
11/5/2018
08:05 AM
Jeffrey Burt

On Eve of 2018 Midterm Elections, All Eyes Still on Cybersecurity

Netscout and McAfee executives talk about the myriad challenges facing state and county election officials as voting for the 2018 midterm elections is about to get underway.

When Mike McNerney was a cyber policy advisor in the Office of the Secretary of Defense during the Obama administration, the primary concerns regarding cybersecurity were not focused on politics.

"The threat to election wasn't really on our radar as much as threats to other critical infrastructure were, like air traffic controller systems, the electric grid, the stock market, national defense systems," McNerney, now product manager for cyber threat intelligence at Netscout's Arbor Networks security division, told Security Now. "Those were the things that were presence of mind because we considered their loss something that could have a major financial impact on the country or lead to a significant loss of life."

That changed with the 2016 presidential election, when hacking and disinformation campaigns orchestrated by Russia took center stage. They have formed the backdrop not only to the Trump administration's tenure but also to the run-up to this month's midterm elections. (See Carbon Black: 20 Voter Databases for Sale on the Dark Web.)

"A couple of years back, we would not have been so concerned about election hacking per se, because we viewed our adversaries -- particularly the Chinese and the Russians -- were really focused on our national security systems," he said. "Even though they had the capability to go after other infrastructure, we didn't see the intent there. Now what we're seeing is intent matching capability and that's causing more of a problem."

A lot of effort by government agencies, journalists and others has gone into investigating how vulnerable the US election system is to cyberthreats and attempts to bolster the integrity of the process, and a lot of pixels have been used to write about those initiatives. On the eve of the high-profile midterms, industry experts continue to keep the discussion going. During the interview, McNerney spoke about the range of threats -- not only hacking, but also the use of social media to distribute disinformation as well as distributed denial-of-service (DDoS) attacks and efforts by the private sector to help election officials. (See US Voting Machines Riddled With Vulnerabilities & Security Flaws.)

He also has written about cybersecurity and elections.

State and local vulnerabilities
In addition, McAfee CTO Steve Grobman in a blog post outlined some of the key weaknesses found in county election websites and how they could be exploited by attackers.

"A realistic attack wouldn't require mass voting manipulation or the hacking of physical machines," Grobman wrote. "Rather it could use misinformation campaigns focused on vulnerable gaps at the county and state levels. Attackers will generally choose the simplest and most effective techniques to achieve their goal, and there are certain targets that have been overlooked which could prove to be the most practical avenues an attacker could take if their objective was to influence the outcome of an election cycle."

Election officials face myriad challenges and are often impacted by a lack of expertise and budgets. Along with hacking, DDoS attacks are being used as weapons, he said. They have cropped up in congressional campaigns in California and elsewhere.

"A lot of people are focused -- when it comes to operations information -- on stemming the flow of false information," McNerney said. "A lot of people are thinking about this in places like Facebook and Twitter. But just as important is the ability to spread true information, and if you're a candidate and you can't get your message across, no one's going to know who you are and you're going to lose. Or you can't refute an argument someone else is making because your website has crashed through a DDoS. You can't defend yourself and you're going to lose."

For McNerney, the threat is not only that cyberattacks could cause voting systems to malfunction or go down or that misinformation campaigns can muck up the debate, but also that at the end, the integrity of the election process is damaged.

"It's not just the actual security of the system but it's the faith that the system is running and it's secure and that the results actually reflect the will of the people," he said. "If that faith weakens, whether it's true or not, it's a big problem."

McAfee's Grobman noted that experts with the cybersecurity vendor looked at the security measures of county websites in 20 states. Such sites tend to be the first place voters go to find information on upcoming local elections, including such information as voter eligibility requirements, early voting schedules, deadlines to register and voting hours.

"A well-crafted campaign could focus on specific states or congressional districts where a close race is forecasted," he wrote. "An attacker would then examine which counties would have a substantive impact if barriers were introduced to reduce voter turnout, either in total, or a specific subset (such as those in rural or urban parts of a district which generally have a strong correlation to conservative and liberal voting tendencies respectively)."

Need for new standards
What they found was a lack of consistency in how counties validate that their websites are legitimate sites belonging to real county officials. A large majority of websites use domain names such as .com, .net and .us rather than the government-validated .gov in their web addresses. Domain names with .gov have to pass a federal government validation process to confirm that the website in question really belongs to the official government entity.

There also often was a lack of basic protection, such as SSL, the researchers found. For example, the website for Scioto County in Ohio uses an unvalidated .net top-level domain and isn't protected by SSL, Grobman said.

"Many of these sites were built 10 to 15 years ago, before anyone could conceive that they might someday become potential targets for cyber-attacks," Grobman told Security Now in an email. "While not required in the past, new protections are required now that malicious actors are attempting to influence our democracy. State officials may have implemented these security measures on state election sites, but it's important for them to understand that voters may not go directly to those websites looking for important information on elections. Voters may first go to the unprotected, unvalidated local county websites for local information."

Given this, a key danger from such security shortcomings "is the uninformed behavior of human beings rather than technical vulnerabilities in voting systems themselves," he said.

In his blog, Grobman said security standardization, through such means as central regulation or best practice publication, would help protect vulnerable support systems that deal with elections. Federal laws mandating the use of .gov in domain names or SSL protection may be unrealistic, but he said agencies like the Department of Homeland Security could play a leading role by recommending best practices.

In January 2017, in the wake of the 2016 election, then-DHS Secretary Jeh Johnson recommended designating election infrastructure as critical infrastructure, a move that would have given the agency more leeway in providing recommendations and resources to secretaries of state but received pushback from state and local election officials who were wary of federal incursion into the election system, McNerney said.

Despite the ongoing threats to the election process, McNerney said he is "cautiously optimistic" that the situation is improving. The issue has received significant attention from state officials and social media companies are making moves to combat disinformation efforts on their platforms. In addition, a number of cybersecurity vendors, including Netscout, are offering free services to elections officials, an ad-hoc movement that he said should become more formalized.

All of this is important now that the Russians' playbook in how to disrupt an election is out there for others to follow, whether they're other nation-states or threats from inside the country.


— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
