Cyber Threats & Elections; Part IV of IV

Here we find ourselves again at the end of an August and the waning of another summer. Having just wrapped up both the Republican and Democratic National Conventions in the last two weeks, our country’s Presidential and Vice-Presidential candidates have officially accepted their nominations. Fittingly, we at ProtectedIT are also wrapping up a month-long discussion about cyber threats surrounding elections in the United States, elections outside of the U.S., and what kind of implications this may present with the upcoming presidential election in November.

In Part I, Objective & Observations, we looked at the current situation today with a sharp lens and made some key observations about where we stand. The topic this month has been split into a 4-part series to better understand its complexity. In Part II, Reflection & Analysis, we took a look at the past and did a bit of analyzing of what really happened in the most recent presidential election of 2016. In Part III, Comparison & Perspective, we stepped outside of our own “shoes” and evaluated what has happened to other countries when they were targeted with cyber-attacks.

This week in Part IV, our August FINALE, we are looking towards the FUTURE. What can we learn from our own history and the history of other countries’ elections? What conclusions can be drawn about the types of actions that are needed to move forward? How can we as individuals, families, interest groups, communities, businesses, and so on prevent these kinds of outside manipulations and intrusions from happening again?

OUTLOOK & ACTION ITEMS

These days, practically the entire world is subject to influence from afar. Call it a ‘natural balancing’ that comes from an exponential technological growth - that kind of unchecked growth can be a double-edged sword.

The National Intelligence Council - a joint intelligence community consisting of members of the United States’ CIA, FBI, and NSA - published a coordinated analytic report of their findings after investigating the presidential election of 2016. One of their primary conclusions read “Russian efforts to influence the 2016 US presidential election represent the most recent expression of Moscow’s longstanding desire to undermine the US-led liberal democratic order, but these activities demonstrated a significant escalation in directness, level of activity, and scope of effort compared to previous operations…We assess Moscow will apply lessons learned from its Putin-ordered campaign aimed at the US presidential election to future influence efforts worldwide, including against US allies and their election processes.” Additionally, this insightful publication from the European Council on Foreign Relations exposed the twisted reality of Russian cyber intelligence operating in environments of chaos and competition. Agencies often replicate each other’s work in a race to please the Kremlin. All of this “bloody competition” is intentionally cultivated by Russia’s president, Vladimir Putin, and any type of teamwork or consensus disappears “as soon as there is an opportunity to make money or avoid blame.”

While Russia remains at the top of the list, the truth is that it is not the only threat actor around. Google researchers found evidence of China-linked and Iran-linked Advanced Persistent Threat (APT) groups targeting both the Biden campaign and Trump campaign staffers as recently as a few months ago.

It seems that few people realize the amount of resources these ‘APT groups’ have at hand and (more importantly) their extensive reach of influence. This ‘reach’ of outside influence and manipulative intent can, realistically, be found in every home that contains a computer or smartphone. It is unseen but constantly accessible. By nature, being unseen makes something more likely to be overlooked, and it is alarming how many overlook the true nature and extent to which modern intelligence organizations and threat groups will go to accomplish their own agendas.

We are in this together. When I say “We,” I mean the Western alliance of countries striving in and for successful democratic nations. When I say “We,” I am talking about the root and essence of democracy.

ACTION ITEMS

What kind of countermeasures are currently being taken (or still need to be taken) against these compromising and multi-faceted cyber threats? The answer is not exactly a simple one. To make it a bit more intuitive, I’d like to look at this concept from 3 different perspectives - Large scale, Medium scale, and Small scale.

Action at the LARGE scale (Government/Country-level):

While there is a lot of adversity Western democracies are facing, it is not all doom and gloom! There are many informed and alert people aware of the danger to the election process, and several of them are working hard at the government level to strengthen security measures. Two weeks ago, congressional members of the House Homeland Security Committee emphasized to the public that they will be spending the rest of the year “pushing election stakeholders to continue boosting security around election and voting systems, examining how the widespread shift to telework in the wake of COVID has impacted federal cybersecurity and shoring up network monitoring efforts at CISA [Cybersecurity and Infrastructure Security Agency].” The same article also details how these committees are focusing on key specifics like “combating disinformation” and working on “better cooperation between state and local election officials,” which includes urging CISA to issue states better direction and guidelines about election security in the upcoming months.

There has been success at the state level regarding the implementation of cyber solutions (e.g., scanning, patches, etc.), but the local and county levels are an area of concern. This goes for network software and operational systems that, aside from being a tool in the presidential elections, are also used for smaller, local elections which do not get as much attention. Cybersecurity expert Jeremy Epstein lent some insight recently as to why: “Attackers may well use a low-consequence election to scout out the landscape, learn the vulnerabilities, and then save their opportunities for attacking a real election later on.”

Relatedly, another action that is currently underway on the large scale is legislation to funnel billions of dollars of federal grant money to updating state and local government legacy systems. So much of this country’s government operation is conducted on outdated and insecure legacy IT infrastructure, and investing in “IT modernization strategies” will be a win on multiple fronts, not the least of which being election cybersecurity. Clearly, there are unresolved vulnerabilities in these frequently overlooked and underfunded areas. And COVID-19 only made that same truth all the more apparent, exposing even more systemic weaknesses on top of those infrastructural flaws already recognized prior to the pandemic.

Action on a MEDIUM Scale (businesses, interest groups, organizations, etc.):

California recently enacted a state law surrounding data and consumer privacy - The California Consumer Privacy Act (CCPA). It has been called “the most comprehensive privacy law in the country.” It is, I think, a solid example of progressive change that came about due to actions and hard work from the organizations and groups at the medium scale in an effort to tip the hand at the large scale and implement new law and policy…count another one for a success story! The interest group Californians for Consumer Privacy gathered more than 600,000 signatures from state citizens in a push to make the security and privacy of personal data more of a priority to those with power at the government level (large scale).

There ARE also success stories of secure election digitalization. Take the European country of Estonia. With a population size equivalent to that of the state of Maine, Estonia saw nearly half of its voters choose to cast their vote digitally in 2019 for the European Parliament elections, and they’ve been voting this way for well on 15 years now. It is a component of their “broader digital society,” possible due to the trust the people have in their government to “take care of their data…and that citizens are the main owners of these data.” Estonia’s National Digital Advisor, Marten Kaevats, believes that the core to their success in this comes down to data governance and policy. According to his expertise, “the U.S. needs to have something similar to GDPR [General Data Protection Regulation] in Europe. The U.S. needs to up their game, otherwise the potential likelihood of building trust in a society is not good.” He goes on to point out that online voting is one of the more complicated steps of a “larger digital revolution” of their country, which took many years of hard work and dedicated proponents.

The California Consumer Privacy Act (CCPA), which I previously mentioned, is a data-oversight compliance law very much like the European Union’s GDPR. While there are certainly differences between the two pieces of legislation, the CCPA is nonetheless a mighty step in the direction of progress (In this earlier series of our blog, ProtectedIT discusses the ins and outs of the CCPA and more reasons why it is so trailblazing). The first step towards trust in big government and confidence in a secure and fair election is (as the Estonian advisor previously emphasized): Data governance and policy. The EU has taken these steps, California has taken these steps, and more states in the U.S. need to follow suit.

Another important takeaway is stakeholder perspective - these risks permeate well beyond the election process and voting systems. The number of network hacks to businesses and people everywhere is skyrocketing. They come in an enormous diversity of forms, with various intent, and can reach from practically anywhere in the world. The security firm Emsisoft reported recent data to The New York Times showing that 205,280 organizations submitted files that were hacked in a ransomware attack in 2019, which is a 41% increase from 2018. These and other kinds of attacks are expected to continue to grow as hackers become smarter and more adaptable, and there will be plenty more platforms from which to choose their targets as this ongoing pandemic pushes organizations of every market and service to seek remote, digital alternatives for their business functionality. Proactive thinking and action in “bolstering IT security practices” is the best way for businesses to be prepared for potential assaults on company data. As I mentioned earlier, often it comes down to human error as being the final straw…and we all know that’s not going anywhere anytime soon.

Action on a SMALL scale (Individuals, families):

From the simplest perspective, what can you or I do about this from an individual’s standpoint? I guess that is up to each of us and our own level of exposure. And in my mind, therein lies the keystone and shining point of it all: It is up to us.

One of the best actions you can take on the small scale is making a point to fact-check your news sources. This can’t be overstated, especially given the high amount of disinformation prevalent on social media and the internet in general, and accentuated by this poll from early 2020 revealing that approximately one third of Americans feel worried because they cannot tell the difference between a fake article and a true article.

There are many tips and tricks to doing this, and a number of good ones are described in this helpful article from NPR, sourced from a guide that an assistant professor of communication & media created for her students at Merrimack College. They include practices like paying attention to oddities in a domain name and URL of a source, looking at the quotes in the story and verifying them with a few other news sources, checking comments to see if a story has been flagged by other readers as fake or misleading, and glancing through the “About Us” section of the story source with an eye for a level-headed mission and ethics statement (for Professor Melissa Zimdars’ original full list of tips for analyzing news sources, click here).

I think it is vital here to also emphasize the relevance and value of reaching out to your community or contacting your local government to see what kind of discussions are already happening. There may be petitions in progress, planned events centered around policy activism, or communication with people that understand the risks we are facing in this metaphorical arena.

Bringing it full circle - What conclusions can we draw?

And so, in essence, it really comes down to choice - our choice of how much time we spend on a given digital platform, how much news and/or propaganda we read (or watch) a day, how many campaign videos we watch, and in general how much we are exposed to the overwhelming amount of information that is available at the tap of a button in the palm of our hand.

Our country is moving in the right direction.
— Ari Schwartz, former Senior Director for Cybersecurity at the White House.

ProtectedIT partner, RSA, spoke to him earlier in the month regarding his thoughts on these very topics. According to him, there has been more discussion over the last 10 years when it comes to securing the future of elections, and over the last 4 years (since the election of 2016) more people have tuned in to understand what election security is and what it entails. He says this is “good progress.” He adds credence to a point I’d discussed earlier regarding funding for state IT and local government IT modernization efforts, and also emphasizes how “sowing doubt” about the democratic process in the minds of its citizens is a dangerous and effective move against democracy and a “nemesis” to an election.

Following the Russian meddling in the U.S. presidential election of 2016 and the 2017 German elections, an expert on European and trans-Atlantic foreign security policy testified before a U.S. Senate Select Committee, and her words are powerful and worth bringing to focus again:

“By striking at Europe and the United States at the same time, the interference appears to be geared towards undermining the effectiveness and cohesion of the Western alliance as such - and at the legitimacy of the West as a normative force upholding a global order based on universal rules rather than might alone. That said, Russia’s active measures are presumably directed at a domestic audience as much as towards the West: They are designed to show that Europe and the U.S. are no alternative to Putin’s Russia. Life under Putin, the message runs, may be less than perfect; but at least it is stable.”

Without question, that is a stark and unsettling insight.

I’ve said it before, and I’ll say it again - this is not just a provocation of the U.S. It is a move against democracy itself. It seems to me that there is no other way forward but to push back against these threat actors to the fullest extent we are able. That is a conclusion that can be drawn whether you remain skeptical and filled with doubt, are passionately fired-up about the cause, or are just cautiously hopeful. No matter the background, no matter the political squabbles, no matter the ethical differences and ho-hum excuses that Americans invent for themselves, on this we are united. United in a cause to defend this democracy and other democracies worldwide. These measures may take years and several elections until we come to a state of confidence in the system. There is no doubt that it is worthwhile to continue working towards legitimizing the process, securing the systems, and equipping the citizens, thereby removing the doubt.

Because if we want to ask the single, resounding rhetorical question here that is begging to be asked: What would be the alternative?

To be continued.
