26 66.7% 6 15.4%
West Virginia 55 18 32.7% 33 60.0% 16 29.1%
Wisconsin 72 16 22.2% 61 84.7% 11 15.3%
Wyoming 23 4 17.4% 15 65.2% 2 8.7%
Complete 3089 611 19.8% 1710 55.4% 507 16.4%

We discovered that the battleground states have been largely in a foul place when it got here to .GOV and HTTPS.

Solely 29% of election web sites used each .GOV and HTTPS in North Carolina, 22% in Georgia, 15.3% in Wisconsin, 10.8% in Michigan, 10.4% in Pennsylvania, and a couple of.4% in Texas.

Whereas 95.5% of Florida’s county election web sites and webpages use HTTPS encryption, solely 6% p.c validate their authenticity with .GOV.

Throughout the January 2020 survey, solely 11 Iowa counties protected their election administration pages and domains with .GOV validation and HTTPS encryption. By September 2020, that quantity rose to 25 as 14 counties added .GOV validation. However 72.7% of the state’s county election websites and pages nonetheless lack official U.S. authorities validation of their authenticity.

Alternatively, Ohio led the survey pool with 87.5% of election webpages and domains validated by .GOV and guarded by HTTPS encryption. 4 of 5 (80%) Hawaii counties shield their important county and election webpages with each .GOV validation and encryption and 73.3% of Arizona county election web sites do the identical.

What’s not working

Separate Election Websites. As many as 166 counties arrange web sites that have been utterly separate from their important county internet area.  Separate election websites might have easy-to-remember, user-friendly domains to make them extra accessible for the broadest doable viewers of residents. Examples embrace my very own county’s in addition to,,, and

The issue with these election-specific domains is that whereas 89.1% of those websites have HTTPS, 92.2% lack .GOV validation to ensure that they belong to the county governments they declare. Moreover, solely 7.2% of those domains have each .GOV and HTTPS applied. This means that malicious events may simply arrange quite a few web sites with equally named domains to spoof these professional websites.

Not on OUR web site. Some smaller counties with few sources usually cause that they’ll inform and shield voters just by linking from their county web sites to their states’ official election websites. Different smaller counties have prompt that social media platforms similar to Fb are preferable to election web sites to succeed in Web-savvy voters.

Sadly, neither of those approaches prevents malicious actors from spoofing their county authorities internet properties. Such actors may nonetheless arrange pretend web sites no matter whether or not the real web sites hyperlink to a .GOV validated state election web site or whether or not counties arrange wonderful Fb election pages.

For that matter, Fb is just not a authorities entity targeted on validating that organizational or group pages are owned by the entities they declare to be. The platform may simply as simply be utilized by malicious events to create pretend pages spreading disinformation about the place and tips on how to vote throughout elections.

It’s not OUR job. McAfee discovered that some states’ voters might be prone to pretend county election web sites although their counties have little if any position in any respect in administering elections. States similar to Connecticut, Delaware, Maine, Massachusetts, New Hampshire, Rhode Island and Vermont administer their elections by their native governments, that means that any election info is barely obtainable on the states’ web sites and people web sites belonging to main cities and cities. Whereas this association makes county-level web site comparisons with different states tough for the aim of our survey, it doesn’t make voters in these states any much less prone to pretend variations of their county web site.

There needs to be one recipe for the safety and integrity of presidency web sites similar to election web sites and that recipe needs to be .GOV and HTTPS.

What IS working: The Carrot & The Stick

Ohio’s management place in our survey seems to be the results of a state-led initiative to transition county election-related content material to .GOV validated internet properties. Ohio’s Secretary of State used “the stick” method by demanding by official order that counties implement .GOV and HTTPS on their election internet properties. If counties couldn’t transfer their current web sites to .GOV, he provided “the carrot” of permitting them to leverage the state’s area.

A majority of counties have subsequently transitioned their important county web sites to .GOV domains, their election-specific web sites to .GOV domains, or their election-specific webpages to Ohio’s personal .GOV-validated area.


Whereas Ohio’s important county web sites nonetheless largely lack .GOV validation, Ohio does present a mechanism for voters to rapidly assess if the primary election web site is actual or probably pretend. Different states ought to contemplate such interim methods till all county and native web sites with election capabilities may be absolutely transitioned to .GOV.

In the end, the top objective success needs to be that we’re in a position to inform voters that in the event that they don’t see .GOV and HTTPS, they shouldn’t consider {that a} web site is professional or protected. What we inform voters should be that easy, as a result of most people lacks a technical background to find out actual websites from pretend websites.

For extra info on our .GOV-HTTPS county web site analysis, potential disinformation campaigns, different threats to our elections, and voter security suggestions, please go to our Elections 2020 web page:

x3Cimg peak=”1″ width=”1″ fashion=”show:none” src=”″ />x3C/noscript>’);internet voting countries,online voting,election security best practices,election cybersecurity issues,elections handbook,ms-isac cybersecurity,center for internet security,voting terms definitions,words associated with voting,what is a combined polling place,election vocabulary words,voting terms quizlet,what is my election jurisdiction in illinois,am i registered to vote in maryland,early voting in maryland,bread and roses party,baltimore county board of elections,maryland absentee ballot montgomery county,maryland voter registration deadline 2020

You May Also Like