Establishing Digital Trust: Don't Sacrifice Security for Convenience
Earlier this year, Colombian hacker Andres Sepulveda told Bloomberg he's "100 percent sure" that the U.S. presidential campaign is being tampered with by cyber attackers.
At this point, attacks may not be successful but they are happening.
The last several weeks saw a flurry of cyber attacks launched by Russian hackers and targeting a wide range of systems related to the upcoming election, from servers at the Democratic National Committee to voter databases in Arizona and Illinois.
'Concerted Effort' to Influence Election
"Based on briefings we have received, we have concluded that the Russian intelligence agencies are making a serious and concerted effort to influence the U.S. election," U.S. Senator Dianne Feinstein and Congressman Adam Schiff said in a joint statement released last month.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
"At the least, this effort is intended to sow doubt about the security of our election and may well be intended to influence the outcomes of the election - we can see no other rationale for the behavior of the Russians," Feinstein and Schiff added.
According to a Tripwire survey of more than 220 information security professionals at Black Hat USA 2016, 63 percent of respondents believe cyber criminals are influencing the outcome of the upcoming U.S. presidential election.
Eighty-two percent of respondents said state-sponsored attacks on elections should be considered acts of cyber war.
"This is an unprecedented moment in both politics and information security," Tripwire director of IT security and risk strategy Tim Erlin said in a statement. "A foreign power possibly influencing the U.S. presidential election through electronic means is a game changer for information security professionals."
And at a basic level, it wouldn't be all that hard.
Elections Are Easy Targets
James Scott, senior fellow at the Institute for Critical Infrastructure Technology (ICIT), said elections in general make for extremely vulnerable targets. "It's difficult to find an upside at this point with the election process, in terms of the technical vulnerabilities," he said.
The easiest way for an attacker to impact an election, Scott said, would be through the manufacturer of voting equipment -- by spear phishing, through a port vulnerability or through a drive-by download. "There's a million ways to deliver a malicious payload," he said.
Then, he said, all you need to do is tamper with a single software update being delivered to voting machines. "The manufacturer will then unknowingly hand-deliver these poisoned updates, which will typically self-destruct -- it's an extra nine lines of code -- after the final tabulation process," he said.
It's a risk similar to the one enterprises face when working with third-party vendors; a breach at a single vendor can affect all of that vendor's customers, if the vendor is given privileged access.
Any election official concerned about this kind of attack still has time to hire an independent forensic expert to check out a few random machines, Scott said. "They should focus on the tabulation process and anything that would affect the weight of the voter," he said.
Messing with a Voting Machine
It's not just about attacks on the vendor, Scott said. Malware could also be delivered locally. "The reality is most of these machines are in church basements, boiler rooms in public schools; they're not in protected areas," he said. "And so getting in and manipulating a machine is a piece of cake. All you have to do, in most cases, is just walk in."
Even with a certification seal on the machine, Scott said, all hackers would need would be a razor blade, some acetone and a delivery mechanism for the malicious code, such as a USB drive or memory card.
"You put it in and it infects the machine," he said. "And if you add a few more lines of code, through the natural course of the election day this self-deleting malware will spread to the other machines."
Most polling places are run by elderly volunteers, Scott said. "These people don't know what social engineering is. Their technophobia is a vulnerability; they have no cyber hygiene training. They don't know what to look for if someone's trying to inject code into a machine."
Just as security awareness training can make a huge difference for an enterprise, Scott said basic digital security training for anyone managing an election location would be relatively easy to implement and could be highly effective. "And then spot checking, from a forensic perspective, to see if a machine has been manipulated; that's what they can do at the local level," he said.
Because so many different types of electronic voting machines are used and they have varying levels of automation and digitization, it will be tough for hackers to launch a comprehensive attack, said Chris Roberts,chief security architect at Acalvio, a California-based provider of advanced threat detection and defense solutions.
"Being able to manipulate the results at large is going to be a tough thing to do. The distributed system and the various types of electronic machines means that someone would have both had to do extensive research as well as have a distributed set of attack surfaces," Roberts said. "... It would be very difficult to influence enough systems to make a decent dent in the overall election. If you chose swing states or locations, that might be a different matter. We'll have to wait and see what happens."
Confidence Takes a Hit
Hacking electronic voting machines is not the only way to influence an election, said Nathan Wenzler, principal security architect at AsTech Consulting, a California- based independent security consulting company.
"While measures are taken to keep these [voting] systems isolated and thus much, much harder to hack, there are still many ways an external force could influence an election," Wenzler said. "For example, if a polling firm was hacked and reported poll numbers which were skewed, it could influence voters who have not yet voted to change their vote or not vote at all. Direct hacking of voting results is difficult, but other indirect methods of influencing voters and voting results can be effective, too."
For attackers, it's not just about trying to change the results of an election, Scott said. "If you're looking at nation-state actors, merely being able to interrupt the confidence in the election process and in democracy is a battle won. From an information warfare perspective, I think that's the biggest win for any adversary."
The potential impact on citizens' confidence in elections is similar to the impact a major data breach can have on a brand; it doesn't have to do significant damage in order to have a real impact on people's sense of trust.
NSA director Michael S. Rogers said last March in testimony before the House Armed Services Committee, "We believe potential adversaries might be leaving cyber fingerprints on our critical infrastructure, partly to convey a message that our homeland is at risk if tensions ever escalate toward military conflict."
While only a few countries -- most notably Russia and China -- currently have the kinds of resources necessary to launch these kinds of sophisticated attacks, those numbers will grow, Wenzler said. "As more technology resources become available to more countries, there will be more and more nation-states that will be able to perform legitimate cyberattacks against the United States that will need to be taken seriously."
Scans and Pen Tests
In response, there's a lot that state and local government agencies can do. The U.S. Department of Homeland Security announced on October 10 that 33 states and 11 county or local agencies had so far gotten in touch to request cyber hygiene scans or vulnerability assessments; DHS encouraged others to do the same.
"We can conduct cyber hygiene scans remotely, and provide state and local election officials with a report identifying vulnerabilities and recommendations to improve online voter registration systems, election night reporting systems and other Internet-connected election systems," DHS stated.
And Joshua Eck, spokesman for Ohio Secretary of State Jon Husted, recently told CNN that his state has asked the National Guard to conduct penetration tests, trying to breach its databases. "We've had a number of really positive tests," he said. "It has gone well and we've been able to find vulnerabilities and fix them."
Ultimately, Scott said, it's far more likely that someone's trying to manipulate the upcoming elections than not. "It only makes sense that they would, now that the world sees all of our vulnerabilities," he said. "All you have to do is watch the news for five minutes as a hacker and figure out who your next target's going to be."
Looking to the Future
Long term, electronic election systems that rely on proprietary code will need to be replaced, Scott said. New systems should "incorporate the principles of resiliency, security-by-design and layered defenses," he said.
And, he added, other cybersecurity measures include:
- Election personnel should be trained in cybersecurity and cyber-hygiene so that threats can be mitigated and so local and state levels are less reliant on vendors, contractors and consultants.
- Election machines must be better secured in storage to prevent unauthorized access.
- Objective cybersecurity professionals should conduct regular penetration tests on the systems to ensure the machines do not have exploitable ports or connections, that the machines remain free of malware, and that the machines do not exhibit any suspicious operations such as the fractionalization of votes.
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at firstname.lastname@example.org.