Election Day Cybersecurity…in Perspective

One thing about the 2016 U.S. presidential election—it hasn't been boring. No one knows yet whether Hillary Clinton or Donald Trump will land in the White House, but security experts have plenty to say about Election Day cybersecurity and what cyber issues a new president should tackle going forward.

On the election being hacked…

An attack would unsettle the electorate…with dire results

"In recent history, there has never been a more polarized presidential election here in the U.S. The drama, suspicion, slander, anger, distortion, accusations, corruption, and investigations have the entire population reeling. People don't trust the media, the candidates, the parties, and the process as a whole - and likely they won't trust the results.

One activity that will drive the final nail in the coffin (so to speak) is if hackers, nation-states, political parties, or any other malefactors disrupt our election process by attacking parts of the Internet, social media sites, news outlets, polling centers, and/or the transfer and culmination of the results. Anything that unsettles the electoral process will be a complete disaster. If so, fingers will be pointed in both directions, leaving the defenseless population stuck somewhere in the middle.

The most shocking thing is that our leaders don't seem to get that. Either they're living with their heads in the sand, or they are hoping for more uncertainty. One would think that for the last 12 months prior to the election, cyber defenses would have been strengthened, shored up, and mobilized all over the U.S. to ensure the election process goes well. However, there is no indication that has happened. Most people understand the statement, “Plan for the worst, and hope for the best.” In this case, most of us wonder if there is actually a plan at all.

One would have thought that the cyber-attacks on October 21st would have been a wake-up call for our current administration and that immediate action would have been taken to ensure outsiders could not interrupt our election process. However, from all observations nothing has been done outside of the norm, which has proven time and time again to be completely ineffectual.

Misinformation on exit polls, widespread Internet and media outages, and delays in reporting could seriously impact people's desire to vote and, even worse, their trust in the results. If more outages and fabrications are spread during election day, it could completely skew the outcome. The eyes of the world are on this election, and if it goes sour it will resonate throughout time and history. All one can do is hold on as tight as possible; it looks like it's going to be a wild ride. The perfect storm is likely brewing on the horizon.

In the perfect storm:

  • Attackers could first launch massive DDoS attacks against U.S. DNS infrastructures, followed by direct DDoS attacks against online news and media, as well as TV media outlets themselves, which today are mostly digital. Widespread outages and brownouts could ensue.
  • Attackers could next take registered voter verification systems down by launching smaller DDoS attacks against individual polling centers. Many of these verification systems are likely online and need to access state databases where voter registration and verification is required to cast a vote. Attacks against registered voter databases themselves would also be highly likely.
  • Next, DDoS attacks and bogus election posts could flood social media sites, creating outages and spreading misinformation. Streaming banners on TV news outlets (bottom of screen) could also potentially be altered, providing bogus reports and polling numbers that contradict live reporters, causing confusion and spreading misinformation.
  • Following that, attackers could also attempt to disrupt the infrastructures responsible for providing power to the polling stations themselves. Attackers may then try to take out traffic signals around polling stations to create traffic situations that would not allow people to cast their votes before polls closed. Many are controlled by smart meters and SCADA systems today.
  • Don't forget man-in-the-middle attacks against polling stations as they report their final numbers to collection centers; most of this traffic is likely transported across the Internet, and the systems are likely to be completely online. These election result databases could also be skewed or even erased before all polling sites have reported their results.
  • Finally, attackers could also launch DDoS attacks against cable TV companies and mobile operators, since many people get their news and information directly from outlets streaming digital TV over cable, and from cellular networks through the usage of smartphones and apps.

Most of these attacks would not be easy, and almost all would require “no” physical access. They all could be launched simultaneously - from anywhere in the world by enemies both foreign and domestic. The U.S. election process may see none of these attacks, or it may see all of them. The real question is how well the U.S. is prepared.

Seeing that it's only a few days from the election, if cloud-based DDoS defenses, application and database defenses (WAF), and man-in-the-middle defenses are not already in place, it may be too late to stop attackers from impacting the U.S. election." - Stephen Gates, Chief Research Intelligence Analyst at NSFOCUS

Vulnerabilities exist but so do safeguards…

If we are talking about voting, the present situation is one where voting irregularities and fraud present greater risk than cyberattacks. Given that there is limited online voting, the overall system is a distributed collection of different voting technologies and systems, some still using paper.

We've obviously heard a great deal about other ways that the election can be manipulated in recent months. For example, campaigns and parties maintain their own home-brewed infrastructure, which contains sensitive information and data that could be leaked. A key defining criterion for a secure election in general is the confidence that your vote is done (a) only once and (b) confidentially.

Online voting itself could actually help to create a more robust election system. We're able to trust even more valuable data (credit cards, bank accounts, social security info, etc.) online.

To improve security in general, not just in voting, it is becoming abundantly clear that much data and information in general is living in e-mail. E-mail as we know it is a cancer that greatly threatens security and privacy in a general sense. I never thought I would say it, but the world may well be better off with communication systems from Facebook, Google, etc. with the addition of verified identity.

Again, we must distinguish between the mechanisms of the actual election and those involved in the overall process. Most vulnerabilities thus far have been specific to communication issues, especially the attack on the DNC servers. This is unrelated to actual voting but resulted in the leak of voter information (people affiliated with the actual DNC and Democratic voters, for example). This violates one of the two principles: maintaining voter confidentiality.

There's a real question about whether this could really affect an election. Voter fraud and inaccurate counting of paper ballots, however, are substantial risks that may even be more risky than having an online voting system, given that we have a wealth of information on how to build secure systems, such as online banking, etc. - George Thiruvathukal, Member of the IEEE Computer Society & Professor of Computer Science at Loyola University Chicago

Fear and anxiety at the polls

"Fear and anxiety over the election process underscores one of the most fundamental security issues organizations face: the ability to know whether there is an active attacker at work on a network. In the case of a classic data breach, the attack eventually surfaces once accounts, passwords and other details end up on the Dark Web or are used by cybercriminals. This revelation generally comes far too late, well after the theft or damage has occurred, and it takes an average of five months. In the case of data or system manipulation or stolen secrets, revelation may never come. While finding an active attack early and curtailing it is a long-sought-after objective, the ability to know that an attacker is not present is also tremendously valuable.

Ask a CIO or CISO, "Do you have the means to find an active attacker on your network working towards a data breach?" Most, if they are fully informed and completely honest, will admit that they do not. If they believe they have the means to know, ask how, and what their level of confidence is. You will likely get a blank stare.

Confidence is the issue with the election, especially after the breaches of the Arizona and Illinois election databases, the DNC attack, and other election-related security events. Ideally, a state elections department could attest that its network is free from attackers. Based on a thorough check of hundreds or thousands of parameters and using ongoing, detailed behavioral profiles, organizations should be able to find an attacker at work. The inverse is also immensely beneficial to give confidence and attest, "Our network is free from attackers." This kind of assurance would also be valuable for a law firm to give to its clients during a routine security review. It's exactly what a defense contractor should be able to present to the Department of Defense. Even in the case of a merger or acquisition, it would be extremely valuable to know that you are not connecting up to a network with a hidden attacker.

In some cases, knowing that there is no attacker is nearly as valuable as knowing that there is an attacker." - Kasey Cross, Director of Product Management at LightCyber

What the government needs to do going forward…

Federal Data Breach Notification Requirements

“Organizations in the United States have to understand and adhere to up to 47 different state breach disclosure notification laws. That's right, forty-seven. A federal standard would go a long way toward simplifying the process for organizations that happen to be compromised, yet no federal legislation is anywhere in sight. Creating a federal standard needs to be a priority, sooner rather than later, to eliminate unnecessary confusion during what is already a difficult time for organizations.” - Chris Pogue, CISO, Nuix

Recognize the Threat Isn't Only External

Foreign nation states, shadowy hackers, and cyber-terrorists aren't the only ones trying to steal or destroy our data. They all have something in common; namely, they all sit outside an organization's perimeter defenses. However, insider threats are just as likely to be guilty of wrongdoing as these external malefactors. A thorough defense-in-depth program needs to account for all potential bad actors, and insider threats require a different type of approach to detect and counter. - Keith Lowry, SVP, Nuix USG (former Chief of Staff at the Department of Defense and also former Chief at the U.S. Counter Intelligence Agency where he was responsible for developing the U.S. National CI Strategy)

Bone up on cyber

“Consult the technical security community and take the criminal aspect of cyber crime seriously. You can't address a threat if you don't appreciate the threat for what it is.

Familiarize him/herself with the EU General Data Protection Regulation and look to implement a parallel regulation in the US. Also emphasize to US businesses the importance of readying for EU enforcement if they wish to use EU citizen data.

Conduct public campaigns to make the average person aware of their own responsibilities to protect their own identities and data.” - Mark Wilson, director of product management, STEALTHbits Technologies

Take Your Own Medicine

“The federal government faces persistent threats that pose strategic, economic, and security challenges to our nation on a daily basis. Addressing these threats requires a candid reassessment of the way it approaches security and a significant investment in critical testing, staff, and tools. All government systems need to be rigorously tested, vulnerabilities addressed, and government security teams need to continuously ‘train the way they fight’ moving forward. Offensive security advances have long outpaced defensive countermeasures, and without a fundamental change, the trend is bound to continue.” - Chris Pogue, CISO, Nuix

What the next president must do…

Insist on compliance and encryption

“Improve cybersecurity compliance controls. Treat cybersecurity the same way financial controls and reporting are handled with Sarbanes-Oxley, for example. Enterprises should not be allowed to check the box of cybersecurity compliance without their controls being rigorously tested by an independent audit body.

Empower enterprises to better encrypt data. Stop trying to tap into every internet company database or user data feed for national security reasons, as it actually increases the risk for cybersecurity.

Lead by example and invest in modern cybersecurity to protect government properties and databases.” - Julien Bellanger, co-founder & CEO, Prevoty

Focus on infrastructure

“Protect trans-Atlantic cables that carry most of the world's data.

Work closely with major US service providers, financial, electronic, retail and the users to prevent, detect and respond to cyber-attacks.

Immediately harden critical infrastructure, i.e. power grids, and work with US citizens to prepare for a major outage related to critical infrastructure.” - Christian Lees, CISO at InfoArmor

Identify and protect sensitive data and infrastructure

“To strengthen our national security, we need to identify all sensitive data and infrastructure in both the private and public sector that would have high value to our adversaries and then protect it. This will require a much higher level of protection along with close government involvement and oversight. People forget that in 2012, NASA's Jet Propulsion Labs was breached and the foreign-state hackers could have stolen whatever critical information they wanted. We think of JPL as this cool scientific organization that makes space vehicles fly to faraway planets. Our enemies view JPL as a treasure trove of the most advanced technology that can be used to create weapons that can strike anyone from anywhere in space. Securing advanced technology that could have a military use against us needs to be accomplished through involvement of government agencies such as the NSA and a much stronger requirement for IT security safeguards.” - John Gunn, vice president at VASCO Data Security

Beef up cyber standards

“Put more force behind the National Strategy for Trusted Identities in Cyberspace/NIST standard development, including support and adoption by government agencies, followed by regulations that hold organizations accountable if they don't meet basic security standards of protecting consumer information. Additionally, agencies with antitrust authority need to update their models to more fully recognize that as we are in an ‘information-based’ economy, hoarding or excessive control of user or consumer information is not only insecure, but may be just as anticompetitive as was Standard Oil's monopolistic behavior of the last century. I'm not suggesting the EU's mercantilist approach of using antitrust to compensate for a poor competitive position in internet technology, but a reasonable focus on consumer protection that encourages innovation and recognizes the zero marginal supply cost of information technology as opposed to the large and growing value of personally identifiable information that companies are failing to effectively protect. Loss of faith in the internet economy will have massive and negative effects on the economic security of the United States.” - Scott Clements, EVP and CSO, VASCO Data Security

Promote expertise at the Top

Policy leadership requires expertise and understanding. The steps taken by President Obama in 2016—releasing the Cybersecurity National Action Plan (CNAP) and naming the first Federal CISO—are positive strides forward, but it's not enough. The next President should go even further and create a cabinet position dedicated to all areas of cybersecurity, with the Federal CISO and others accountable to the cabinet member. Cybersecurity is a broad subject, and one that requires more than a CISO's expertise to succeed. - Keith Lowry, SVP, Nuix USG

Push multifactor authentication

“The president should focus on promoting multi-factor authentication to websites and applications for businesses as well as consumers. Breaches continue to grow year over year because of the weaknesses that passwords inherently possess. The technology exists to easily make this concept a reality, and most everyone already has the perfect second factor of authentication readily available - a smartphone.

The alarming shortfall of cybersecurity trained individuals needs to be remediated. The president must mandate outreach to all levels of education focused on cybersecurity. Colleges around the United States need to ramp up and improve programs that offer varied specialties in cyber. Training is essential to our survival in the cyber arms race.

The president needs to mandate that enterprises enable the entire workforce with on-the-job training regarding cybersecurity. Think of this like running fire drills. Everyone knows what to do and where to go in the case of an emergency because they have drilled and practiced several times a year. The same thing needs to happen with cybersecurity. Companies need to develop programs to keep themselves safe and establish best practices that every employee can follow, regardless of job title. The real key to a successful cybersecurity program is to expose the entire organization to security on an ongoing basis.” - Brad Bussie, CISSP, director of product management, STEALTHbits Technologies
