In the runup to the November elections, there were serious concerns that hacker groups acting as proxies for hostile nations might seek to attack the US electoral system - everything from the changing of votes to the spread of disinformation. But while the worst-case scenarios involving the possibility of widespread electoral interference failed to materialize, security experts aren’t close to declaring victory.
They say considerable challenges remain on the horizon for state and local elections officials, who face major work to protect their voting systems from future cyber attacks.
Indeed, a recent report by the National Academy of Sciences notes that states have been left free to go their own way so that each one does something a little different from the others. That means the task of securing them also means taking on 50 different kinds of problems, a challenge that clearly involves considerable effort, not to mention considerable funding.
“This is going to be an expensive endeavor but it’s something we must do if we’re going to have confidence in our democracy,” said Thomas Hicks, Commissioner of the U.S. Election Assistance Commission (EAC).
Hicks spoke on a roundtable at the Symantec Government Symposium that brought together government officials and security experts to discuss the ever-evolving challenge of cyber security, with election security serving as a major topic.
“It’s a misnomer to think that election localities have vast staffs,” Hicks said. “They don’t have the resources they need to defend themselves against nation-states.”
Considerable challenges remain on the horizon for state and local elections officials, who face major work to protect their voting systems from future cyber attacks.
Consider, for example, the activities of APT28, an espionage group that according to the U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) is linked to the Russian government. The organization was found to have conducted a months-long spear-phishing campaign starting in the Spring of 2016, when it began sending malware-laded emails to political targets including members of the Democratic National Committee. APT28 subsequently used stolen credentials to gain access to the DNC network, install malware, move across the network, and steal data, including a trove of emails. The compromised information was later leaked online.
The activities of APT28 and other sophisticated attack groups working at the behest of various nation-states injects a new element into the calculus that CISOs and CIOs must factor into their threat assessments - and for good reason.
“The bad guys are incredibly creative,” said Thomas MacLellan, the Director of Policy & Government Affairs at Symantec. “If they learn about a weakness in a particular area, they’ll go after whatever they possibly can do to undercut the most important notion - which is the notion of trust.”
At the same time, however, MacLellan said there has been encouraging progress, noting that “a lot has been done to improve election security around the country” since 2016.
“There’s a narrative that nothing’s happened since the last election - and that’s not true,” he said. “It's a mixed bag. It’s good that we’ve got progress but there are still things that can be done,” MacLellan added. “The states are just now getting up to speed. The good news is that there are lots of best practices they can build on.”
Stronger Lines of Communications
The roundtable panelists also said the work that’s being invested in establishing closer communications between local election officials and security practitioners is paying off in better overall security. One of the participants in the discussion, Robert O’Connor, the Chief Information Security Officer, Maricopa County, described how his department is now “working very closely with election officials to make sure that we understand the end-to-end process and to understand the landscape where risks and vulnerabilities are from an operational perspective.”
At that point, he said it’s possible to share lessons learned and apply best practices to the election systems.
“We’re trying to make sure we have good communications between all state and local county organizations in Arizona and share best policies,” he said. “We need to focus on our people who are typically our weakest link and first line of defense. ...and develop a culture of security to contribute to this idea of baking security into the system.”
As we look forward to the 2020 elections, the focus on security will only become greater. Election officials will need to continue to look outside the ballot box, moving towards a more holistic approach rather than a narrow focus on a single part of the problem.