Daxdi now accepts payments with Bitcoin

2020 Election Security: What the Experts Are Saying About Ransomware, Paper Ballots, More

SAN FRANCISO—If foreign meddling in the 2016 US presidential election caught people unawares, the security experts at the RSA Conference are working to ensure there will be fewer surprises in 2020.

In many sessions and meetings, broad themes emerged about what threats we should expect this election cycle, and what can be done about them.

Voting Machines Aren’t the Problem (Anymore)

When I sat down with Tod Beardsley, Rapid7’s Director of Research, the first words out of his mouth were, “I don’t want to talk about voting machines.” Attacking voting machines, he said, requires a big effort and probably some degree of proximity to the machines themselves.

Voting machine vendors have also upped their game in recent years.

“They’re no longer the villain, more of a reluctant ally,” said Beardsley.

“If that were the attack we had to worry about, we’d be so far ahead of the game.”

Voters line up on April 26, 2016 in Greenbelt, Md.

(Photo by Mark Gail/For The Washington Post via Getty Images)

Beardsley wasn’t alone.

The issue was also raised during the annual Cryptographer’s Panel.

Ron Rivest—the “R” in RSA and currently a professor at MIT—said voting machine security has improved.

“One of the things we have learned...is the importance of paper ballots,” said Rivest, who explained that 80 percent of voters will use a paper ballot this year.

While votes may be counted electronically, a paper record means that the digital results can be verified and audited, confirming the validity of the outcome.

“Putting a foundation of trust on electronic components that are hackable is the wrong way to go,” said Rivest.

While Rivest is optimistic about the security of voting in 2020, he isn’t convinced that new technologies like blockchain have a place in elections.

“Blockchain is the wrong security technology for voting,” said Rivest.

“It’s like bringing a combination lock to a kitchen fire.”

Disinformation Is Here to Stay

In her talk, FireEye SVP and Head of Global Intelligence Sandra Joyce reminded the audience that voting machines are just part of a larger election ecosystem of individuals, systems, and organizations.

“The largest attack surface in the nation is the electorate.

Us.”

The way to attack the electorate, Joyce explained, is through disinformation.

She described this as efforts to “sway your opinions or amplify opinions you already have in an inauthentic way.” She pointed to an Iranian campaign that succeeded in getting letters to the editor published in American newspapers.

It was easy, she said, to think, “it’s a concerned citizen from Modesto but it’s an influence operation from Iran.”

2016 Democratic National Convention (Photo by Michael Robinson Chavez/The Washington Post via Getty Images)

The 2016 US presidential election was replete with disinformation.

After the election, it was discovered that Russian operatives had created numerous political and community groups on Facebook and accounts on Twitter.

US officials also blamed blamed Russia for the theft of Democratic National Committee emails, which were released by WikiLeaks.

“We're going to see misinformation and disinformation around the next one,” said Sam Curry, CSO of Cybereason.

“We've seen it in every election over the last four years.

This is a propaganda war and the tools available to propaganda people are immense.”

Beardsley was equally blunt in his assessment.

“That has happened and will happen again.” The onus, he said, is on Facebook and other sites that are used as platforms for misinformation campaigns to do something.

Facebook and Twitter played key roles in the disinformation campaigns surrounding the 2016 US presidential election.

Four years later, experts are frustrated with the lack of progress on the part of social media companies to better police their platforms.

Curry was certain that Facebook ads will play a part in future election meddling, and voiced concern that the company had not committed to policing political ads.

Curry also voiced concern about “cyberswarming,” where real individuals have the same effect as an automated DDoS.

The example he cited was 4chan tying up the phone number used by voter precincts in the Iowa caucus.

The "ideological alignment of a large group of people was able to be mobilized to embarrass the Democratic Party” and take disruptive action, said Curry.

(John J.

Kim/Chicago Tribune/Tribune News Service via Getty Images)

Social media companies have confirmed that the threat of disinformation hasn’t gone away, and it has evolved on social platforms.

“Since 2016 we have seen an evolution of tactics set by these threat actors,” said Yoel Roth, Head of Site Integrity at Twitter, during an RSAC panel.

Instead of relying on huge numbers of bogus accounts, disinformation operations now use smaller numbers of higher value accounts.

Nathaniel Gleicher, Head of Cybersecurity Policy at Facebook, agrees.

Social media companies are now facing, “operations that are very expensive on the part of the threat actors, where you try to create false organizations and get people to trust them over years.” While these are more sophisticated threats, the groups protecting against these threats are “getting better faster.” The bad guys, said Gleicher, are spending more to build these disinformation campaigns and being caught earlier.

Despite that optimism, combatting disinformation online remains a difficult business.

Gleicher and Roth both discussed a Catch-22 situation where disclosing potential disinformation threats without absolute confidence can actually do the work of the bad guys.

“We know that an explicit part of Russia’s goal is to make us think there are Russians under every rock,” said Gleicher.

Ransomware Attacks in the Future?

An “Election Day ransomware event is what I am most afraid of," Beardsley said.

While the waves of ransomware targeting cities in 2019 were brutal, Beardsley said it has given security professionals and cities a chance to prepare for this type of malware striking during an election.

In his onstage discussion, Christopher Krebs, Director of the Cybersecurity and Infrastructure Security Agency, said he's most concerned about ransomware hitting "areas where information is centralized and highly networked—that’s where a lot of the risk is." 

In elections, that means voter registration databases.

Poll workers need that data to run elections, raising its value, and the centralization of the data means it can be targeted in its entirety.  Fortunately, there’s already a playbook for ransomware defense.

“It’s just like any ransomware event,” said Krebs.

“You have an offline backup, [you] have an analog backup, have paper voter rolls.

Not just at the state level but at the individual precinct level.”

Missouri voters, 2016 (Cristina M.

Fletes/St.

Louis Post-Dispatch/Tribune News Service via Getty Images)

J.J.

Thompson, the Senior Director of Managed Threat Response at Sophos, agreed that voting machines are not the main concern, but rather poll books and submission systems used at voting sites.

Poll books contain lists of registered voters, and are needed to confirm that someone is eligible to vote.

In the 2016 election, there was some evidence that lists of registered voters were targeted by Russian attackers.

Targeting poll books and submission systems would “cause chaos throughout the system,” Thompson said.

He was careful to point out that these attacks might not change the outcome of the election, but could cast doubt on the results.

“Disruption is important because most states don’t certify election results until days after the election.”

The disparate nature of US elections has often made it hard to improve security.

Different places use different means to cast ballots, so improving security has to be done and a case-by-case basis.

That fractured nature, however, can sometimes be a blessing.

“The reason it’s somewhat secure is because it’s so disparate you’re not able to go attack the system as a whole." Centralization of data, said Thompson, would be the worst thing for security.

Recommended by Our Editors

In his talk at RSAC, Aaron Wilson, Senior Director of Election Security at the Center for Internet Security, focused in on the non-voting equipment used in elections.

Like others, he identified poll books as a potential weak point, but also included tools for reporting results, voter registration systems, and others.

Unlike voting machines, Wilson said that these systems have “a greater attack surface than our voting systems because it’s internet-connected in one way or another.”

Issues with submitting poll results has already cropped up in this election cycle.

The app used at the Iowa caucus to report results from individual precincts was not secure and did not work, causing confusion and lengthy delays in reporting the results.

Wilson said the topthreats he saw as likely against these systems were denial of service and ransomware, which are similar in that they both prevent access to critical information and infrastructure.

These are, “Particularly concerning to me because you know exactly when to wage the attack," he said.

Fortunately, Wilson had several suggestions for defending against these attacks.

Companies and municipalities needed to set up back-up communications systems, create full system backups, and plan ahead so that everyone knows their role in a crisis.

For ransomware specifically, Wilson also recommended segmenting networks, which prevents ransomware from spreading to the most sensitive areas.

Contracting the services of a DDoS prevention services is also a good idea, according to Wilson.

The Best Defense

One idea that came up several times was that the best defense against election meddling was voting.

During an election war game, Curry said there wasn’t any one method or tool that would fix voting.

“There’s nothing that’s foolproof,” said Curry.

“The answer isn’t just to run to paper or run to technology.”

Instead, Curry felt that technology should be used to make voting easier and more accessible, and enfranchise more voters.

He called this, “a literal democratization by getting more people out to vote.”

Beardsley echoed that sentiment when he spoke with me.

“The best defense to any kind of technical attack is showing up and voting,” said Beardsley.

If there are any issues at the polls, voters can cast a provisional ballot and work it out later.

Beardsley admits that this is “a little user blamey,” but that voters voting is enormously powerful.

He believes it can also suppress misinformation campaigns where people are told the wrong location or day to vote.

Krebs was clear-eyed about the likelihood of election disruption, and the role that voters will play in that.

“100 percent security is not possible,” said Krebs.

“You as the voter need to have a plan as well.”

SAN FRANCISO—If foreign meddling in the 2016 US presidential election caught people unawares, the security experts at the RSA Conference are working to ensure there will be fewer surprises in 2020.

In many sessions and meetings, broad themes emerged about what threats we should expect this election cycle, and what can be done about them.

Voting Machines Aren’t the Problem (Anymore)

When I sat down with Tod Beardsley, Rapid7’s Director of Research, the first words out of his mouth were, “I don’t want to talk about voting machines.” Attacking voting machines, he said, requires a big effort and probably some degree of proximity to the machines themselves.

Voting machine vendors have also upped their game in recent years.

“They’re no longer the villain, more of a reluctant ally,” said Beardsley.

“If that were the attack we had to worry about, we’d be so far ahead of the game.”

Voters line up on April 26, 2016 in Greenbelt, Md.

(Photo by Mark Gail/For The Washington Post via Getty Images)

Beardsley wasn’t alone.

The issue was also raised during the annual Cryptographer’s Panel.

Ron Rivest—the “R” in RSA and currently a professor at MIT—said voting machine security has improved.

“One of the things we have learned...is the importance of paper ballots,” said Rivest, who explained that 80 percent of voters will use a paper ballot this year.

While votes may be counted electronically, a paper record means that the digital results can be verified and audited, confirming the validity of the outcome.

“Putting a foundation of trust on electronic components that are hackable is the wrong way to go,” said Rivest.

While Rivest is optimistic about the security of voting in 2020, he isn’t convinced that new technologies like blockchain have a place in elections.

“Blockchain is the wrong security technology for voting,” said Rivest.

“It’s like bringing a combination lock to a kitchen fire.”

Disinformation Is Here to Stay

In her talk, FireEye SVP and Head of Global Intelligence Sandra Joyce reminded the audience that voting machines are just part of a larger election ecosystem of individuals, systems, and organizations.

“The largest attack surface in the nation is the electorate.

Us.”

The way to attack the electorate, Joyce explained, is through disinformation.

She described this as efforts to “sway your opinions or amplify opinions you already have in an inauthentic way.” She pointed to an Iranian campaign that succeeded in getting letters to the editor published in American newspapers.

It was easy, she said, to think, “it’s a concerned citizen from Modesto but it’s an influence operation from Iran.”

2016 Democratic National Convention (Photo by Michael Robinson Chavez/The Washington Post via Getty Images)

The 2016 US presidential election was replete with disinformation.

After the election, it was discovered that Russian operatives had created numerous political and community groups on Facebook and accounts on Twitter.

US officials also blamed blamed Russia for the theft of Democratic National Committee emails, which were released by WikiLeaks.

“We're going to see misinformation and disinformation around the next one,” said Sam Curry, CSO of Cybereason.

“We've seen it in every election over the last four years.

This is a propaganda war and the tools available to propaganda people are immense.”

Beardsley was equally blunt in his assessment.

“That has happened and will happen again.” The onus, he said, is on Facebook and other sites that are used as platforms for misinformation campaigns to do something.

Facebook and Twitter played key roles in the disinformation campaigns surrounding the 2016 US presidential election.

Four years later, experts are frustrated with the lack of progress on the part of social media companies to better police their platforms.

Curry was certain that Facebook ads will play a part in future election meddling, and voiced concern that the company had not committed to policing political ads.

Curry also voiced concern about “cyberswarming,” where real individuals have the same effect as an automated DDoS.

The example he cited was 4chan tying up the phone number used by voter precincts in the Iowa caucus.

The "ideological alignment of a large group of people was able to be mobilized to embarrass the Democratic Party” and take disruptive action, said Curry.

(John J.

Kim/Chicago Tribune/Tribune News Service via Getty Images)

Social media companies have confirmed that the threat of disinformation hasn’t gone away, and it has evolved on social platforms.

“Since 2016 we have seen an evolution of tactics set by these threat actors,” said Yoel Roth, Head of Site Integrity at Twitter, during an RSAC panel.

Instead of relying on huge numbers of bogus accounts, disinformation operations now use smaller numbers of higher value accounts.

Nathaniel Gleicher, Head of Cybersecurity Policy at Facebook, agrees.

Social media companies are now facing, “operations that are very expensive on the part of the threat actors, where you try to create false organizations and get people to trust them over years.” While these are more sophisticated threats, the groups protecting against these threats are “getting better faster.” The bad guys, said Gleicher, are spending more to build these disinformation campaigns and being caught earlier.

Despite that optimism, combatting disinformation online remains a difficult business.

Gleicher and Roth both discussed a Catch-22 situation where disclosing potential disinformation threats without absolute confidence can actually do the work of the bad guys.

“We know that an explicit part of Russia’s goal is to make us think there are Russians under every rock,” said Gleicher.

Ransomware Attacks in the Future?

An “Election Day ransomware event is what I am most afraid of," Beardsley said.

While the waves of ransomware targeting cities in 2019 were brutal, Beardsley said it has given security professionals and cities a chance to prepare for this type of malware striking during an election.

In his onstage discussion, Christopher Krebs, Director of the Cybersecurity and Infrastructure Security Agency, said he's most concerned about ransomware hitting "areas where information is centralized and highly networked—that’s where a lot of the risk is." 

In elections, that means voter registration databases.

Poll workers need that data to run elections, raising its value, and the centralization of the data means it can be targeted in its entirety.  Fortunately, there’s already a playbook for ransomware defense.

“It’s just like any ransomware event,” said Krebs.

“You have an offline backup, [you] have an analog backup, have paper voter rolls.

Not just at the state level but at the individual precinct level.”

Missouri voters, 2016 (Cristina M.

Fletes/St.

Louis Post-Dispatch/Tribune News Service via Getty Images)

J.J.

Thompson, the Senior Director of Managed Threat Response at Sophos, agreed that voting machines are not the main concern, but rather poll books and submission systems used at voting sites.

Poll books contain lists of registered voters, and are needed to confirm that someone is eligible to vote.

In the 2016 election, there was some evidence that lists of registered voters were targeted by Russian attackers.

Targeting poll books and submission systems would “cause chaos throughout the system,” Thompson said.

He was careful to point out that these attacks might not change the outcome of the election, but could cast doubt on the results.

“Disruption is important because most states don’t certify election results until days after the election.”

The disparate nature of US elections has often made it hard to improve security.

Different places use different means to cast ballots, so improving security has to be done and a case-by-case basis.

That fractured nature, however, can sometimes be a blessing.

“The reason it’s somewhat secure is because it’s so disparate you’re not able to go attack the system as a whole." Centralization of data, said Thompson, would be the worst thing for security.

Recommended by Our Editors

In his talk at RSAC, Aaron Wilson, Senior Director of Election Security at the Center for Internet Security, focused in on the non-voting equipment used in elections.

Like others, he identified poll books as a potential weak point, but also included tools for reporting results, voter registration systems, and others.

Unlike voting machines, Wilson said that these systems have “a greater attack surface than our voting systems because it’s internet-connected in one way or another.”

Issues with submitting poll results has already cropped up in this election cycle.

The app used at the Iowa caucus to report results from individual precincts was not secure and did not work, causing confusion and lengthy delays in reporting the results.

Wilson said the topthreats he saw as likely against these systems were denial of service and ransomware, which are similar in that they both prevent access to critical information and infrastructure.

These are, “Particularly concerning to me because you know exactly when to wage the attack," he said.

Fortunately, Wilson had several suggestions for defending against these attacks.

Companies and municipalities needed to set up back-up communications systems, create full system backups, and plan ahead so that everyone knows their role in a crisis.

For ransomware specifically, Wilson also recommended segmenting networks, which prevents ransomware from spreading to the most sensitive areas.

Contracting the services of a DDoS prevention services is also a good idea, according to Wilson.

The Best Defense

One idea that came up several times was that the best defense against election meddling was voting.

During an election war game, Curry said there wasn’t any one method or tool that would fix voting.

“There’s nothing that’s foolproof,” said Curry.

“The answer isn’t just to run to paper or run to technology.”

Instead, Curry felt that technology should be used to make voting easier and more accessible, and enfranchise more voters.

He called this, “a literal democratization by getting more people out to vote.”

Beardsley echoed that sentiment when he spoke with me.

“The best defense to any kind of technical attack is showing up and voting,” said Beardsley.

If there are any issues at the polls, voters can cast a provisional ballot and work it out later.

Beardsley admits that this is “a little user blamey,” but that voters voting is enormously powerful.

He believes it can also suppress misinformation campaigns where people are told the wrong location or day to vote.

Krebs was clear-eyed about the likelihood of election disruption, and the role that voters will play in that.

“100 percent security is not possible,” said Krebs.

“You as the voter need to have a plan as well.”

PakaPuka

pakapuka.com Cookies

At pakapuka.com we use cookies (technical and profile cookies, both our own and third-party) to provide you with a better online experience and to send you personalized online commercial messages according to your preferences. If you select continue or access any content on our website without customizing your choices, you agree to the use of cookies.

For more information about our cookie policy and how to reject cookies

access here.

Preferences

Continue