Category Archives: Opinion

In Honor of Election Day

First of all, if you haven’t already voted, please vote!

Time did a nice piece on election security (see link at the end).  In a somewhat self-serving statement, Homeland Security Secretary Kirstjen Nielsen said that she FELT confident that this year’s election would be the most secure election we have ever had.  Ignoring for a moment that the paper ballots that we used for the first 150 plus years of our country are probably way more secure than what we are doing now and while I appreciate her feelings, they really don’t give me a lot of confidence.

That being said, we probably have improved the security of the election process since the last presidential election.  If she had said that we have the most secure election we have ever had since 2016, I would probably agree with her, but that would not offer a good sound bite.

Secretary Nielsen said that no matter that the U.S. Intelligence community and law enforcement officials sounded the alarm last month about ONGOING efforts by Russia, China and Iran to influence our elections, that is different.  Her view of election security is limited to hacking of voting machines, not changing the outcome of the election.

While my rant above is possibly a bit harsh, it does point out something that is important.

We need to be concerned about changing the outcome of the election, whether that is by hacking voting machines, spreading disinformation or voting early, voting often, as it was said about Chicago under Mayor Daley.   What matters is that this is our election and not Russia’s.  Or China’s.

It is good that we haven’t seen any sustained effort by foreign powers to hack voting machines.  That, to me, is the absolute hardest way to change the election.  Maybe hacking the central tabulating system at the County or State level might make sense, but hacking individual machines – that is a lot of work.

Time says that 44 states and the District of Columbia did participate in a three day exercise this past summer to put election systems to the test.  Part of the exercise was to test the Fed’s ability to share hacking data with local election officials.  All that seems like a good thing.

Since the Feds, under President Obama, declared election systems critical infrastructure, over the objections of many local officials (fearing that the feds were saying that they were not doing a good job), the Feds created an Information Sharing and Analysis Center or ISAC for Election Infrastructure as a formal way to share information all around.  Another good idea.

1,300 of the 8,880 local election jurisdictions are participating in this system.  Why the rest are not is scary.  Maybe these should publish their membership list so the voters can vote on that!

The Feds have developed a threat detection system that they use called Einstein.  All Federal Internet connections use it and while it is not perfect, it is way better than was was being done before.  Einstein has a cousin called Albert (cute huh?) that the Feds have given (or sold, it is not clear) to 43 states to help them detect threats.  These two are similar in function but completely different implementations.  Still both achieve the same goals – look at Internet traffic and try to ferret out the bad guys.  See this article in Fedscoop for info on Albert.

The Feds also offered to conduct a penetration test of election infrastructure for the states.  Only 21 states asked for help.  While some states do their own pen tests, if you can get another one for free, exactly why wouldn’t you accept?  Unless you were worried.

DHS is also doing remote weekly scanning for 36 state and 94 local governments and providing them with vulnerability reports.

The fact that everyone has not asked for help is just an indication that, for politicians, ego often wins.

Oregon solved the problem (as does Colorado).  Oregon uses paper ballots.  Hack that from Russia! Of course there are counting machines, but hopefully they are not on the Internet.

I do believe, in spite of the above, that we have IMPROVED the security of election systems somewhat since 2016, but there is a long way still to go.  The ExpressPoll-5000 voting machine still uses a root password of “password” and a master administrator password of “pasta” .  That’s got to be pretty secure, no?

And of course, we really have not done much about the disinformation campaigns, which are way easier than hacking a voting machine and, apparently, pretty effective.

The Cybersecurity 202 newsletter talks about disinformation campaigns like Twitter “news” that says that Immigration officials will be at polling stations to check citizenship status which might deter legal immigrants that don’t want to be hassled or hacks to local election or news sites.  We have also seen disinformation email campaigns telling people to go to the wrong place to vote.  DHS says check your information source, but sometimes that is easier said than done.

What do you think?

Information for this post came from Time.

 

 

 

Facebooktwitterredditlinkedinmailby feather

U.S. Election System Under Attack

O P I N I O N

Christopher Krebs, The Undersecretary for the National Protection and Programs Directorate (NPPD) of DHS said individuals voting rights were safe despite persistent attacks on the voting infrastructure.

He said, that by law, if you show up to vote and there is a problem with your registration,  you have the right to request a provisional ballot.  It can take time and be disruptive, but if you are persistent, you can get a ballot.

Krebs says that they haven’t seen as persistent an effort by the Russians to compromise this year’s election as they saw in 2016 – that statement by itself seems at odds with what his boss, the President has said.

DHS is planning to launch an initiative to manage the risk.

I agree that if you are willing to create a scene, you can get a provisional ballot, but is that really where the risk is?

Certainly, it is possible that an attacker could try to delete voters from the voting rolls, but that seems like a hard way to effect the outcome of the election.  After all, how do you know how that voter will really vote.

Much more likely and not mentioned by Krebs since DHS isn’t doing much about it, is the likely attacks on campaigns web sites and email of candidates and their teams.  When the President says that there is no evidence that Russian interference in 2016 didn’t change any votes, I have no idea how he can prove that.  If what he means is that the Russians didn’t cast any fraudulent ballots one waay of the other on behalf of a voter, I believe that.

If, however, he means that the relentless social media attacks for and against different candidates, illegally funded by Russian controlled front companies recently indicted by the federal government didn’t change people’s choices as to who to vote for, that is completely unprovable and likely just wrong.

For the last year and a half DHS has not processed the security clearance requests of state and local voting officials so that they can receive classified intelligence.  A few officials have gotten their clearances, but many more have not.

All in all the administration is picking and choosing their talking points to make things look better.  Overall, they have done very little to improve the situation as compared to 2016.

When Krebs said that they have not seen Russian interference at the levels of 2016 this year, he should have added the word YET.  This is still early and likely the Russians will increase their efforts in that direction.

I have no clue which side they plan to attack; but which ever side it is, it will be to further their own interests, not ours.

Stay tuned, this is far from over and we don’t have an effective strategy to counter it.

Information for this post came from FCW.

Facebooktwitterredditlinkedinmailby feather

To Cyber War or Not to Cyber War – That IS the Question

O P I N I O N

To butcher a very famous quote, are we at war or not?

It is clear that the Chinese and Russians are at war.  We have some pretty clear information about what they have been doing and what they have stolen.

What is much less clear is whether WE are at cyber war.

For the most part, the government has played down the hacking by foreign powers.  While they have not said why, it is likely partly due to being embarrassed about the loss of billions of taxpayer dollars of research on defense programs like the F-35 and, more recently, Sea Dragon.  It is partly because they do not want to scare people and partly due to the fact that U.S. businesses depend on people using the Internet and if they are scared about that, they will spend less.

During World War II, the government was pretty clear about what was going on (minus a lot of classified details, but those details are not really needed to get the point across) and what every loyal citizen needed to do to help the war effort.

But here is the rub.

According to a recent Verizon security report, only 14% of respondent organizations had implemented even the most basic cybersecurity practices, while 32% said that their organizations sacrifice mobile security for business expediency.

One result of this is that Internet of Things cyber attacks have spiked 600% in one year (see here).

It appears that, in the absence of being forced to improve security, most companies (i.e. 100%-14%=86%) have made the business decision to worry about cybersecurity after the horse is out of the barn.

Laws like the new California privacy law, which allows individuals to sue businesses after a breach, even if they cannot show economic damage, could, possibly, change that.  Assuming California doesn’t change the law (not surprisingly, businesses are not happy about that part of the law).

If we take a modest breach of say, 500,000 records – small by today’s standard – and multiply that by the midpoint of what the law allows consumers to sue for – say $425 – that creates a potential liability in that breach of a little over $200 million.  Add to that, of course, the cost of dealing with the aftermath of the breach.

At the point at which a company is in the boat of having to write a check for a quarter billion dollars – well, enhancing security may seem like the better choice.

Up until now I don’t really blame U.S. businesses for ignoring cyber security.  First of all, the odds of getting caught are low.  Then, you may be able to get away with not saying anything about it.  Some countries in the EU have reported that the number of breaches reported to them in the month of June – the first month after GDPR went into effect – was equal to the total number of breaches reported in all of 2018 prior to the law going into effect.

Why were so many breaches reported in Europe in June?

Not because Europe was under some new form of attack.

Rather, it because willfully not reporting a breach could result in a fine of the larger of 20 million Euros or 4 percent of your global annual revenue.  That is a pretty strong inducement.

SO what do you think?  Should U.S. companies HAVE to meet security standards?  Financial institutions, doctors and hospitals and recently, sort of, defense contractors, have to.  What about the rest of U.S. businesses?

If we are in a cyberwar, what is our responsibility as U.S. citizens to do about protecting ourselves and our country?

Right now people don’t worry about their credit cards being stolen.  Why is that?  Because they have either very little liability or no liability if the card is misused, because of the law.  I am not suggesting changing that law, but the law does impact behavior.

I say that we are seriously losing the cyberwar to the Chinese and Russians and others – and not doing very much about it.

Why?  because it is inconvenient and, truthfully, many people say that it is not their problem.

What do you think?

Please post your thoughts here.

 

 

Facebooktwitterredditlinkedinmailby feather