Last week, FBI Director Wray testified before Congress that election threats remain and that the FBI and other agencies “need to ensure that they are all doing what they should” to protect elections. With mid-term elections around the corner and 2020 not too far behind, we need to change our thinking about how to counter this challenge. Adversaries looking to influence the results of an election or undermine confidence are probing all avenues of attacks and are becoming more creative and persistent.
While much of the focus on election security has been on voting technology, voter rolls, and related systems, election security professionals need to look beyond the ballot box and consider a range of other threats to systems and individuals that previously may not have been considered essential.
Threats from the Inside
Our research shows that the most successful cyber attacks are initiated by targeting specific individuals or ancillary systems. An attacker’s first objective is conducting reconnaissance of people, systems, and processes with the goal of intelligence gathering and probing for vulnerabilities. It’s important then to consider the tactics, techniques, and procedures (TTPs) of the attacker with the goal of understanding where an attacker can gain that initial beachhead.
We currently track over 140 targeted attack groups and found that over 70 percent of successful attacks were initiated through spear phishing. From our experience, these targeted attackers (think APTs) are generally nation-state supported groups that are sophisticated and well resourced. Their primary motivation isn’t financial, rather it’s subversion and sabotage, making elections a high-value target. Given this, election security professionals need to consider how best to identify threats against their officials and staff.
Here are just a few threat vectors to consider:
Mobile Devices: With the growth of BYOD (bring your own device) and the risk it poses, election officials need to ensure that there are basic industry standard security protocols in place. This is especially important if staff are using phones to access email or sensitive data.
In 2017, we saw a 54 percent growth in new mobile malware and that trend is only predicted to continue. In response, election security professionals need to assess and mitigate the risks associated with elections staff and officials’ use of mobile devices. They must ensure their operating systems are up-to-date and have updated security software deployed.
Cloud: There has been a tremendous growth in the use of cloud applications, which are often unsecured. In fact, it was the use of a cloud application, namely Gmail, that allowed hackers to take over Clinton Campaign Manager John Podesta’s email account during the 2016 Presidential Election. If elections staff are using unsecured cloud applications at work or at home, it provides avenues for attackers looking to gather information or plant malicious malware.
Complicating this is the fact that many CIOs and CISOs are unaware of the number of cloud apps operating in their environments. This is particularly disturbing because you can’t protect what you can’t see. To address this vulnerability, election officials should consider having a “shadow cloud” assessment done in their environment. We have found that on average, while many CIOs thought they only had 30-40 cloud apps operating within their environment, a “shadow cloud” assessment found that they had many times more, with major enterprises averaging over 900.
Internet of Things: Another threat to consider is the growth of Wi-Fi enabled devices, the so-called internet of things (IoT) and the use of unsecured WiFi. Many of these devices lack adequate security protections and can be hacked relatively easily. In fact, one of the world’s largest distributed denial of service attacks ever was launched by the Mirai Botnet which utilized unsecured IoT devices. Election officials indicate that all IoT devices being connected to their environment have updated security software and are only connecting through a secure WiFi connection.
Scary stuff to be sure. But the more aware we are the better prepared we can be against ever-evolving adversaries.
This is the first in a series of blogs that will examine threats to the voting process outside of voting machines and voter rolls. Unlike many of the recent publications on election security, which are more operational in nature, these blogs are aimed at helping election officials think about threats from a much broader perspective. Please follow along as the series progresses and, of course, we welcome your feedback and comments.
Originally Posted 07/03/2018
We encourage you to share your thoughts on your favorite social platform.