InfoSecurity Professional INSIGHTS Archive: October 2020
Election Hacking: It’s Real and It’s Happening as You Read This
By Shawna McAlearney
The U.S. presidential election is just about a month away, and all eyes remain on voting security: from state-sponsored efforts to influence voters, to exploitable vulnerabilities that could cast doubt on election outcomes, to a pandemic preventing in-person voting in the interest of public safety.
Voting systems are designed to protect against traditional threats, but prior to the 2016 U.S. election, internet-based interference by foreign state adversaries wasn’t widely considered. Controversy surrounding that election led to a July 2018 indictment by the U.S. Justice Department of 12 Russian GRU intelligence officials for allegedly conspiring to interfere in the 2016 election and hacking into Hillary Clinton campaign computers, as well as those of the Democratic National Committee, state election boards, and secretaries of several states.
“The GRU [an agency within the Russian military responsible for intelligence production and special forces operations] attempted to convince Americans that their elections were rigged, and [leaked] emails from the Democratic Party leaders and members of the media, which the GRU claimed was evidence of coordinated favoritism for Clinton,” Nate Beach-Westmoreland, the Strategic Cyber Threat Intelligence Lead at Booz Allen Hamilton, said in his Black Hat 2020 presentation “Hacking the Voter: Lessons from a Decade of Russian Military Operations.”
Booz Allen Hamilton conducted an activity review of the GRU. It “identified more than 200 cyber incidents, spanning 15 years (2004–2019), targeting governments, the private sector and members of civil society. These operations have discovered and disclosed secrets, defamed people, disinformed populations, and destroyed or disrupted computerized systems.”
Beach-Westmoreland said: “They are a little different from traditional attackers in an election system because they may not want to choose a winner.” Nation-states may be satisfied with simply disrupting the overall process, casting doubt on the outcome or making it difficult for people to vote.
“Our confidence in the outcome of the election increasingly depends on our confidence in the integrity of the mechanisms, not only the people but also the technology, having the integrity to be reflective of how we voted,” said Matt Blaze, the McDevitt Chair in Computer Science and Law at Georgetown University, in his Black Hat presentation “Stress-Testing Democracy: Election Integrity During a Global Pandemic.”
“The security and integrity of civil elections is fundamentally orders of magnitude more difficult and more complex than anything else you can imagine [because] the requirements for elections contradict each other,” Blaze said. “The biggest contradiction is that we require both secrecy and transparency: You can’t find out anything about how someone voted and [yet] you want to be sure that everyone’s vote was counted as they intended.”
Failures in voting are not new, nor always tied to technology. Remember the hanging chads from the 2000 U.S. presidential election recount in Florida? Those voting machines relied on a punch card system, not computers or even electricity. Little pieces of cardboard from the ballots would build up, sometimes causing only a partial punch or even only a slight dimple in the card rather than a complete punch that a tabulating machine could read.
Inherent insecurities in networked systems and the internet offer many promising opportunities for malicious hackers. Experts say Russia in particular is quite experienced in exploiting such opportunities.
During his confirmation hearings in 2018, Paul Nakasone, Commander of the U.S. Cyber Command and Director of the National Security Agency, said, “As the most technically advanced potential adversary in cyberspace, Russia is a full-scope cyber actor, employing sophisticated cyber operations tactics, techniques and procedures against U.S. and foreign military, diplomatic and commercial targets, as well as science and technology sectors. Russia will likely continue to integrate cyber warfare into its military structure to keep pace with U.S. cyber efforts, and conduct cyberspace operations in response to perceived domestic threats.”
It’s not just Russia that might try to tamper with the U.S. elections.
In a June interview with CBS News, Christopher Krebs, the first director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, warned that much had changed since 2016. “It’s not just Russia. They’ve put the playbook out there. Any country that doesn’t quite like the way the American experience is going [will] get involved.”
Krebs said destabilizing influences could include trying to undermine public confidence and create chaos. “Those are absolutely domains of activity by a range of actors—Russia, China, Iran, North Korea and others—that are unattributed at this point,” he said. “Everyone has their own different, strategic objectives.”
Cheers (or jeers?) to a ‘better-secure’ 2020 U.S. election
"Americans should rest assured that we are working to ensure our elections remain secure," Krebs said in an August statement from the Office of the Director of National Intelligence. "We have long said Russia and other nation-states are targeting our elections. We knew this to be true in 2016, we know it’s true today, and we know they will continue to attempt to interfere. That’s why we have spent the last several years preparing alongside our partners across all levels of government, campaigns and tech companies to ensure the adversaries are not successful and American voters decide American elections."
Hanging chads aside, paper ballots may be more secure, as Krebs says approximately 92% of voting methods currently in use have some sort of paper trail for validation.
Krebs and his team are working with more than 6,000 election jurisdictions across all 50 states sharing threat intelligence and best practices and conducting annual exercises. While he has said everything is in place to make this the most secure election in modern history, Krebs also advocates for paper ballot backup to ensure any potential auditing will be accurate.
Securing our voting future
Experts have been working together to build a vulnerability disclosure program that works for both election vendors and ethical hackers—something like what is being proposed by Dr. Mark Kuhr, chief technology officer for Synack, a crowdsourced security provider, and Chris Wlaschin, vice president of systems security for ES&S (Election Systems & Software) and former CISO for the U.S. Department of Health and Human Services.
Calling voting “the most sacred aspect of our democracy,” Kuhr said they’re eyeing something between invitation-only and open bug bounties and pro bono services offered by security companies. “We are seeing a match made in heaven between the security research community and the government bodies that manage our elections infrastructure. We’re trying to advance that and improve that collaboration because it can be quite valuable.”
Changes he would like to see include shortened testing timelines, continuous testing, and the ability to push patches to the field quickly. Also, Kuhr said, “The incorporation of federal standards on this type of product is needed. The public demands we deliver a more secure voting infrastructure and they do not want to see adversaries meddle with our elections. We owe it to the general public to do a much better job.”
He added, “The end result will hopefully be vulnerabilities found ahead of our adversaries, and a more secure election process.”
Shawna McAlearney is a Las Vegas-based freelance writer and frequent contributor to INSIGHTS and InfoSecurity Professional.
Key Events in the 2014 Ukrainian Election Disruption Operation
Though no definitive timeline exists, Nate Beach-Westmoreland, the Strategic Cyber Threat Intelligence Lead at Booz Allen Hamilton, attempted to resolve occasionally contradictory information in the following timeline using a wide variety of online news sources.
- February 21-23: Ukraine’s Russia-friendly president, Viktor Yanukovych, is removed and flees the country.
- Late February (Crimea): Russian soldiers without insignia (“Little Green Men”) seize the Crimean Peninsula, prompting a referendum to secede from Russia.
- Early March (Eastern Ukraine): Pro-Russian protestors in eastern Ukraine launch counter-revolutionary protests.
- March 16 (Crimea): A referendum passes with reportedly 97% support.
- Mid-March: Ukraine’s CERT warns of GRU reconnaissance of Ukraine’s Central Election Commission.
- Early April (Eastern Ukraine): Armed separatist militias along with undeclared Russian special forces (“Spetsnaz”) begin militarily engaging Ukrainian government forces, starting the still-ongoing War in Donbass.
- May 21 @ ~8 p.m.: The GRU allegedly uses a wiper with hardcoded administrative passwords to disable systems at Ukraine’s Central Election Commission (CEC). Ukraine’s national security service, the SBU, observes that the attackers appeared to target the elections analytic system that aggregates voter data.
- May 22 @ ~4 p.m.: Reports note that CEC systems are restored from backups and the disruption ends about 20 hours after it started.
- May 22 @ ~10 p.m.: The CEC’s press secretary dismisses rumors that CEC’s website issues were caused by malicious hackers.
- May 23 early morning: CyberBerkut, a fake hacktivist group that the U.S. government and others deem a GRU front, publicly claims responsibility for destroying the CEC’s vote-counting system. As proof, they leak internal data, such as admin passwords and network diagrams.
- May 23 later that morning: The SBU Chairman says malware was found May 22 on a CEC server that could have destroyed the upcoming election’s results.
- May 23 even later that morning: The CEC Chairman at a press conference states there were “some technical problems” at the CEC.
- May 24 evening: The Interior Minister’s website is modified to show a statement corroborating CyberBerkut’s claims about the attack on the CEC and a blog post saying CEC electronic vote-counting systems had been destroyed, requiring manual voting only. The statement blames “criminal negligence of certain CEC officials” and bemoans security agencies being slow to release appropriate details.
- May 24 evening: Russian government media outlets like RT republish the fake statement from the Interior Minister’s website. Meanwhile, the Interior Minister issues a statement on Facebook claiming that the website had been defaced and the election would proceed normally.
- May 25 morning: On its website, CyberBerkut (i.e., the GRU) publishes documents allegedly belonging to an assistant for a Ukrainian billionaire appointed governor of the Dnipropetrovsk region. CyberBerkut claims this is evidence the Ukrainian National Assembly – Ukrainian People’s Self-Defence (UNA-UNSO) is attempting to seize power and promote Dmitri Yarosh “in the so-called ‘presidential election.’”
- May 25: The CEC website is periodically inaccessible throughout the day, showing 404 errors, which continue as late as 7 p.m.
- May 25 @ 7:48 p.m.: The GRU defaces the CEC’s website with fake results showing that, exactly as CyberBerkut had claimed would happen, Yarosh had inexplicably won the election with 37% of the vote, despite having polled in the low single digits.
- May 25 @ ~8 p.m.: Russian TV’s Channel One airs a report showing the fake results.
- May 26 @ 1-3 a.m.: A DDoS attributed by Arbor Networks to CyberBerkut disrupts the CEC system responsible for receiving vote tallies from local election districts, delaying the publication of official results.
- Note: Yarosh ultimately receives less than 1% of the vote.