RSA CONFERENCE -- San Francisco -- As discussion about possible American collusion with Russian interference in the 2016 US presidential election heats up in Washington, the events have also been a hot topic here. RSA Conference speakers have not only tackled recent hacking events specifically, but discussed how they exacerbate the weaknesses of an already fragmented, lightly regulated voting system with highly irregular security practices.
The fundamental questions: what comes next and why does it matter to cybersecurity professionals?
Rep. Michael McCaul (R-TX), chairman of the House Homeland Security Committee, said during a keynote session Tuesday that he was first briefed on election-related attacks in the spring, and has "no doubt" Russians undermined the election.
"This is a red line we should not allow anyone to cross," said Rep. McCaul.
"We must continue to call out Moscow for election interference. … And if we don’t, I am certain they will do it again," he said.
McCaul also said that there must be a response to this behavior, and the "strategies should not include just returning fire."
These were thoughts echoed by John P. Carlin, chair of Morrison and Foerster LLP in a session called "Electoral Dysfunction" Wednesday. Until recently, Carlin was the US Department of Justice's assistant attorney general for national security; he left the position in October. "I'm very concerned about repeated conduct," by nation-state attackers, said Carlin.
During Carlin's tenure, DOJ developed a cybercrime "deterrence playbook" to discourage nation-state attacks on the US by ensuring there would be consequences for them. For deterrence to work, Carlin explained, the government would not only have to make it clear that it would take action in respond to specific acts, but make it clear that "we are going to take actions until the behavior stops."
Michele Flournoy - founder and CEO of the Center for a New American Security, who served as Under Secretary of Defense for Policy from 2009 to 2012 - took aim at Russia and recent attacks specifically.
"We need to assess Russian with clear eyes," said Flournoy, during a session on the future of security and defense Tuesday. She explained that after the Cold War, Russia did not integrate with global community as other members of the Eastern Bloc, and that since Putin took leadership of the country a second time he has pursued a campaign "against democracy" and an effort to deunify allies.
"We owe it to ourselves to investigate [these attacks] further," Flournoy said, saying that we need to "really map the extent of contact between the Trump campaign and Russia."
(Later that day, the New York Times reported that members of the Trump campaign had repeated contact with Russian intelligence before the election. Some legislators, including Senate Foreign Relations Committee Chairman Bob Corker, a Republican, has since suggested that recently ousted national security adviser Michael Flynn should testify before Congress, telling MSNBC "Maybe there's a problem that obviously goes much deeper than what we now suspect." President Trump has suggested the controversy is manufactured.)
How much of this really falls under the purview of cybersecurity, though? No evidence has been reported of voting machines themselves being exploited or attacked in the 2016 US presidential election. The hacks and information leaks that did occur were not particularly sophisticated from a technological standpoint.
Despite that, "it may eventually come to be seen as the biggest hack in history," said Kenneth Geers, Comodo Senior Research Scientist and a NATO Cooperative Cyber Defence Center of Excellence Ambassador, in an interview with Dark Reading. Geers also spoke about the demonstrable connection between malware activity and significant political, socioeconomic events during a Comodo event here Monday and RSA presentations.
Geers says one could "definitely draw a parallel" between Russian involvement in the US elections and the Ukraine election in 2014, because both included the hacking of political parties, doxing, and the information operations in social media - like the creation of fraudulent accounts and the spread of propaganda, which are not always seen as part of the American definition of "information security."
While attackers could focus their hacking efforts on e-voting machines themselves, Geers said, it would easier to discover than these other, subtler methods, Geers said.
Carlin echoed this sentiment. "Think of how effective this was, and it did not attack the [systems we use to vote.]"
There are other, practical reasons attackers wouldn't go after voting machines. Mike Weber, vice president of labs at Coalfire explained in the "Electoral Dysfunction" session, although vulnerabilities have been found in machines before, many of them require physical access, or near access to the hardware. Therefore, it's simpler "not to attack the infrastructure, but the things that access the infrastructure" - like voter databases, for example.
These attacks nevertheless cause distrust in the very democratic process.
In the same session, Pamela Smith, president of Verified Voting said the 2016 election showed that the US vote auditing and recount process is "worse than we thought." There are roughly 6,000 voting jurisdictions in the US, all with their own rules. Some of the jurisdictions that were called upon to do a recount had no voter-verified paper trails, others had policies allowing them the option to re-run their machines' tally instead of counting the paper votes, and others halted the recounts before they were completed.
Related RSA Content:
- Iran Intensifies Its Cyberattack Activity
- Clinton Campaign Tested Staffers With Fake Phishing Emails
- Obama's Former Cybersecurity Coordinator Named President Of CTA