Black Hat 2018: 10 Execs On The Top Cybersecurity Threat America Faces Around The 2018 Midterm Elections
Voting Under The Microscope
The November 2018 midterm contests have generated more scrutiny from a cybersecurity perspective than any election in recent memory due to the unprecedented high-profile data leaks and Russian-backed social media disinformation efforts during the 2016 election cycle.
In addition to a potential reprisal of all the issues from 2016, some observers fear that the voting machines themselves could be tampered with by a nation-state actor or agent.
CRN spoke with 10 executives and technical leaders at Black Hat 2018 to separate fact from fear, and get a sense of the most realistic scenarios that could cause disruption in the runup to the election or at the ballot box.
Read on for a deep dive into the top cybersecurity threats facing our electoral system heading into November's midterm vote.
Candidate Compromised Via Social Media
Bad actors could worm their way into a candidate's circle of trust by hitting a non-technically savvy person associated with the campaign with a phishing attack to obtain their credentials, according to Juniper Head of Threat Labs Mounir Hahad.
From there, a hacker would move from one person to the next obtaining credentials until they have found someone in the candidate's inner circle, Hahad said, at which point they will impersonate the close friend and send the candidate an email, Facebook message or Twitter message with a link or image.
The SVG image, though, could contain malicious JavaScript, Hahad said, or the link could lead to a dummy YouTube page that implements spyware onto the candidate's phone or laptop.
Once the bad actor has access to the candidate's phone, Hahad said they benefit from direct intelligence on the campaign's decision-making as well as private information that could potentially be used to blackmail the campaign.
Insufficient Education For Election Administrators
The people tasked with deploying and overseeing the voting technologies on Election Day may not have access to the security or IT expertise to know where the risks really lie, according to Symantec Chief Technology Officer Hugh Thompson.
Thompson said poll workers can typically detect suspicious behavior in the physical world – such as a person stuffing multiple pieces of paper into a ballot box – by might not be savvy to how a bad actor could tamper with a memory card holding the results of a specific voting precinct, or what it might look like if that were happening.
The greatest potential for problems lies in the process element of technology, Thompson said, such as a municipality making the machine it uses to tabulate votes accessible to the general public in the days and weeks leading up to the election as an internet kiosk. Thompson said unauthorized access to the tabulating machine could result in it getting infected with malware that tampers with the process.
Computer hacker - Male thief stealing data from laptop
User Credential Compromise
Attackers will look to breach the accounts that offer the least resistance and escalate their way up to the users with more valuable information, according to Todd Moore, Gemalto's senior vice president of encryption products. Consistency often proves elusive, Moore said, since a small funding base at the local government level means their data protection and access control capabilities lag behind state and federal counterparts.
A compromised user name or password is the single easiest way in for bad actors since the system isn't able to distinguish between the intended or an unintended user entering the right password, according to Jason Hart, Gemalto vice president and CTO for data protection. By gaining access to election data, Hart said bad actors can cause reputational damage and discredit a candidate or their entire campaign.
Access control safeguards should go beyond multifactor authentication, Moore said, and include biometrics, fingerprints, keystroke examination and other environmental factors to ensure the bad guy isn't able to enter with just a password. And should a bad actor breach the perimeter, Moore said strong segregation and classification of data should help prevent access to the crown jewels.
Danger light
Leak Of Voter Rolls
Given the low level of work required to impersonate a government employee at login, a bad actor could enter the system as a server administrator, obtain a large amount of voter information, and either release it online or use it for their own purposes, according to Ping Identity Senior Technical Architect Sarah Squire.
Squire said the leak of voter lists would be valuable to advertisers for targeting purposes since the voting data itself could provide more insight into who actually votes and where they likely shop or get their news.
Squire would love to see encryption at rest for voting data, Squire said, with the key needed to obtain access to the personally identifiable information (PII) stored in a different place than the information itself. In that scenario, Squire said that even if a bad actor were to gain access to voting data, they would be unable to decrypt it.
Manipulation Of Voting Machines
The collection of voting data is difficult to orchestrate and secure given its decentralized nature as well as the use of different technology in different places, according to Chad Holmes, Optiv's executive vice president, chief services and operations officer.
Voting machines can be manipulated in a manner similar to ATMs if a bad actor has direct access, Holmes said, and securing the infrastructure or network these machines connect with can be challenging. Physical access is the easiest way hackers can be disruptive since many poll workers know little to nothing about cybersecurity, according to Incident Response Practice Director Jeff Wichman.
Jurisdiction with quality analytics or data lake sophistication on the back end, though, should be able to figure out what's going on, detect the anomalies, and isolate the compromised voting machine fairly quickly, according to Holmes.
Social Engineering
The social campaigns from Russian accounts associated with Cambridge Analytica convincing people to behave in a certain manner have been far more effective than any voting machine hack, according to Veracode Vice President of Research Chris Eng. Ongoing efforts to manipulate the populace continue unabated, Eng said, with more Tweets sent out by bad actors after the election than before it.
Disrupting the voting technology itself would be far more difficult, Eng said, since the use of different equipment and networks by different cities means that there's no one place hackers can attack and suddenly gain control, Eng said.
Although voting machines have been found to have vulnerabilities at events such as Def Con, Eng said it would require a much bigger effort to actually execute on said vulnerabilities and mess with the machines. From an offensive perspective, Eng remains skeptical about the practicality of launching a meaningful attack against voting machines at scale.
Malware Embedded In Advertisements
Accenture has worked with media companies to protect their messaging and advertising and ensure foreign entities aren't able to control or manipulate it, according to Kelly Bissell, Accenture Security global managing director.
The company can use video and image analytics to ensure bad actors haven't intentionally embedded malware into digital advertisements to monitor users, Bissell said. And from a content moderation standpoint, Bissell said Accenture can detect whether or not the user is a real person, where they're coming from and what their intent is to ascertain whether or not the comment is appropriate.
The midterm elections will accelerate the pace at which Accenture's decision-making engine needs to operate, Bissell said, and could lead to changes in the model as geopolitics and the nature of the threat changes.
For instance, content moderation used to be focused purely on legal compliance, but the standards have become more stringent over time, according to Ryan LaSalle, Accenture Security North American Lead.
Election Day Misinformation Campaigns
Modern digital media platforms such as Facebook and Twitter aren't really controlled, meaning there's no way to ensure the information being disseminated on it is accurate, according to Jonathan Goldberger, Unisys security vice president and general manager.
Traditional media outlets didn't typically report on exit poll data until voting is done for the day to avoid influencing the result, Goldberger said. But interested parties can now spread erroneous information on social media to deter people thinking about voting for the candidate who is behind from showing up, according to Goldberger.
User and entity behavior analytics (UEBA) could help preserve the authenticity of exit polls by stopping the dissemination of information during certain time periods and differentiating bots from actual voters by examining what's being shared and communicated on social media, according to Goldberger. Machine learning could also help verify the authenticity of election-related messages, he said.
Political Party Data Leak
Political parties will be targeted in DDoS attacks in hopes of breaching and leaking data that can be used in some sort of fashion to influence opinions, according to Infoblox Director of Threat Intelligence Sean Tierney. The exfiltrating of political party data results in reputational damage to the party, Tierney said, and may result in job loss or other forms of direct harm.
The national political parties saw what happened in 2016 and should be prepared for a repeat of that, Tierney said. But states are unlikely to be as equally prepared due to a lack of funding, Tierney said, which could be consequential in jurisdictions where party control hangs in the balance.
Looking for patterns of abuse through threat intelligence, activity monitoring, and even anti-virus should help with identifying nefarious or suspicious activity, according to Tierney.
Widespread Electronic Voting
Electronic voting should be limited to those who are blind and disabled since it's much easier to manipulate than traditional voting methods, according to Sophos Principal Research Scientist Chester Wisniewski. As bad as the hanging chads were from the 2000 election, Wisniewski said voting on computers introduces new risks such as hacked software or a compromised thumb drive.
The multitude of voting systems within most states makes it difficult for the state to address vulnerabilities or put protections in place to thwart known weaknesses, Wisniewski said. However, the multitude of different voting systems would made it difficult for bad actors to carry out a large-scale manipulation of the actual votes themselves, according to Wisniewski.
A more formal, multistate protocol for communicating election-related information needs to be put in place so that the FBI can get news about cyberthreats or detected security issues out to state and county election officials immediately, Wisniewski said. Any delays in communication end up leaving municipalities and counties vulnerable, according to Wisniewski.