The quarterly incident response (IR) threat report from Carbon Black isn't usually such an exciting read, aggregating as it does data from across a number of partners in order to provide actionable intelligence for business leaders. The latest report, published today, is a politically charged exception. Not only does it reveal that nation-state politically motivated cyberattacks are on the up, with China and Russia responsible for 41.4% of all the reported attacks, but that voter databases from Alabama to Washington (and 18 others) are for sale on the dark web. These databases cover 21 states in all, with records for 81,534,624 voters that include voter IDs, names and addresses, phone numbers and citizenship status. Tom Kellerman, Carbon Black's chief cybersecurity officer, describes the nation-state attackers as not "just committing simple burglary or even home invasion, they're arsonists." Nobody relishes their house burning down, even figuratively speaking. Which is why, according to another newly published report, this time from Unisys, suggests one in five voters may stay at home during the midterms as they fear their votes won't count if systems suffer a cyberattack.
Amongst the key findings of the Carbon Black report, however, is the fact that China and Russia were responsible for 41.4% of the investigated attacks analyzed by researchers. The two also lead the pack when it comes to which countries incident response teams are seeing cyberattacks originating from. China was top of the table on 68% with Russia second on 59%. While the continent of North America (the report does not contain statistics that break this down to attacks from the United States alone) was third on 49%$, Iran, North Korea and Brazil were next in line. Earlier this year, Venafi surveyed security professionals with regards to election infrastructure risk. That research revealed that 81% of them thought threat actors will target election data as it is transmitted by voting machines. Worryingly, only 2% were 'very confident' in the capability of local, state and federal government to detect such attacks and only 3% thought the same about their abilities to block those attacks.
It's just as well, then, that it has been reported the United States Cyber Command has now started what is believed to be the first cyber-operation to protect against election interference from Russia. "The attack surface in the US is incredibly broad and fragmented making security highly challenging" says Simon Staffell, head of public affairs at Nominet, who continues "but the response that has taken place in the US is also of an entirely different magnitude to anything seen before." Yet this response does not appear to target Chinese threat actors. Some may find this omission a surprise, considering that Vice President Pence stated earlier this month that "what the Russians are doing pales in comparison to what China is doing across this country" and suggested that China wants to turn Trump voters against the administration.
Fraser Kyne, EMEA CTO at Bromium, would not be amongst the surprised though. He tells me that Bromium researchers have been working with Dr Mike McGuire to look into the impact of fake news on the US midterms. Early indications appear to suggest accusations against China are most likely unfounded. "Whilst China is funding local campaigns like the advertising taken out in US newspapers to promote US-Chinese trade" Kyne says "there is little evidence at the moment to suggest China is attempting to subvert democracy and influence the midterm elections."
Meanwhile, some 68% of respondents to the Carbon Black report, representing a cross-section of some of the leading cybersecurity professionals across the globe, believe that cyberattacks will influence the midterms. This isn't any kind of surprise when you take in the amount of election hacking and meddling resources that those same researchers found to be on sale through the dark web. These range from the aforementioned voter databases, through to social media election influence kits to target thousands of Instagram, Facebook, Twitter and YouTube accounts as well as the services of freelance hackers for hire who are offering to target government entities "for the purposes of database manipulation, economic/corporate espionage, DDoS attacks and botnet rentals."
So, what kind of cyberattacks can we expect to see from state-sponsored actors as far as the midterms are concerned? Tony Richards, group CISO at Falanx Group, expects there will be some minor and likely not state sanctioned hacking attempts on electronic voting machines. "The fallout if a nation state was identified as the perpetrator would be considerable" Richards told me "so this would have to be a deniable operation." It would also have to be done by someone with physical access to the voting machines in order to exploit many of the vulnerabilities that have been identified by researchers. "Voting machines are not usually connected to the Internet" explains Rafael Amado, senior strategy and research analyst at Digital Shadows, which means "the ability for attackers to tamper with voting ballots and results is greatly hindered."
Some go as far as suggesting that to take the hacking concern out of the equation, elections should look back rather than forwards. The 'right' solution, according to Ryan Kalember, senior vice-president, Cybersecurity Strategy at Proofpoint, is paper. "An election system can be extremely resilient to fraud if there are paper records for registration and the votes themselves" Kalember insists, agreeing that this "may seem anti-modern, but is where we find ourselves in 2018." Other cybersecurity experts suggest that the focus, when it comes to mitigating risk of interference in the midterm elections, simply needs to extend beyond voter registration and voting machine security altogether. "It's important to take a look at the entire digital voting system" says Cindy Provin, CEO at Thales eSecurity, "how citizens register, how they find their polling places, how they check in, how they cast their ballots and how they find out who won." This is an argument that is also made by Joseph Carson, chief security scientist & advisory CISO with Thycotic, who told me that the biggest challenge is that cybersecurity is only taken seriously in the voting infrastructure "when it is lacking in candidate campaigns, leaving the US open to serious cyber influence from foreign nation states."
Maybe the notion of cyberattacks during the election process itself is something of a red-herring altogether? Especially given that there is such a global media appetite for Russian meddling stories, which will surely lead to this being such a high risk maneuver that it's unlikely to be executed in any meaningful way. "The main effort will likely be in attempting to generate genuine conversations with organizations and individuals that have influence over a significant audience" says James Monckton, strategic communications director at Verbalisation, who thinks that the 'influencing the influencers' approach would be a highly effective method with a low level of attribution risk. The idea of shaping the debate by amplifying a particular viewpoint isn't new news, but it is the most obvious meddling methodology we will see. Or rather, not see. "In the long term, it spreads mistrust as it becomes harder to distinguish the true from the fake" concludes Emily Orton, co-founder and director at Darktrace, "and has profound effects on democratic societies..."
One thing is for sure, according to Michael O'Malley, vice president of marketing with Radware, and that's the threat of election interference will continue unabated until the US moves from the current fragmented state-by-state model to a nationwide election system. "We need a one person one vote approach and the US must make the necessary security upgrades to prevent voter fraud, foreign influence campaigns and hacking of our election infrastructure" O'Malley insists, warning that "Federal legislation needs to be introduced to make this happen..."
