Dark Reading is part of the Informa Tech Division of Informa PLC


Operational Security

11/5/2018
08:05 AM
Jeffrey Burt

On Eve of 2018 Midterm Elections, All Eyes Still on Cybersecurity

Netscout and McAfee executives talk about the myriad challenges facing state and county election officials as voting for the 2018 midterm elections is about to get underway.

When Mike McNerney was a cyber policy advisor in the Office of the Secretary of Defense during the Obama administration, the primary concerns regarding cybersecurity were not focused on politics.

"The threat to elections wasn't really on our radar as much as threats to other critical infrastructure were, like air traffic controller systems, the electric grid, the stock market, national defense systems," McNerney, now product manager for cyber threat intelligence at Netscout's Arbor Networks security division, told Security Now. "Those were the things that were presence of mind because we considered their loss something that could have a major financial impact on the country or lead to a significant loss of life."

That changed with the 2016 presidential election, when hacking and disinformation campaigns orchestrated by Russia took center stage; they have formed the backdrop not only to the Trump administration's tenure but also to the run-up to this month's midterm elections. (See Carbon Black: 20 Voter Databases for Sale on the Dark Web.)

(Source: iStock)

"A couple of years back, we would not have been so concerned about election hacking per se, because we viewed our adversaries -- particularly the Chinese and the Russians -- as really focused on our national security systems," he said. "Even though they had the capability to go after other infrastructure, we didn't see the intent there. Now what we're seeing is intent matching capability and that's causing more of a problem."

A lot of effort by government agencies, journalists and others has gone into investigating how vulnerable the US election system is to cyberthreats and into attempts to bolster the integrity of the process, and a lot of pixels have been spent writing about those initiatives. On the eve of the high-profile midterms, industry experts are keeping the discussion going. During the interview, McNerney spoke about the range of threats -- not only hacking, but also the use of social media to distribute disinformation and distributed denial-of-service (DDoS) attacks -- as well as efforts by the private sector to help election officials. (See US Voting Machines Riddled With Vulnerabilities & Security Flaws.)

He also has written about cybersecurity and elections.

State and local vulnerabilities
Separately, McAfee CTO Steve Grobman in a blog post outlined some of the key weaknesses his team found in county election websites and how attackers could exploit them.

"A realistic attack wouldn't require mass voting manipulation or the hacking of physical machines," Grobman wrote. "Rather it could use misinformation campaigns focused on vulnerable gaps at the county and state levels. Attackers will generally choose the simplest and most effective techniques to achieve their goal, and there are certain targets that have been overlooked which could prove to be the most practical avenues an attacker could take if their objective was to influence the outcome of an election cycle."

Election officials face myriad challenges and are often hampered by a lack of expertise and budget. Along with hacking, DDoS attacks are being used as weapons, McNerney said; they have cropped up in congressional campaigns in California and elsewhere.

"A lot of people are focused -- when it comes to operations information -- on stemming the flow of false information," McNerney said. "A lot of people are thinking about this in places like Facebook and Twitter. But just as important is the ability to spread true information, and if you're a candidate and you can't get your message across, no one's going to know who you are and you're going to lose. Or you can't refute an argument someone else is making because your website has crashed through a DDoS. You can't defend yourself and you're going to lose."

For McNerney, the threat is not only that cyberattacks could cause voting systems to malfunction or go down or that misinformation campaigns can muck up the debate, but also that at the end, the integrity of the election process is damaged.

"It's not just the actual security of the system but it's the faith that the system is running and it's secure and that the results actually reflect the will of the people," he said. "If that faith weakens, whether it's true or not, it's a big problem."

McAfee's Grobman noted that experts with the cybersecurity vendor looked at the security measures of county websites in 20 states. Such sites tend to be the first place voters go to find information on upcoming local elections, including such information as voter eligibility requirements, early voting schedules, deadlines to register and voting hours.

"A well-crafted campaign could focus on specific states or congressional districts where a close race is forecasted," he wrote. "An attacker would then examine which counties would have a substantive impact if barriers were introduced to reduce voter turnout, either in total, or a specific subset (such as those in rural or urban parts of a district which generally have a strong correlation to conservative and liberal voting tendencies respectively)."

Need for new standards
What they found was a lack of consistency in how counties demonstrate that their websites are legitimate sites belonging to real county officials. A large majority of the sites use domain names ending in .com, .net or .us rather than the government-validated .gov. A .gov domain has to go through a federal government validation process confirming that the registrant really is the official government entity; the open TLDs carry no such check, so a voter has no easy way to tell an official county site from a lookalike.

The researchers also often found a lack of basic protection such as SSL/TLS, meaning the site is served over plain HTTP rather than HTTPS. For example, the website below for Scioto County in Ohio uses an unvalidated .net domain and is not protected by SSL, Grobman said.

Unsecured voting site (Source: McAfee)
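The two baseline checks the McAfee survey applied to county sites (is the domain under the validated .gov TLD, and is the site served over HTTPS), written up as a small audit script. This is an added example, not McAfee's tooling or code from the article; the site inventory and response headers are constructed inline so it runs offline, and the hostnames are made up. It goes one step beyond the article by also checking for an HSTS header, since that is what keeps a browser on HTTPS once a site offers it.

```python
"""Audit county election site URLs for two baseline properties:
government-validated domain (.gov) and HTTPS with a sensible HSTS policy.

Added example, not McAfee's tooling. Site list and headers are constructed
inline so this runs offline; fetch real headers (e.g. requests.head) before
drawing conclusions about a live site.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# TLDs whose registration is gated by a government validation process.
# .com/.net/.org are open to anyone, and .us (including locality names such
# as co.example.oh.us) is not subject to the .gov validation process, so a
# lookalike under those TLDs is indistinguishable from the real county site.
VALIDATED_TLDS = {"gov", "mil"}
ONE_YEAR = 31536000  # seconds; common minimum recommended HSTS max-age


@dataclass
class Finding:
    url: str
    issues: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.issues


def _hsts_max_age(value: str):
    """Return max-age from an HSTS header value, or None if absent/malformed."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def assess(url: str, response_headers: dict) -> Finding:
    """Classify one site. response_headers are the headers returned for an
    HTTPS GET; pass an empty dict if no HTTPS connection could be made."""
    f = Finding(url)
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower().rstrip(".")
    tld = host.rsplit(".", 1)[-1] if "." in host else ""

    if tld not in VALIDATED_TLDS:
        f.issues.append(f"domain '{host}' is under open TLD .{tld}; not government-validated")

    # HTTP header names are case-insensitive, so normalise before lookup.
    headers = {k.lower(): v for k, v in response_headers.items()}
    if not headers:
        f.issues.append("no HTTPS response (site served over plaintext HTTP only)")
    else:
        max_age = _hsts_max_age(headers.get("strict-transport-security", ""))
        if max_age is None:
            f.issues.append("HTTPS available but no Strict-Transport-Security header")
        elif max_age < ONE_YEAR:
            f.issues.append(f"HSTS max-age={max_age} is under one year")
    return f


# Constructed sample inventory: hostnames and headers are made up for this
# example and do not describe any real county site.
SAMPLE_SITES = {
    "http://www.examplecounty.net/elections": {},                # plaintext only
    "https://vote.example.us": {"Content-Type": "text/html"},   # HTTPS, no HSTS
    "https://elections.example.gov": {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains"},
}


def audit(sites: dict) -> dict:
    """Return {url: list_of_issues} for every site in the inventory."""
    return {url: assess(url, hdrs).issues for url, hdrs in sites.items()}


if __name__ == "__main__":
    for site, issues in audit(SAMPLE_SITES).items():
        print(f"{site}: {'OK' if not issues else '; '.join(issues)}")
```

The TLD check is deliberately a plain string comparison: the point the survey makes is about what a voter can verify from the address bar, not about certificate validity, which a lookalike .net domain can obtain just as easily as the real site.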

"Many of these sites were built 10 to 15 years ago, before anyone could conceive that they might someday become potential targets for cyber-attacks," Grobman told Security Now in an email. "While not required in the past, new protections are required now that malicious actors are attempting to influence our democracy. State officials may have implemented these security measures on state election sites, but it's important for them to understand that voters may not go directly to those websites looking for important information on elections. Voters may first go to the unprotected, unvalidated local county websites for local information."

Given this, a key danger from such security shortcomings "is the uninformed behavior of human beings rather than technical vulnerabilities in voting systems themselves," he said.

In his blog post, Grobman said security standardization, through such means as central regulation or published best practices, would help protect the vulnerable support systems around elections. Federal laws mandating .gov domain names or SSL protection may be unrealistic, he said, but agencies like the Department of Homeland Security could take the lead by recommending best practices.

In January 2017, in the wake of the 2016 election, then-DHS Secretary Jeh Johnson recommended designating election infrastructure as critical infrastructure, a move that would have given the agency more leeway in providing recommendations and resources to secretaries of state but that received pushback from state and local election officials wary of federal incursion into the election system, McNerney said.

Despite the ongoing threats to the election process, McNerney said he is "cautiously optimistic" that the situation is improving. The issue has received significant attention from state officials and social media companies are making moves to combat disinformation efforts on their platforms. In addition, a number of cybersecurity vendors, including Netscout, are offering free services to elections officials, an ad-hoc movement that he said should become more formalized.

All of this is important now that the Russians' playbook in how to disrupt an election is out there for others to follow, whether they're other nation-states or threats from inside the country.


— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
