Next week we will publish our third annual “Defending Against Critical Threats” report; a roundup of some the most impactful cyber attacks from the past 12 months.
Included in the publication are articles about how cyber criminals sought to take advantage of the COVID-19 pandemic. We also cover Big Game Hunting attacks, whereby cyber criminals seek to monopolize a ransomware deployment in a ‘post compromise’ phase.
Of course, last year saw one of the most momentous general elections in United States history, and Cisco Talos have spent the last four and a half years conducting hands on research into election security. In the publication coming next week, we have an interview with the leader of that research, Matt Olney, to capture his thoughts post-election.
We didn’t have room for the interview in its entirety however, so whilst we’re dotting the i’s and crossing the t’s on the final report, we thought we would bring you some extracts from my conversation with Matt, as a bit of an aperitif of what’s to come next week:
Four and a half years ago you and the team decided to put a large amount of resource into researching and investigating election security. What triggered this decision?
The inciting event was the 2016 breach of the Democratic National Committee servers. The news first emerged in the Washington Post, and was quickly confirmed by the New York Times.
We started gathering information, and it soon became clear that this was a case of a foreign adversary orchestrating an attack on our elections. The decision part was easy: I wanted our team to be able to help fight against this.
At that point, did you know how much research you were going to undertake? How did you start your investigation?
I had a sense, yes. But at that point in 2016, I also didn’t know what I didn’t know.
To start things off, I called David Liebenberg, who is still on my team and now heads my strategic analysis team. I asked him, “Could you call all 50 secretaries of states and ask them how they handle security?”
The secretary’s offices weren’t super enthusiastic about someone who cold called them out of the blue, wanting them to answer questions about the security of their system. But that’s what we did, and thanks to David’s efforts we got several breakthroughs.
For example, the Georgia Secretary of State’s office redirected us to an expert at Kennesaw State University, where they had a research organization into elections.
They were the first people to talk to us about the uniqueness of the economy that surrounds election security, and the relationship between vendors and the Secretary of State’s office and how conscious of mitigations they are.
What was the political context at the time, and what was the overall process for election security in 2016?
After the 2016 DNS breach, the Department of Homeland Security became the critical infrastructure touch point from the federal government for election security. But that wasn’t without pushback.
This was at point when Barack Obama was still President. There were very strong counters, primarily from Republican states, against federal intrusion into state elections.
That was a very difficult time, because the United States is made up of counties, and the states themselves run the elections. The federal government had no real role in the administration of them. So there was a lot of challenges there.
At the time I remember thinking that this was crazy, and that there really should be more federal involvement in election security. But I came to acknowledge that it was going to be a very challenging ask in 2016 to have the federal government provide any real value (in terms of assistance into election security) before the elections that happened in November of that year.
Amongst those challenges, what was your next step?
The Mississippi Secretary of State’s office invited us to come on site for a week to dig into how their systems are built, and learn what mitigations they have in place. We were also able to share our insights into adversary behavior, and how attackers might target election infrastructure.
We learned an incredible amount about how election administrators think about elections because of that experience.
We also had had a really useful ally at the Cyber Threat Alliance, Neil Jenkins, who is the Head of Data Analysis and Intelligence. In 2016, he was the point person at the Department of Homeland Security for election security issues.
We sat down with him and had a conversation, and he was the first person to point out that the people behind running elections are absolutely outstanding. They think in terms of contingencies, because they know that they have one chance to run an election on one day. They therefore anticipate thousands of different scenarios, from everything down to the whole county being flooded.
I think that’s one of the things that’s hard for a lot of people to understand. When you run an election in a country with 328 million people in it, there’s inevitably going to be problems that come up. But those problems aren’t an indication of malicious behavior necessarily. And so how you handle the situation is what determines your success. That’s why election officials are so outstanding – because they have so many standards and procedures in place.
This became very apparent in our conversations in Mississippi. We were constantly asking, “What if this happens?” or “How do you control for this?” And every single time they had an answer, no matter what we threw at them. There was never a point where they said, “Oh, we never thought of that.”
I think about this a lot when I see all the election security conspiracy theories. When someone can think of something that would cause that system problems, they immediately assume that they’ve found some nefarious backdoor. But the system is built to handle things like this.
There’s a great example from Ohio. Ohio was the second state we visited and I remember sitting down with the election officials team, discussing how they handled disinformation campaigns.
They told us a story about how they were monitoring Twitter. They had a system with a whole bunch of keywords set up, and any time a keyword showed up they would get an alert. And they found a gentleman in Ohio who was going from precinct to precinct, voting at each of them. He then went onto Twitter and YouTube and videoed himself saying, “Look, I can vote multiple times and they’re letting me do it. This election is a sham.”
The team in Ohio reached out to this gentleman and said, “A couple things: One, the first time you cast your vote it was counted, but every subsequent time you cast your vote, you actually cast what’s called a provisional ballot, because you were at the wrong precinct. So before that ballot is counted, you’re going to be checked to see if you voted previously. Also, you’re kind of committing a felony here.”
From the outside, the story is that this guy voted 10 times, but that’s not how the system works. It’s built, as per federal law, from the Help America Vote Act, where provisional ballots help to assure Americans that, even if there’s a small hiccup in the process, that there’s a chance for their vote to be counted. And that vote will be validated and then counted.
It’s all part of the controls that the system has in place to protect the franchise of American voters. Yes, it’s a complicated system, and it’s different in every state, but there are controls at every point along the way.
What would you say is the greatest challenge that you came up against during the course of your research over the four and a half years?
There isn’t a huge amount of transparency about election security, for obvious reasons. But it’s also partly because, in the past, certain security researchers have taken a very antagonistic approach to talking about these issues.
There was one example which I can recall from a presentation at DEF CON. It was by a security researcher who shall remain nameless. The National Association of the Secretary of States came back after the presentation and said it didn’t fully represent the defensive state of elections.
The response of the researcher was to turn around and say, “Well, you’re just a bunch of ******* luddites.”
A few years later I sat in a meeting with the National Association of the Security of States, and the Director just so happened to be sitting next to me.
I said to her, “I’m here to learn about what makes your systems unique, and to share my expertise in this space. I’m here to be a partner, I’m not here to tell you what to do or to cause problems. I would never, for example, call you a luddite.”
She turned to me with a grin and said, “A ******* luddite.”
The insult, quite understandably, had stayed with her all this time.
Because of that type of behavior from others in our field, for every interaction we had with the Secretary of State’s offices, we had to get over that hurdle of, “We’re not here to be that person. That’s not the kind of experience we want you to have.”
I’m not overstretching this by saying that election security officials had a PTSD mentality with threat researchers. Those researchers weren’t looking for a partnership, they were looking for notoriety.
We were very clear that we wanted to be a partner in this process, because we understood that they are the people who specialise in elections. We specialise in nation state actors. Between the two of us, we could come out of the other side of this with a better outcome.
Don’t miss the full interview with Matt in next week’s publication of ‘Defending Against Critical Threats: A 12 month roundup’.
In the meantime, you can subscribe to the Security Stories podcast to hear more about the topics in the report in the next episode out on Tuesday.
Be sure to check out Talos’ election coverage