EI-ISAC Cybersecurity Spotlight – CAPTCHA
What it is
The Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA) is a challenge-response test used to determine whether a user is a human. CAPTCHA tests are often based on visual-perception tasks, such as reading distorted text or selecting particular images, but they can also be audio based. Because researchers and malicious actors have developed multiple methods to defeat the visual and audio tests, including automated solvers and paid human-solving services, newer versions add further signals, such as analysis of how the user interacts with the page. On the Internet, CAPTCHA is used to protect website forms and other services from abusive traffic, mostly generated by bots, including credential stuffing (automated reuse of stolen username and password pairs), email bombs, and spam or inappropriate comments on discussion boards.
Figure 1: Two examples of CAPTCHA tests as they commonly appear on websites.
Why does it matter
An automated process previously disrupted an election office's activities; the disruption would have been prevented by the use of CAPTCHA. Malicious actors could use input forms that lack CAPTCHA validation to automate activity such as filling in and submitting forms, posting comments, and generating social media replies. This could lead to invalid or modified voter registrations, skewed feedback from online comments, denial of service, or the use of an election website's own forms (for example, a contact or subscription form that sends mail to a user-supplied address) as a source of an email bomb. CAPTCHA helps defend against these kinds of attacks.
What you can do
If an election website contains user input fields, such as registration forms or comment sections, consider using CAPTCHA or alternate means of form security. The EI-ISAC recommends that election officials work with their IT and website staff to incorporate these measures into their election website's defenses, as the software provides a strong defensive layer against bots. CAPTCHA is one layer, not a substitute for server-side validation of what is submitted, and the CAPTCHA result itself must be checked on the server: a check performed only in the browser can be skipped by a bot that posts directly to the form's endpoint. If an election website is currently using CAPTCHA, ensure the most current version is running and that automatic updates are enabled.
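The following is an added worked example, not code from this Spotlight or from any CAPTCHA vendor. It shows the challenge-response mechanics described under "What it is" and the server-side check recommended above: the server issues a signed, time-limited challenge, the answer is never sent to the browser in clear, each challenge can be used exactly once, and a form submission that arrives without a valid CAPTCHA result (as a bot posting straight to the endpoint would) is refused. The form handler, the field names captcha_token and captcha_response, and the in-memory store of spent challenges are assumptions for illustration; rendering the answer as a distorted image or audio is out of scope.

```python
"""Challenge-response CAPTCHA gate: issue a challenge, verify the response server-side.

Added illustration, not code from the EI-ISAC page. The form handler and field names
are hypothetical; drawing/speaking the answer is left to a renderer that is not shown.
"""
import hashlib
import hmac
import secrets
import time
from typing import Tuple

# Characters that are hard to confuse when rendered (no 0/O, 1/I/l).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


class CaptchaGate:
    """Issues signed, time-limited, single-use challenges and checks responses."""

    def __init__(self, secret: bytes, ttl_seconds: int = 300, clock=time.time):
        self._secret = secret      # server-only key; never sent to the browser
        self._ttl = ttl_seconds    # how long a challenge stays valid
        self._clock = clock        # injectable so expiry can be tested deterministically
        self._spent = set()        # nonces already consumed (a shared cache in a multi-server deployment)

    def _mac(self, nonce: str, expires: int, answer: str) -> str:
        # The MAC commits the server to one answer without storing it anywhere.
        msg = f"{nonce}.{expires}.{answer.strip().upper()}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self) -> Tuple[str, str]:
        """Return (token, answer). The token is embedded in the form sent to the client;
        the answer goes only to the renderer that draws or speaks it."""
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        nonce = secrets.token_hex(8)
        expires = int(self._clock()) + self._ttl
        token = f"{nonce}.{expires}.{self._mac(nonce, expires, answer)}"
        return token, answer

    def verify(self, token: str, response: str) -> bool:
        """True only for a well-formed, unexpired, unused token whose MAC matches the response.
        Every attempt spends the nonce, so each challenge allows exactly one guess."""
        try:
            nonce, expires_str, mac = token.split(".")
            expires = int(expires_str)
        except ValueError:
            return False                       # missing, malformed or forged token
        if self._clock() > expires:
            return False                       # stale challenge
        if nonce in self._spent:
            return False                       # replay of an already-used challenge
        self._spent.add(nonce)
        # Without the secret a bot cannot forge a token for an answer of its choosing,
        # and a tampered expiry field changes the MAC input, so it fails here too.
        return hmac.compare_digest(self._mac(nonce, expires, response), mac)


def handle_submission(gate: CaptchaGate, form: dict) -> str:
    """Hypothetical form handler: the CAPTCHA result is checked on the server before the
    submission is processed. A bot that skips the widget arrives with no token and is refused."""
    if not gate.verify(form.get("captcha_token", ""), form.get("captcha_response", "")):
        return "rejected: captcha failed"
    # CAPTCHA is one layer; the remaining fields still need ordinary server-side validation.
    return "accepted"


if __name__ == "__main__":
    gate = CaptchaGate(secret=secrets.token_bytes(32), ttl_seconds=120)
    token, answer = gate.issue()               # the server renders `answer` as an image or audio clip
    print(handle_submission(gate, {"captcha_token": token, "captcha_response": answer}))  # accepted
    print(handle_submission(gate, {"captcha_token": token, "captcha_response": answer}))  # replay: rejected
    print(handle_submission(gate, {"comment": "spam"}))                                  # no CAPTCHA: rejected
```

The spent-nonce set is what makes a solved challenge worthless to a bot that captured it; in a deployment with more than one web server that set has to live in shared storage, or a replay can succeed against a different server. Hosted CAPTCHA services follow the same pattern: the widget returns a token, and the web application must submit that token to the provider's verification endpoint from the server and reject the form if the provider does not confirm it.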
The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact firstname.lastname@example.org.