Voting systems not the only target in defending against cyberattacks on our elections
By: Luke McNamara, Principal Analyst, FireEye, The Hill Newspaper
Legislation that better enables states to protect key systems is a great starting point, but the most concerning cyber threats against the 2018 midterms are those that seek to target confidence in the process itself.
With midterm elections less than a month away, concerns about the security of the electoral process persist. The newly released National Cyber Strategy acknowledges the challenges state and local election administrators face in securing key election infrastructure, as well as the growing threat from social media-driven influence operations conducted on the platforms we use every day. Over $380 million in federal funding has already been released to the states this year to help improve election infrastructure, and there is a revived push to pass the Secure Elections Act that seeks to improve the security of state election systems.
While renewed focus and federal funding are beneficial to protecting voting systems, agile and adaptive adversaries are looking beyond election infrastructure and attacking trust in our democratic process itself. How do you safeguard that?
When looking at historical cyber threats towards elections globally, we see a wide variety of types of activity—particularly from Russian-sponsored cyber groups. But at its core, there seems to be a similar purpose: to delegitimize and attack public confidence in the electoral process.
On one end of the spectrum, we have witnessed activity that consists of stealing and releasing political parties’ sensitive data or spreading propaganda on social media to encourage discord. On the other end, there are continuing concerns around the security of critical election assets: voter registration databases, election management systems, and voting machines.
While we must continue to safeguard such critical infrastructure, proactive cybersecurity cannot consist of only patching software vulnerabilities and putting up defensive machine safeguards. Adversaries are conducting activity that falls in the middle of this spectrum by combining disinformation with successful intrusions of election administrators or non-critical election infrastructure.
What might such attacks look like? Imagine if adversaries compromised key state or local officials’ social media accounts to spread false claims about voting machines not working, and used these compromised accounts to leak internal data and emails in an effort to claim more widespread intrusion. Or consider intrusions into electoral board or commission websites—assets targeted time and time again by nation states. Though they may exist on different networks from critical systems and data, when they become public, such compromises could fuel fears over deeper penetrations and result in a loss of confidence in the election results, whether or not votes or critical data have been altered.
Cyber adversaries don’t need to steal data to effectively attack confidence in elections. They could simply stop them. Increasingly, nation-state actors leverage disruptive and destructive tools to project power and hinder operations. One could picture the chaos caused by cyber attackers deploying ransomware—or something more destructive like NotPetya, which resulted in hundreds of millions of dollars in damage to FedEx and Maersk—to infect the network of a state or local government, hampering its ability to carry out operations mid-election.
The example of the City of Atlanta’s incident with SamSam ransomware this year underscores the cost and impact from such events.
This also presents an interesting dilemma for election administrators and defenders on how to communicate attempted cyberattacks or intrusions: if the goal is to attack the public’s trust that their votes are counted and their voice matters, does the acknowledgement of some type of attempted breach give adversaries a victory? The technical nuances or extent of a compromise (which often takes some time to fully determine) can be difficult to communicate in an effort to counter false narratives from faceless personas.
With limited resources and complex attack surfaces to defend, election administrators and others must focus on protecting systems and networks critical for maintaining voting integrity.
Insofar as they better enable the states to protect these systems, initiatives like the Secure Elections Act get it right. However, proactive cybersecurity measures can’t stop there, and defensive steps should not be taken in isolation from the activities we know cyber adversaries are actually conducting.
Beyond monitoring of critical networks and systems, utilizing threat intelligence, employing basic security best practices like multi-factor authentication for email and social media accounts, and ensuring crisis communication strategies are in place to counter disinformation campaigns should be core components of state election security strategies.
By understanding the goal of adversaries engaged in cyber-enabled election interference, states can be better prepared to respond and ensure free and fair elections.
Luke McNamara is a principal analyst at FireEye, an intelligence-led security company.