Operational Security

11/5/2018
08:05 AM
Jeffrey Burt

On Eve of 2018 Midterm Elections, All Eyes Still on Cybersecurity

Netscout and McAfee executives talk about the myriad challenges facing state and county election officials as voting for the 2018 midterm elections is about to get underway.

When Mike McNerney was a cyber policy advisor in the Office of the Secretary of Defense during the Obama administration, the primary concerns regarding cybersecurity were not focused on politics.

"The threat to election wasn't really on our radar as much as threats to other critical infrastructure were, like air traffic controller systems, the electric grid, the stock market, national defense systems," McNerney, now product manager for cyber threat intelligence at Netscout's Arbor Networks security division, told Security Now. "Those were the things that were presence of mind because we considered their loss something that could have a major financial impact on the country or lead to a significant loss of life."

That changed with the 2016 presidential election, when hacking and disinformation campaigns orchestrated by Russia took center stage. Those campaigns have formed the backdrop not only to the Trump administration's tenure but also to the run-up to this month's midterm elections. (See Carbon Black: 20 Voter Databases for Sale on the Dark Web.)

"A couple of years back, we would not have been so concerned about election hacking per se, because we viewed our adversaries -- particularly the Chinese and the Russians -- were really focused on our national security systems," he said. "Even though they had the capability to go after other infrastructure, we didn't see the intent there. Now what we're seeing is intent matching capability and that's causing more of a problem."

A lot of effort by government agencies, journalists and others has gone into investigating how vulnerable the US election system is to cyberthreats and attempts to bolster the integrity of the process, and a lot of pixels have been used to write about those initiatives. On the eve of the high-profile midterms, industry experts continue to keep the discussion going. During the interview, McNerney spoke about the range of threats -- not only hacking, but also the use of social media to distribute disinformation as well as distributed denial-of-service (DDoS) attacks and efforts by the private sector to help election officials. (See US Voting Machines Riddled With Vulnerabilities & Security Flaws.)

He also has written about cybersecurity and elections.

State and local vulnerabilities
In addition, McAfee CTO Steve Grobman in a blog post outlined some of the key weaknesses found in county election websites and how they could be exploited by attackers.

"A realistic attack wouldn't require mass voting manipulation or the hacking of physical machines," Grobman wrote. "Rather it could use misinformation campaigns focused on vulnerable gaps at the county and state levels. Attackers will generally choose the simplest and most effective techniques to achieve their goal, and there are certain targets that have been overlooked which could prove to be the most practical avenues an attacker could take if their objective was to influence the outcome of an election cycle."

Election officials face myriad challenges and are often impacted by a lack of expertise and budgets. Along with hacking, DDoS attacks are being used as weapons, he said. They have cropped up in congressional campaigns in California and elsewhere.

"A lot of people are focused -- when it comes to operations information -- on stemming the flow of false information," McNerney said. "A lot of people are thinking about this in places like Facebook and Twitter. But just as important is the ability to spread true information, and if you're a candidate and you can't get your message across, no one's going to know who you are and you're going to lose. Or you can't refute an argument someone else is making because your website has crashed through a DDoS. You can't defend yourself and you're going to lose."

For McNerney, the threat is not only that cyberattacks could cause voting systems to malfunction or go down, or that misinformation campaigns can muck up the debate, but also that, in the end, the integrity of the election process is damaged.

"It's not just the actual security of the system but it's the faith that the system is running and it's secure and that the results actually reflect the will of the people," he said. "If that faith weakens, whether it's true or not, it's a big problem."

McAfee's Grobman noted that experts with the cybersecurity vendor looked at the security measures of county websites in 20 states. Such sites tend to be the first place voters go to find information on upcoming local elections, including such information as voter eligibility requirements, early voting schedules, deadlines to register and voting hours.

"A well-crafted campaign could focus on specific states or congressional districts where a close race is forecasted," he wrote. "An attacker would then examine which counties would have a substantive impact if barriers were introduced to reduce voter turnout, either in total, or a specific subset (such as those in rural or urban parts of a district which generally have a strong correlation to conservative and liberal voting tendencies respectively)."

Need for new standards
What they found was a lack of consistency in how counties validate that their websites are legitimate sites belonging to real county officials. A large majority of websites use domain names such as .com, .net and .us rather than the government-validated .gov in their web addresses. Domain names with .gov have to go through a federal government validation process to confirm that the website in question really belongs to the official government entity.

There also often was a lack of basic protection, such as SSL, the researchers found. For example, the website for Scioto County in Ohio uses an unvalidated .net top-level domain and isn't protected by SSL, Grobman said.

"Many of these sites were built 10 to 15 years ago, before anyone could conceive that they might someday become potential targets for cyber-attacks," Grobman told Security Now in an email. "While not required in the past, new protections are required now that malicious actors are attempting to influence our democracy. State officials may have implemented these security measures on state election sites, but it's important for them to understand that voters may not go directly to those websites looking for important information on elections. Voters may first go to the unprotected, unvalidated local county websites for local information."

Given this, a key danger from such security shortcomings "is the uninformed behavior of human beings rather than technical vulnerabilities in voting systems themselves," he said.

In his blog, Grobman said security standardization, through such means as central regulation or best practice publication, would help protect vulnerable support systems that deal with elections. While federal laws mandating the use of .gov in domain names or SSL protection may be unrealistic, he said, agencies like the Department of Homeland Security could play a leading role by recommending best practices.

In January 2017, in the wake of the 2016 election, then-DHS Secretary Jeh Johnson recommended designating election infrastructure as critical infrastructure, a move that would have given the agency more leeway in providing recommendations and resources to secretaries of state but received pushback from state and local election officials who were wary of federal incursion into the election system, McNerney said.

Despite the ongoing threats to the election process, McNerney said he is "cautiously optimistic" that the situation is improving. The issue has received significant attention from state officials, and social media companies are making moves to combat disinformation efforts on their platforms. In addition, a number of cybersecurity vendors, including Netscout, are offering free services to elections officials, an ad-hoc movement that he said should become more formalized.

All of this is important now that the Russians' playbook in how to disrupt an election is out there for others to follow, whether they're other nation-states or threats from inside the country.

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
