
2/17/2017
11:00 AM

After Election Interference, RSA Conference Speakers Ask What Comes Next

Election-tampering called 'a red line we should not allow anyone to cross.'

RSA CONFERENCE -- San Francisco -- As discussion about possible American collusion with Russian interference in the 2016 US presidential election heats up in Washington, the events have also been a hot topic here. RSA Conference speakers have not only tackled recent hacking events specifically, but discussed how they exacerbate the weaknesses of an already fragmented, lightly regulated voting system with highly irregular security practices.

The fundamental questions: what comes next and why does it matter to cybersecurity professionals? 

Rep. Michael McCaul (R-TX), chairman of the House Homeland Security Committee, said during a keynote session Tuesday that he was first briefed on election-related attacks in the spring, and has "no doubt" Russians undermined the election.

"This is a red line we should not allow anyone to cross," said Rep. McCaul. 

"We must continue to call out Moscow for election interference. …  And if we don’t, I am certain they will do it again," he said.

McCaul also said that there must be a response to this behavior, and the "strategies should not include just returning fire."

These were thoughts echoed by John P. Carlin, chair of Morrison and Foerster LLP in a session called "Electoral Dysfunction" Wednesday. Until recently, Carlin was the US Department of Justice's assistant attorney general for national security; he left the position in October. "I'm very concerned about repeated conduct," by nation-state attackers, said Carlin.

During Carlin's tenure, DOJ developed a cybercrime "deterrence playbook" to discourage nation-state attacks on the US by ensuring there would be consequences for them. For deterrence to work, Carlin explained, the government would not only have to make it clear that it would take action in response to specific acts, but also make it clear that "we are going to take actions until the behavior stops."

Michele Flournoy - founder and CEO of the Center for a New American Security, who served as Under Secretary of Defense for Policy from 2009 to 2012 - took aim at Russia and recent attacks specifically.

"We need to assess Russian with clear eyes," said Flournoy, during a session on the future of security and defense Tuesday. She explained that after the Cold War, Russia did not integrate with global community as other members of the Eastern Bloc, and that since Putin took leadership of the country a second time he has pursued a campaign "against democracy" and an effort to deunify allies. 

"We owe it to ourselves to investigate [these attacks] further," Flournoy said, saying that we need to "really map the extent of contact between the Trump campaign and Russia." 

(Later that day, the New York Times reported that members of the Trump campaign had repeated contact with Russian intelligence before the election. Some legislators, including Senate Foreign Relations Committee Chairman Bob Corker, a Republican, have since suggested that recently ousted national security adviser Michael Flynn should testify before Congress, telling MSNBC "Maybe there's a problem that obviously goes much deeper than what we now suspect." President Trump has suggested the controversy is manufactured.)

How much of this really falls under the purview of cybersecurity, though? No evidence has been reported of voting machines themselves being exploited or attacked in the 2016 US presidential election. The hacks and information leaks that did occur were not particularly sophisticated from a technological standpoint.

Despite that, "it may eventually come to be seen as the biggest hack in history," said Kenneth Geers, Comodo Senior Research Scientist and a NATO Cooperative Cyber Defence Center of Excellence Ambassador, in an interview with Dark Reading. Geers also spoke about the demonstrable connection between malware activity and significant political, socioeconomic events during a Comodo event here Monday and RSA presentations.  

Geers says one could "definitely draw a parallel" between Russian involvement in the US elections and the Ukraine election in 2014, because both included the hacking of political parties, doxing, and the information operations in social media - like the creation of fraudulent accounts and the spread of propaganda, which are not always seen as part of the American definition of "information security." 

While attackers could focus their hacking efforts on e-voting machines themselves, Geers said, it would be easier to discover than these other, subtler methods.

Carlin echoed this sentiment. "Think of how effective this was, and it did not attack the [systems we use to vote.]"

There are other, practical reasons attackers wouldn't go after voting machines. Mike Weber, vice president of labs at Coalfire, explained in the "Electoral Dysfunction" session that although vulnerabilities have been found in machines before, many of them require physical access, or near access, to the hardware. Therefore, it's simpler "not to attack the infrastructure, but the things that access the infrastructure" - like voter databases, for example.

These attacks nevertheless cause distrust in the democratic process itself.

In the same session, Pamela Smith, president of Verified Voting, said the 2016 election showed that the US vote auditing and recount process is "worse than we thought." There are roughly 6,000 voting jurisdictions in the US, all with their own rules. Some of the jurisdictions that were called upon to do a recount had no voter-verified paper trails, others had policies allowing them the option to re-run their machines' tally instead of counting the paper votes, and others halted the recounts before they were completed.


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

GetErD973,
User Rank: Apprentice
2/19/2017 | 11:10:27 PM
Russians hacking election? Really?
So many things wrong with this concept.  First, a simple phish attack resulted in showing how the DNC was actually rigging the election and yet somehow what the DNC did is blamed on the Russians?

Second, the great USA has always tried to influence elections of other countries - why is it right when we do it and wrong when others try to do the same to us?

If you are a credible security professional, this is a non-story. If you "hate Trump" and "love Clinton", then this is a great story to try to jam down everyone's throat.

 