Election Security Spotlight – Bots

What it is

Bots are automated applications or scripts designed to perform repetitive tasks without requiring human input. Overall, bot activity composes nearly half of all web traffic. Though much reporting surrounding bots focuses on their malicious behaviors, bots have many legitimate purposes. Examples of legitimate purposes include web crawlers to identify search results, chatbots on instant messaging services and websites, curation for conventional online news or social networking sites, and interactive services like Apple’s Siri or Google Assistant. Bots are used maliciously to distribute spam, conduct distributed denial of service (DDOS) attacks, operate as malware command and control infrastructure, or flood public forums with fraudulent commentary to propagate a specific message. When a collection of multiple bots is controlled by a single source, it is known as a botnet. A botnet is typically used to amplify the capabilities of its component bots and launch large-scale attacks. In order to build a botnet, malicious actors exploit vulnerable, unpatched systems or devices, gathering tens, hundreds, or thousands of bots. These compromised hosts that participate in a botnet are commonly referred to as “zombies.”

Why does it matter

Election office devices running vulnerable services could be infected by bots and act as unwitting participants in a botnet. Bots operating on election infrastructure are likely to drain system resources and slow down affected systems. Furthermore, participation in a botnet is likely to result in the participating IP or email address being placed on blacklists. Blacklists are reputation-based lists that cybersecurity professionals use to prevent connectivity with malicious IP and email addresses. Being on a blacklist means that electronic traffic, including legitimate traffic, to and from an election office may be blocked.

Similar to an election office being erroneously included on a blacklist, other legitimate IP or email addresses may be infected and participating in a botnet. Election offices may be the intentional or accidental target of these botnet-driven attacks or legitimate bot traffic may be mistakenly identified as an attack. Understanding bots and botnet infrastructure is essential when monitoring network activity and responding to incidents involving bot-related malicious activity.

Malicious actors also use social media bots to propagate disinformation to skew online perceptions or further criminal activity, which could affect local government election offices. Potential examples include the spreading of inaccurate electoral information, such as fake election results, polling locations, or election dates, and the use of social media bots to post negative information about an entity if an extortion demand is not paid.

What you can do

Election offices should routinely patch systems and maintain up-to-date anti-malware protection to ensure malicious actors do not exploit election systems as part of a botnet. The EI-ISAC’s services include monitoring for botnet activity through notifications to affected election offices if IP addresses belonging to your office are identified participating in botnet activity. To register your IP addresses and domain names with the EI-ISAC, email [email protected].

To help mitigate the effects of social media bots, ensure that any election office presence on social media is actively monitored, clearly labeled as authentic, and maintained with up-to-date electoral information. Election offices should also consider social media monitoring to identify potential misinformation campaigns and inform voters of authoritative sources. If you identify suspicious accounts or activity, contact the EI-ISAC, your local FBI office, or FBI CyWatch. In particular, the FBI’s Protected Voices initiative to mitigate the risk of cyber influence operations targeting U.S. elections provides additional resources that can be used to assist election staff and the public.

The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to election infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the election community, please contact [email protected].