Category Archives: Opinion

U.S. Election System Under Attack

O P I N I O N

Christopher Krebs, The Undersecretary for the National Protection and Programs Directorate (NPPD) of DHS said individuals voting rights were safe despite persistent attacks on the voting infrastructure.

He said, that by law, if you show up to vote and there is a problem with your registration,  you have the right to request a provisional ballot.  It can take time and be disruptive, but if you are persistent, you can get a ballot.

Krebs says that they haven’t seen as persistent an effort by the Russians to compromise this year’s election as they saw in 2016 – that statement by itself seems at odds with what his boss, the President has said.

DHS is planning to launch an initiative to manage the risk.

I agree that if you are willing to create a scene, you can get a provisional ballot, but is that really where the risk is?

Certainly, it is possible that an attacker could try to delete voters from the voting rolls, but that seems like a hard way to effect the outcome of the election.  After all, how do you know how that voter will really vote.

Much more likely and not mentioned by Krebs since DHS isn’t doing much about it, is the likely attacks on campaigns web sites and email of candidates and their teams.  When the President says that there is no evidence that Russian interference in 2016 didn’t change any votes, I have no idea how he can prove that.  If what he means is that the Russians didn’t cast any fraudulent ballots one waay of the other on behalf of a voter, I believe that.

If, however, he means that the relentless social media attacks for and against different candidates, illegally funded by Russian controlled front companies recently indicted by the federal government didn’t change people’s choices as to who to vote for, that is completely unprovable and likely just wrong.

For the last year and a half DHS has not processed the security clearance requests of state and local voting officials so that they can receive classified intelligence.  A few officials have gotten their clearances, but many more have not.

All in all the administration is picking and choosing their talking points to make things look better.  Overall, they have done very little to improve the situation as compared to 2016.

When Krebs said that they have not seen Russian interference at the levels of 2016 this year, he should have added the word YET.  This is still early and likely the Russians will increase their efforts in that direction.

I have no clue which side they plan to attack; but which ever side it is, it will be to further their own interests, not ours.

Stay tuned, this is far from over and we don’t have an effective strategy to counter it.

Information for this post came from FCW.

Facebooktwitterredditlinkedinmailby feather

To Cyber War or Not to Cyber War – That IS the Question

O P I N I O N

To butcher a very famous quote, are we at war or not?

It is clear that the Chinese and Russians are at war.  We have some pretty clear information about what they have been doing and what they have stolen.

What is much less clear is whether WE are at cyber war.

For the most part, the government has played down the hacking by foreign powers.  While they have not said why, it is likely partly due to being embarrassed about the loss of billions of taxpayer dollars of research on defense programs like the F-35 and, more recently, Sea Dragon.  It is partly because they do not want to scare people and partly due to the fact that U.S. businesses depend on people using the Internet and if they are scared about that, they will spend less.

During World War II, the government was pretty clear about what was going on (minus a lot of classified details, but those details are not really needed to get the point across) and what every loyal citizen needed to do to help the war effort.

But here is the rub.

According to a recent Verizon security report, only 14% of respondent organizations had implemented even the most basic cybersecurity practices, while 32% said that their organizations sacrifice mobile security for business expediency.

One result of this is that Internet of Things cyber attacks have spiked 600% in one year (see here).

It appears that, in the absence of being forced to improve security, most companies (i.e. 100%-14%=86%) have made the business decision to worry about cybersecurity after the horse is out of the barn.

Laws like the new California privacy law, which allows individuals to sue businesses after a breach, even if they cannot show economic damage, could, possibly, change that.  Assuming California doesn’t change the law (not surprisingly, businesses are not happy about that part of the law).

If we take a modest breach of say, 500,000 records – small by today’s standard – and multiply that by the midpoint of what the law allows consumers to sue for – say $425 – that creates a potential liability in that breach of a little over $200 million.  Add to that, of course, the cost of dealing with the aftermath of the breach.

At the point at which a company is in the boat of having to write a check for a quarter billion dollars – well, enhancing security may seem like the better choice.

Up until now I don’t really blame U.S. businesses for ignoring cyber security.  First of all, the odds of getting caught are low.  Then, you may be able to get away with not saying anything about it.  Some countries in the EU have reported that the number of breaches reported to them in the month of June – the first month after GDPR went into effect – was equal to the total number of breaches reported in all of 2018 prior to the law going into effect.

Why were so many breaches reported in Europe in June?

Not because Europe was under some new form of attack.

Rather, it because willfully not reporting a breach could result in a fine of the larger of 20 million Euros or 4 percent of your global annual revenue.  That is a pretty strong inducement.

SO what do you think?  Should U.S. companies HAVE to meet security standards?  Financial institutions, doctors and hospitals and recently, sort of, defense contractors, have to.  What about the rest of U.S. businesses?

If we are in a cyberwar, what is our responsibility as U.S. citizens to do about protecting ourselves and our country?

Right now people don’t worry about their credit cards being stolen.  Why is that?  Because they have either very little liability or no liability if the card is misused, because of the law.  I am not suggesting changing that law, but the law does impact behavior.

I say that we are seriously losing the cyberwar to the Chinese and Russians and others – and not doing very much about it.

Why?  because it is inconvenient and, truthfully, many people say that it is not their problem.

What do you think?

Please post your thoughts here.

 

 

Facebooktwitterredditlinkedinmailby feather