flexibility as the adversary’s tactics?”
Slow, Steady Progress
at the State Level
The report on Special Counsel Robert Mueller’s investigation into Russian interference in the 2016 election and related indict- ments against members of the Russia-based Internet Research Agency have documented a wide-reaching effort to target state boards of elections, secretaries of state, county government offi- cials and technology companies responsible for making election- related software and hardware.
In response, officials at DHS and its Cybersecurity and Infra- structure Security Agency have built relationships and informa- tion-sharing agreements with all 50 states and more than 1,400 local entities. CISA Director Chris Krebs recently joked that he knows the ties between DHS and the election community are stronger today because he receives texts from secretaries of states and election officials at all hours of the night, asking questions and requesting resources.
Nevertheless, by DHS’ own count, there are still thousands of localities left to contact at the county and local levels, where elec- tions are mostly administered. That activity is all the more urgent given a joint intelligence bulletin issued in March by the FBI and DHS confirming what had long been suspected: Russian hackers had probed the election infrastructure of all 50 states in the lead- up to the 2016 election.
Despite the revelation in a recent New York Times article that senior White House officials had thwarted an effort by former DHS Secretary Kirstjen Nielsen to create a Cabinet-level election security team to elevate the issue, the work of securing the coun- try’s election infrastructure is making progress at the state level.
Lawrence Norden, deputy director of the Brennan Center for Justice’s Democracy Program, told Federal Computer Week (FCW) magazine “there’s no question we’re in a better place” security-wise compared to 2016. He cited the steady (if slug- gish) progress on replacing paperless voting machines in the past three years and the heightened awareness of threats on the part of government agencies, technology vendors, election of- ficials and the media.
For instance, hackers had some success with spear-phishing attacks in 2016, but he said he hopes that’s less likely to happen in 2020 not that the election community has been educated about the tactic.
Do Attackers Even Need
a New Playbook?
In the meantime, work continues on efforts to counter disinfor- mation, state-sponsored hacking and leaks that target political campaigns.
The 2018 midterm election was notably quieter than the 2016’s presidential election, and Krebs told the House Homeland Se- curity Committee in February that social media companies de- serve some credit for stepping up their efforts during the recent election cycle. He said major platforms sent representatives to a DHS election security ware room in Virginia on Election Day and
coordinated with officials to pull down blatant instances of mis- information posted online, such as claims that voting machines were casting incorrect votes.
Still, many policymakers and advocacy groups continue to pil- lory social media companies for what they see as a lack of urgen- cy when it comes to combating misinformation or disinformation on their platforms.
“They played a part,” Krebs said. “There’s always much more to do here, and keep in mind that the adversary will continue to pivot, pivot, pivot as we raise defenses and block off avenues.”
Here again, DHS has indicated a willingness to enter the fray – in this case, by offering vulnerability scans and other protections services to any political campaign that wants it. When speaking with presidential campaigns, “we haven’t had anyone decline to have a call with us or not be excited about the resources that we’re offering,” Masterson said.
Cybersecurity experts say political campaigns are often most vulnerable in the early days of operations, when they are marked by high staff turnover, shoestring budgets and a lack of the sort of professional organization and sophistication that typically translate into good digital security practices.
Case in point: Research by the Global Cyber Alliance found that only four of 14 Democratic presidential campaigns were us- ing Domain-based Message Authentication, Reporting and Con- formance, a tool designed to prevent outside parties from spoof- ing an organization’s email messages.
In addition, a look at what’s going on in other countries could yield insights in to how influential operations have evolved in response to new protections. For instance, Ukrainian intelligence officials claimed in March the Russian operatives have sought to buy or rent Facebook accounts from Ukrainian citizens in order to avoid security measures the United States instituted after the 2016 elections. Similar tactics of cooperating native social media accounts and organizations were detailed in the Mueller report.
“We can’t just plug the holes that we’ve identified because you just don’t fight wars that way,” Norden said. “We see it in cy- berattacks...they develop, they mutate. Adversaries who want to influence an election are going to find new ways. Having said that, we haven’t even plugged the very obvious holes that we do have.”
Past said what worries her most is the “strategic silence” on the part of the state actors such as China and Russia in the past year, and she and Norden noted the lack of activity in recent years from which to draw valuable lessons.
But Past added that although policymakers should prepare for new tactics and strategies, it is not clear that a foreign influ- ence or elections hacking operation would need to stay far from Russia’s strategy in 2016.
“There’s been no convincing response, government-wise or in- ternationally or diplomatically, that would tell any nation-state... that they should \[deviate\] from the Russian playbook,” she said, “And most of the costs around those attacks have become less, not more, over the last year years.
Derek B. Johnson is a senior staff writer at FCW magazine. WWW.SECURITYTODAY.COM NS5