InfoSecurity Professional INSIGHTS
InfoSecurity Professional INSIGHTS is (ISC)²'s bi-monthly e-newsletter, associated with our members-only digital publication, InfoSecurity Professional. Similar to the magazine, it will deliver timely, compelling content written with the professional development of infosecurity practitioners in mind.
InfoSecurity Professional INSIGHTS October Sponsor
The 2020 Gartner Magic Quadrant for IT Vendor Risk Management Tools
Managing vendor risk is often manual and siloed—leaving organizations exposed to data breaches and other risks. IT vendor risk management tools can streamline assessment, remediation, and monitoring activities. Download the 2020 Gartner Magic Quadrant for IT Vendor Risk Management Tools to discover what to look for in a solution. Access the report >>
Election Hacking: It’s Real and It’s Happening as You Read ThisBY SHAWNA McALEARNEY
The U.S. presidential election is just about a month away, and all eyes remain on voting security: from state-sponsored efforts to influence voters, to exploitable vulnerabilities that could cast doubt on election outcomes, to a pandemic preventing in-person voting in the interest of public safety.
Voting systems are designed to protect against traditional threats, but prior to the 2016 U.S. election, internet-based interference by foreign state adversaries wasn’t widely considered. Controversy surrounding that election led to a July 2018 indictment by the U.S. Justice Department of 12 Russian GRU intelligence officials for allegedly conspiring to interfere in the 2016 election and hacking into Hillary Clinton campaign computers, as well as those of the Democratic National Committee, state election boards, and secretaries of several states.
“The GRU [an agency within the Russian military responsible for intelligence production and special forces operations] attempted to convince Americans that their elections were rigged, and [leaked] emails from the Democratic Party leaders and members of the media, which the GRU claimed was evidence of coordinated favoritism for Clinton,” Nate Beach-Westmoreland, the Strategic Cyber Threat Intelligence Lead at Booz Allen Hamilton, said in his Black Hat 2020 presentation “Hacking the Voter: Lessons from a Decade of Russian Military Operations.”
Booz Allen Hamilton conducted an activity review of the GRU. It “identified more than 200 cyber incidents, spanning 15 years (2004–2019), targeting governments, the private sector and members of civil society. These operations have discovered and disclosed secrets, defamed people, disinformed populations, and destroyed or disrupted computerized systems.”
Beach-Westmoreland said: “They are a little different from traditional attackers in an election system because they may not want to choose a winner.” Nation-states may be satisfied with simply disrupting the overall process, casting doubt on the outcome or making it difficult for people to vote.
“Our confidence in the outcome of the election increasingly depends on our confidence in the integrity of the mechanisms, not only the people but also the technology, having the integrity to be reflective of how we voted,” said Matt Blaze, the McDevitt Chair in Computer Science and Law at Georgetown University, in his Black Hat presentation “Stress-Testing Democracy: Election Integrity During a Global Pandemic.”
“The security and integrity of civil elections is fundamentally orders of magnitude more difficult and more complex than anything else you can imagine [because] the requirements for elections contradict each other,” Blaze said. “The biggest contradiction is that we require both secrecy and transparency: You can’t find out anything about how someone voted and [yet] you want to be sure that everyone’s vote was counted as they intended.”
Failures in voting are not new, nor always tied to technology. Remember the hanging chads from the 2000 U.S. presidential election recount in Florida? Those voting machines relied on a punch card system, not computers or even electricity. Little pieces of cardboard from the ballots would build up, sometimes causing only a partial punch or even only a slight dimple in the card rather than a complete punch that a tabulating machine could read.
Inherent insecurities in networked systems and the internet offer many promising opportunities for malicious hackers. Experts say Russia in particular is quite experienced in exploiting such opportunities.
During his confirmation hearings in 2018, Paul Nakasone, Commander of the U.S. Cyber Command and Director of the National Security Agency, said, “As the most technically advanced potential adversary in cyberspace, Russia is a full-scope cyber actor, employing sophisticated cyber operations tactics, techniques and procedures against U.S. and foreign military, diplomatic and commercial targets, as well as science and technology sectors. Russia will likely continue to integrate cyber warfare into its military structure to keep pace with U.S. cyber efforts, and conduct cyberspace operations in response to perceived domestic threats.”
It’s not just Russia that might try to tamper with the U.S. elections.
In a June interview with CBS News, Christopher Krebs, the first director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, warned that much had changed since 2016. “It’s not just Russia. They’ve put the playbook out there. Any country that doesn’t quite like the way the American experience is going [will] get involved.”
Krebs enumerated that destabilizing influences could include trying to undermine public confidence and create chaos. “Those are absolutely domains of activity by a range of actors—Russia, China, Iran, North Korea and others—that are unattributed at this point,” he said. “Everyone has their own different, strategic objectives.”
Cheers (or jeers?) to a ‘better-secure’ 2020 U.S. election
“Americans should rest assured that we are working to ensure our elections remain secure,” Krebs said in an August statement from the Office of the Director of National Intelligence. “We have long said Russia and other nation-states are targeting our elections. We knew this to be true in 2016, we know it’s true today, and we know they will continue to attempt to interfere. That’s why we have spent the last several years preparing alongside our partners across all levels of government, campaigns and tech companies to ensure the adversaries are not successful and American voters decide American elections.”
Hanging chads aside, paper ballots may be more secure, as Krebs says approximately 92% of voting methods currently in use have some sort of paper trail for validation.
Krebs and his team are working with more than 6,000 election jurisdictions across all 50 states sharing threat intelligence and best practices and conducting annual exercises. While he has said everything is in place to make this the most secure election in modern history, Krebs also advocates for paper ballot backup to ensure any potential auditing will be accurate.
Securing our voting future
Experts have been working together to build a vulnerability disclosure program that works for both election vendors and ethical hackers—something like what is being proposed by Dr. Mark Kuhr, chief technology officer for Synack, a crowdsourced security provider, and Chris Wlaschin, vice president of systems security for ES&S (Election Systems & Software) and former CISO for the U.S. Department of Health and Human Services.
Calling voting “the most sacred aspect of our democracy,” Kuhr said they’re eyeing something between invitation-only and open bug bounties and pro bono services offered by security companies. “We are seeing a match made in heaven between the security research community and the government bodies that manage our elections infrastructure. We’re trying to advance that and improve that collaboration because it can be quite valuable.”
Changes he would like to see include shortened testing timelines, continuous testing, and the ability to push patches to the field quickly. Also, Kuhr said, “The incorporation of federal standards on this type of product is needed. The public demands we deliver a more secure voting infrastructure and they do not want to see adversaries meddle with our elections. We owe it to the general public to do a much better job.”
He added, “The end result will hopefully be vulnerabilities found ahead of our adversaries, and a more secure election process.”
SHAWNA McALEARNEY is a Las Vegas-based freelance writer and frequent contributor to Insights and InfoSecurity Professional.
For all past issues see the archives.