Our CTO John Sebes was a featured speaker at Cyberscoop’s recent San Francisco CyberTalks held last week in downtown San Francisco. A huge success, SF CyberTalks was a TED-like conference for the cyber-security leadership community that brought together top influential leaders from the cyber-security community, technology industry and the government.

Cyberscoop’s Chris Bing moderated the Election Security Panel that John participated in, which followed excellent speakers from NSA and DoD who spoke about (among other things) the reality of nation state actor threats to U.S. government systems and other critical systems.  This Fireside chat, moderated by Cyberscoop’s Greg Otto discussed the increasingly wide range of systems being targeted, including critical infrastructure, IoT (Internet of Things) and our democracy (as separate examples of disparate targets).

For John’s panel, his two co-participants were:

  • Curtis Dukes heads up the Security Best Practices & Automation Group at the Center for Internet Security, or CIS. Prior to going CIS, Curtis spent more than 20 years at the NSA, including multiple leadership positions leading the agency’s cyber defense mission, known as IAD, or the information assurance directorate.
  • Steve Grobman is the SVP & CTO of McAfee, one of the largest cybersecurity firms in the world. Steve is a longtime cyber-security expert that’s been focused on the development of innovative technologies to stop hackers.

The panel discussion was comprised of a three-part discussion that flowed from one “part” into the next. We recount the parts, their questions, and John’s responses below.

Each section was intended to build on itself; giving the audience a conversation that while brief, remained informative.  Of course, that’s a challenge in this space where everything from consistency of terms and terminology to the basic difference between an election system and a voting system are chocked full of nuances.   The objective was to avoid wandering into the weeds.  Let’s start with a recap from John about the Panel.

Panel Recap

In our panel we focused on nation state adversaries and cyber-security threats to elections. Each of us emphasized the blended threat of cyber-operations together with information operations and social media—our adversaries have capability in all these areas, and there are multiple adversary nations.  Chris started by asking about threats to integrity of votes. I was pleased by the opportunity to build on the prior remarks to point out that cyber-attacks to tamper vote totals are only one means-to-an-end sought by adversaries, to disrupt our elections and discredit results. Whether it is ballots or voter records or web sites or county IT systems broadly, a visible and detected successful cyber attack has the most value for a blended operation. Mr. Dukes was particularly knowledgeable about the broad integrated capabilities of our adversaries based on his years working at the NSA .

Mr. Grobman made the excellent point that the distributed and varied nature of election infrastructure is actually a double-edged sword.  Yes, there is no mono-culture or single point of failure, but there is so much variety that cyber-operations have a broad and varied field of targets.  We’ve said this all along and it is an important distinction to others who trot out the misguided “diversity helps security” rationale.

At this point, I thought it helpful to recall for the audience that election infrastructure (EI) is officially critical infrastructure (CI), and many are still in the starting gate of putting together a critical infrastructure protection (CIP) program including a cyber-security program, incident response protocols, etc., and many local election organizations still don't understand CI or appreciate the threats of nation state actors (which is also true for a few state election officials as well).  We've written extensively on the topic of critical democracy infrastructure.

That helped frame the rest of discussion as being not just about cyber-security but the cyber-side of national security and homeland security, with regard to both EI and the overall election process.

I also noted that an inconvenient truth is that the majority of election organizations are small operations that are still in the starting blocks for CIP and cyber-security in any form.

I commented that the value in a blended attack of a penetration of a small jurisdiction EO IT operation is nearly as good as a large jurisdiction.  I made the case that a strong attack on the credibility of the upcoming 2018 midterm election results could cast in doubt the results of maybe 5 congressional districts out of the 100+ "in play.”  Those would include small jurisdictions with limited cyber-security capability and no incident response plan.  Their strategy is likely to be a broad attack surface, with many targets, and without focusing solely on small number of larger-sized, better defended targets. Collaterally, adversaries could also train on a large number of small size targets without any cyber-security.

This led to the question of “What’s the greatest concern at present?”  From our perspective, I observed that we should be concerned about local election officials’ back office network and systems, which is:

  1. A vector into the Election Management System (EMS), running on ordinary 90’s-era PCs with windows, and running the EMS software; and
  2. A central target for cyber-operations, where subversion can undermine integrity of the vote tabulation process.

I observed that paper ballots and audits can help detect these, but a successful attack is a big win for adversaries regardless of election officials’ ability to perform recounts from the paper ballots.  And of course, this begged the question, “What can we do?”

I explained that, first we must remember that it's not “election meddling.”  It is about election disruption and the ultimate target is our trust in elections and their outcomes. The first and last line of defense is in each of our own minds; defending against attacks on credibility of our elections. Credibility depends in part on our hard working election officials (EOs) who are ultimately public servants, and from our experience deeply committed to election integrity and the patriotism of their service.  And they deserve our support more than ever.  I note here, that support for EOs should amount to advocating for sustained election administration funding, including cyber-security for critical infrastructure protection.

Election Security Panel Recount: Questions & Answers

Below we recount the discussion, focusing on John’s answers to Chris’s questions, bearing in mind that both Mr. Dukes and Mr. Grobman offered valuable answers, comments, and contributions as well.  We captured only Mr. Sebes’s responses for this article of record.

The first part of the conversation set some context and provided some background.  During this first part, a thematic query was,

What sort of general challenges stand in the way of defending election systems compared to other IT systems?”

Our CTO kicked things off by explaining that election systems are managed by election organizations, which are small with little or no professional IT staff dedicated to election infrastructure, and most do not employ or use any professional cyber-security staff.  The key operational concept is that elections are an ingredient to a larger set of administrative tasks they have in serving their constituents’ typical needs that have anything to do with licensing, permitting, or legal recordings. 

These small government are often called the “county registrar” and election administration is but one of many its tasks. Historically, there has been very little funding to increase efforts to digitally secure their operations because in all practicality for decades their work appeared to be low risk for attack or compromise. 

Clearly, records keeping and the duties associated with issuing a variety of licenses and managing elections always had a notion of careful stewardship and data provenance, but a far cry from where the attack surface has encroached and the risks have risen in a digital age.  

Candidly, that’s not tremendously different from the low level of IT defense in similar small-size enterprises, but it is a huge difference from other critical infrastructure operators — which is what election administration organizations have become post 2016.

The discussion moved on to a description of the general relationship between the federal government and states officials when it comes to the process of election administration. In particular, the Cyberscoop moderator, Mr. Bing asked,

How does this existing structure contribute to some of the security challenges we see today?”

Our CTO continued…

In 2018 the federal government has a much larger interest in the security of elections than seemingly many election organizations do, yet the responsibility falls on 1000s of state and local election organizations that lack the personnel and resources to meet the goals and objectives of Federal officials including relevant House and Senate committees, Department of Homeland Security, etc.  

The Federal government is disbursing $380 million in its Omnibus budget to states for the first time in over a decade, but as a one-time grant—the size depending on an allocation formula managed by the U.S. Elections Assistance Commission (EAC).  But this funding won’t make a significant change in the cyber-security of elections (emphasis on “cyber”).

Chris turned attention next to what’s looming, and asked,

In terms of what we’ve all seen in the news of the last year, what key points do you think should be made and/or corrected, and how would you define the risks looming over the 2018/2020 elections?”

John:  The key thing to understand is that foreign state sponsored activity to disrupt, discredit, and even potentially derail U.S. elections will continue and expand.  This is “game on” for our adversaries, who in the digital age, see expansive opportunities to interfere with our sovereign right to free and fair election.  Our team has written on this topic—the question is whether such interference with our sovereignty; that is attacks on our critical infrastructure of democracy, is tantamount to an act of war. 

I’ll leave that to the great public policy experts, and instead focus on an important point:  these attacks are not focused on vote tampering.  They might have a goal of derailment through tabulation tampering. But doing so is not necessary to achieve their objective, which is not to ensure one candidate wins over another, but instead to make it impossible to determine which candidate won.  Doing so can be achieved through disruption and discrediting attacks using tools of weaponized content for cyber and information attacks.  I don’t believe tampering with ballots is a means of interest.  I’m less skeptical about the end-game means being tampering with tallies. But I am quite concerned about extensive information operations—using weaponized content. 

And one simple example of that would be taking the results of a post election audit where the bad news is an anomaly is detected, but the good news is it can be rectified because we can recount the individual ballots.  The challenge is the attacker will weaponize the news about the audit anomaly in a digital world where a lie can circle the globe before the truth can find the keyboard.  If all an attacker needs to do is call into question the voracity of an election and then claim it was “hacked” “rigged” or “tampered,” then confidence in the election and its outcome can collapse.  In democracy, trust is the imperative foundation.  Diminishing trust becomes the end game.

Cyberscoop moved on to Part 2.

Cyberscoop Comment: Moving beyond the context and background introduction, this is a good point to revisit recent events and go further into some important concepts that are pertinent to the broader discussion.  Over the last two years, the general public has learned that Russian hackers targeted election technology vendors and also that State election systems were targeted. While no voter tallies were changed, based on previous reporting, the risk of more grand sabotage now exists.

Chris: “In your mind, what steps should be taken to ensure confidence in the vote?”

John:  Focus on confidence, prepare for disruption and disinformation—just assume its going to happen, and prepare to be completely transparent about compliance with the current protections on election integrity: physical security, chain of custody, ballot audits, etc.  Realize that modest increments in cyber-defense are not going to effect confidence.

Cyberscoop Comment: Looking at the vulnerabilities that exist across the board in the election process, we have multiple different stakeholders. Among the laundry list are the election technology vendors, which consist of private companies developing and selling election systems to different jurisdictions.

Chris: “Can you speak about the inherent challenges that exist in protecting a private computer network—and by that I mean beyond the scope of vision possible by say NSA or DoD?”

John: The vendors are small companies with slim profit margins, products that were never intended to be critical infrastructure or “CI”, and corporate IT infrastructure that was never intended to be robust against state-sponsored adversaries.  I’m sure that they try their best with the resources they have, but there’s a fundamental mismatch that’s really not their fault.

Cyberscoop moved on to Part 3.

Cyberscoop Comment: Let’s wrap up the previous ideas and also speak about the future including possible predictions, etc.  In addition, this last part should provide ample opportunity to plug ideas concerning broader industry themes and tactics and best practices.

Chris: "Let’s ask a broad question: would you define cyber-enabled election meddling as an act of war (in the context of cyber warfare)? "If so, what is the appropriate response?" "What sort of active defenses could be potentially installed to deter future meddling by not only Russia but also other governments?"

John: [Ed. Note: John added the following to his comments after the session] So, that’s a large question probably deserving of a session of its own. Our general counsel, Christine Santoro broached this subject in a blog post last June, and my co-founder, Gregory Miller and one of our analysts, Sergio Valente published a brief essay last month on protecting elections as a matter of national security, where this question of whether attacking election infrastructure is tantamount to an act of war.  I believe the jury is out, with good arguments going either way. 

Let me say this, the OSET Institute believes any attempt to disrupt American sovereignty runs dangerously close to an act of war. After all, public confidence in elections can be linked back to national security.  America learned during the Vietnam War that the success of military operations often rests on how much public support they receive. So, for the public to support its government’s national security efforts, it must also have faith that the government representing them is legitimate.

So, we believe in this digital age attacking our elections is certainly a significant act of aggression.  Remember, the goal of these foreign state actors is to cause chaos in our elections in order to make it impossible to determine who won. Arizona Senator John McCain has suggested the 2016 meddling rose to such a stature, but as our General Counsel’s article observes, the question remains a difficult one.

Chris: "How do you believe 2016 changed the course of history when it comes to cyber-enabled election meddling?" "How can other countries build on this example?"

John: This was the first time that the public was made aware of cyber-operations by state sponsored adversaries.  2016’s actors demonstrated to a broad range of other actors how easy it is to have an impact.  The Intelligence Community tells us that multiple countries have the cyber-weapons, the crews, and the capabilities to use them, and that we should expect continued cyber-ops or info-ops and likely both.

Summary

In summary, beyond John’s remarks to that last question, we’ve all heard the experts’ testimony that summarily makes the point that the Russians and several others are not just returning; they’re already here.  Our co-founder and COO, Gregory Miller likes to rely on a sports analogy and characterizes the events of the 2016 election orchestrated by the Kremlin as amounting to “spring ball” for U.S. football fans.

To Chris Bing’s last point, the events of 2016 will dramatically alter the course of democracy administration going forward.  Not only do we face the daunting challenge of shoring up trust in our information and news services to supply factual content for us to make considered decisions in casting our ballots, but the very infrastructure on which we rely to cast and count those ballots, and ensure that ballots are counted as cast, is in legitimate doubt. 

In the 21st century, our ill preparedness for cyber attacks (of any sort), combined with weaponized content in information operations has American election administration disconnecting and reverting to 20th century means.  Yet, as our society becomes increasingly digital in all aspects, this particular element—the administration of democracy—may ultimately have to find its way back to the future. Arguably, election administration in the 21st century, regardless of the compulsory requirement for paper ballots of record, will require a new higher integrity, lower cost, easier to use and far more secure platform if we’re to ensure citizens remain engaged and preserve trust in elections and their outcomes.

Comment