By Bob Gourley, Partner and Co-Founder, Cognitio
This article is by Featured Blogger Bob Gourley from his CTOvision column.
I try hard to stay away from hyperbole in the hopes that when I do issue a bold warning more people will listen. But this is a pretty bold one and you should certainly dive into the observable facts yourself to come to your own conclusion. First, here’s my assessment based on years of observation:
- This federal election, 8 Nov 2016, there will be cyber attacks against our voting infrastructure.
- Some attacks will be by old-school malware accidentally injected into the devices. Others will be unauthorized eavesdropping by miscreants who just want to prove they can. Miscreants and some people who are just plain jerks may also seek to conduct denial of service attacks against connected systems.
- Some attacks may be by political operatives seeking to sway things for their candidate or to inject uncertainty.
- All the attacks above, and many other related attacks, are criminal and inexcusable. The attackers should be prosecuted, and the people who designed, fielded, and certified systems that fall vulnerable to these attacks should be considered negligent for fielding systems so easily attacked.
- But the attacks we should fear the most are more insidious. If a well-resourced adversary, which could include China or Russia, decides to conduct cyber attacks against portions of our voting infrastructure, they will be able to inject uncertainty in ways that could cause tremendous doubt among our citizenry.
- Cyber attacks against the electoral infrastructure of the nation could conceivably cause a crisis of Constitutional proportions, since those elected to lead us may have their credibility attacked for letting this occur.
- Other scenarios could include having the results of elections contested not just by legal means but by angry mobs who believe their votes were rendered irrelevant.
I first heard of scenarios of cyber attackers attempting to influence citizens through hacks in the summer of 1999. Then-Air Force Captain Jason Healey was the brains behind many of the more advanced, fact-based assessments and observations in the DoD's new Joint Task Force for Computer Network Defense, and this type of scenario was articulated by Jay back then. At the time most of us were more worried about cyber attacks that might disrupt warfighting data in DoD, and we were all also attuned to and actively fighting theft of information from our systems. But Jay's prescient thoughts helped us consider more elegant and significant scenarios, including some very much like those unfolding in the U.S. right now.
To refresh your memory on the evolving threat, cyber attacks against the election infrastructure have occurred for years. The first public record of presidential campaigns being hacked was when the FBI confirmed that both the Obama and McCain campaigns were hacked by sophisticated adversaries in 2008. Similar attacks occurred in 2012. This is the type of espionage that is done by nations seeking insights into what a future President's policies might be as well as information on who the future leadership team for the President will be. This is pure espionage. It very likely is part of attacks by multiple nations against not just the parties and campaigns but the private IT of 100s or 1000s of those involved in politics in the U.S.
Attacks against the DNC from 2015 to 2016 were discovered with both forensic and circumstantial evidence leading to conclusions that the Russians were involved. There may have been others as well. Then the release of information via WikiLeaks led most to conclude that there have now been deliberate attempts to influence an election.
- Take a few minutes to get personally smart on election system vulnerabilities so you know what you are talking about. I have a list of references below to start your studies.
- Think globally, act locally. Call your local government and tell them you expect to have a paper ballot, that if you use an electronic machine you expect to see a paper printout, and that you expect that polling in your county will be verified by hand count of paper printouts of machines (this is not a perfect approach, but might mitigate some fraud). Also contact your state government and tell them you take this seriously and want to see a list of steps they are taking to enhance security now.
- Find out what the make and model of your electronic voting machine will be. Contact the provider and learn everything you can about it. Learn how to operate it securely and ensure your local polltakers know what you know.
- Do whatever you can to encourage DHS to treat the election infrastructure as an infrastructure. We only have a few weeks before the election, but if they make an emergency push they can make a difference in helping secure the systems.
- Stay informed as this situation develops. We will be covering this topic at ThreatBrief.com, which will be a good place to catch up on the latest on this topic.
- Meet the e-voting machine so easy to hack, it will take your breath away
- Hack the vote: Cyber experts say ballot machines easy targets
- DNC hack requires swift, forceful response from Washington
- How to hack an election in 7 minutes
- DHS may increase protections for voting systems to thwart hackers
Originally published on CTOvision.