When Mike McNerney was a cyber policy advisor in the Office of the Secretary of Defense during the Obama administration, the primary concerns regarding cybersecurity were not focused on politics.
"The threat to election wasn't really on our radar as much as threats to other critical infrastructure were, like air traffic controller systems, the electric grid, the stock market, national defense systems," McNerney, now product manager for cyber threat intelligence at Netscout's Arbor Networks security division, told Security Now. "Those were the things that were presence of mind because we considered their loss something that could have a major financial impact on the country or lead to a significant loss of life."
That changed with the 2016 presidential election, when hacking and disinformation campaigns orchestrated by Russia took center stage. Those campaigns have formed the backdrop not only to the Trump administration's tenure but also to the run-up to this month's midterm elections. (See Carbon Black: 20 Voter Databases for Sale on the Dark Web.)
"A couple of years back, we would not have been so concerned about election hacking per se, because we viewed our adversaries -- particularly the Chinese and the Russians -- were really focused on our national security systems," he said. "Even though they had the capability to go after other infrastructure, we didn't see the intent there. Now what we're seeing is intent matching capability and that's causing more of a problem."
A lot of effort by government agencies, journalists and others has gone into investigating how vulnerable the US election system is to cyberthreats and attempts to bolster the integrity of the process, and a lot of pixels have been used to write about those initiatives. On the eve of the high-profile midterms, industry experts continue to keep the discussion going. During the interview, McNerney spoke about the range of threats -- not only hacking, but also the use of social media to distribute disinformation as well as distributed denial-of-service (DDoS) attacks and efforts by the private sector to help election officials. (See US Voting Machines Riddled With Vulnerabilities & Security Flaws.)
He also has written about cybersecurity and elections.
State and local vulnerabilities
In addition, McAfee CTO Steve Grobman in a blog post outlined some of the key weaknesses found in county election websites and how they could be exploited by attackers.
"A realistic attack wouldn't require mass voting manipulation or the hacking of physical machines," Grobman wrote. "Rather it could use misinformation campaigns focused on vulnerable gaps at the county and state levels. Attackers will generally choose the simplest and most effective techniques to achieve their goal, and there are certain targets that have been overlooked which could prove to be the most practical avenues an attacker could take if their objective was to influence the outcome of an election cycle."
Election officials face myriad challenges and are often impacted by a lack of expertise and budgets. Along with hacking, DDoS attacks are being used as weapons, he said. They have cropped up in congressional campaigns in California and elsewhere.
"A lot of people are focused -- when it comes to operations information -- on stemming the flow of false information," McNerney said. "A lot of people are thinking about this in places like Facebook and Twitter. But just as important is the ability to spread true information, and if you're a candidate and you can't get your message across, no one's going to know who you are and you're going to lose. Or you can't refute an argument someone else is making because your website has crashed through a DDoS. You can't defend yourself and you're going to lose."
For McNerney, the threat is not only that cyberattacks could cause voting systems to malfunction or go down or that misinformation campaigns can muck up the debate, but also that at the end, the integrity of the election process is damaged.
"It's not just the actual security of the system but it's the faith that the system is running and it's secure and that the results actually reflect the will of the people," he said. "If that faith weakens, whether it's true or not, it's a big problem."
McAfee's Grobman noted that experts with the cybersecurity vendor looked at the security measures of county websites in 20 states. Such sites tend to be the first place voters go to find information on upcoming local elections, including such information as voter eligibility requirements, early voting schedules, deadlines to register and voting hours.
"A well-crafted campaign could focus on specific states or congressional districts where a close race is forecasted," he wrote. "An attacker would then examine which counties would have a substantive impact if barriers were introduced to reduce voter turnout, either in total, or a specific subset (such as those in rural or urban parts of a district which generally have a strong correlation to conservative and liberal voting tendencies respectively)."
Need for new standards
What they found was a lack of consistency in how counties validate that their websites are legitimate sites belonging to real county officials. A large majority of websites use domain names such as .com, .net and .us rather than the government-validated .gov in their web addresses. Domain names with .gov have to go through a federal government validation process to confirm that the website in question really belongs to the official government entity.
There was also often a lack of basic protection, such as SSL, the researchers found. For example, the website for Scioto County in Ohio uses an unvalidated .net top-level domain and isn't protected by SSL, Grobman said.
"Many of these sites were built 10 to 15 years ago, before anyone could conceive that they might someday become potential targets for cyber-attacks," Grobman told Security Now in an email. "While not required in the past, new protections are required now that malicious actors are attempting to influence our democracy. State officials may have implemented these security measures on state election sites, but it's important for them to understand that voters may not go directly to those websites looking for important information on elections. Voters may first go to the unprotected, unvalidated local county websites for local information."
Given this, a key danger from such security shortcomings "is the uninformed behavior of human beings rather than technical vulnerabilities in voting systems themselves," he said.
In his blog, Grobman said security standardization, through such means as central regulation or best practice publication, would help protect vulnerable support systems that deal with elections. While federal laws mandating the use of .gov in domain names or SSL protection may be unrealistic, he said, agencies like the Department of Homeland Security could play a leading role by recommending best practices.
In January 2017, in the wake of the 2016 election, then-DHS Secretary Jeh Johnson recommended designating election infrastructure as critical infrastructure, a move that would have given the agency more leeway in providing recommendations and resources to secretaries of state but received pushback from state and local election officials who were wary of federal incursion into the election system, McNerney said.
Despite the ongoing threats to the election process, McNerney said he is "cautiously optimistic" that the situation is improving. The issue has received significant attention from state officials and social media companies are making moves to combat disinformation efforts on their platforms. In addition, a number of cybersecurity vendors, including Netscout, are offering free services to elections officials, an ad-hoc movement that he said should become more formalized.
All of this is important now that the Russians' playbook for how to disrupt an election is out there for others to follow, whether they're other nation-states or threats from inside the country.
— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.