According to information provided by the Wisconsin Elections Commission, as of September 23, 2019 there were over 1900 county and municipal clerks that were responsible for administering elections in the state of Wisconsin. That means there are potentially over 1900 different computer systems and sets of election equipment that need to be secure, both physically and in the cyber world.
A cyber attacker could target and attack any one of these clerks at any time, and the fact that all their names and email addresses are publicly available and posted right on the Commission’s website could speed up an attacker’s progress. If an attacker wanted to target a specific clerk, they could use the clerk’s email address to send a spear-phishing email with a malicious attachment. If that malicious attachment is opened, it could allow the attacker to harvest usernames and passwords, exfiltrate or modify data, or even encrypt the clerk’s entire system with ransomware. Depending on what the attacker can do, the attack could affect the administration of an election by denying the clerk access to needed election materials, or, if poll books were somehow accessed or modified, it could complicate a voter’s ability to cast their vote.
Setting aside what the attacker can do, the bigger issue may be the fact that they were able to access the clerk’s systems. If an election system breach occurs, the voting public may feel less confident in the integrity of the election and less sure that their vote counts. This might be the specific intent of the attacker – to reduce confidence in the election. Whether the attacker is successful in harvesting credentials or encrypting data, the mere fact that they were able to gain access to the system might have a deterrent effect on those who are not regular voters, thus lessening voter turnout.
Because Wisconsin has so many clerks and potentially many different computer systems, it is imperative that good cybersecurity practices are implemented for election systems and that those responsible for them receive appropriate cybersecurity training, so that malicious activity can be recognized and the attacker can be prevented from gaining access to the systems in the first place.