LAS VEGAS — With the U.S. still dealing with the fallout of the 2016 presidential election, and with the 2020 vote just 15 months away, the state of election security was top of mind at the Black Hat and Def Con security conferences last week.
Leading experts and hackers, members of congress and vendors all had something to say about what can be done to secure the election process from interference, fraud or misinformation, but the bottom line is that no one is really sure what will happen, despite better levels of preparedness from all parties.
At a Def Con panel, “Hacking Congress,” former California Congresswoman Jane Harman said a fundamental problem with Congress’s ability to deal with security is that elective bodies are “analog in a digital world,” she said, and that more help is needed from the hacker community. “The U.S. Congress needs you,” she told attendees. “If we don't work now and close the gap between the traditional silos of our two communities, then we will miss opportunities to consider what solutions exist.”
The panelists went further than to ask for help on security matters and encouraged more personal involvement in engaging their own representatives. A show of hands revealed that few in attendance had called their representatives to move on election security. “Abraham Lincoln had it right when he said that public sentiment is everything. With it, nothing can fail. Without it, nothing can succeed,” said panelist Rep. Ted Lieu (D-CA), who has been trying to get two bills, HR 1 and the SAFE Act, both passed by the House, to get through the Senate.
Overall, the hacker community seems more optimistic than the elected officials. “I've been optimistic last 20 years,” said Cris Thomas, Director of IBM’s X-Force Red Team, and a former member of the L0pht hacking group under the alias “Space Rogue.” He said: “Hackers want things done, but Congress and government and corporations don’t work at the speed of the hack. And so it takes 20 years to go from hackers in Congress to Congress [coming to] DEF CON. And I'm still very optimistic. And I am going to go forward and hopefully continue to encourage people to get involved engaged.”
Weak Infrastructure
Despite the good feelings inspired by the Def Con panel, others are not so optimistic about election infrastructure. “We’ve done absolutely nothing,” said security expert Bruce Schneier, at a press conference at Black Hat. He said that infrastructure security is about more than just the voting machines themselves, and also includes voter registration databases and the tabulation and distribution process. “All three areas are vulnerable,” he said, pressing for less digital in the process. “We know paper ballots work and leave a verifiable audit trail.”
At Def Con, hackers attacked all kinds of machines at the Voting Machine Hacking Village. Several machines were found to be running old or outdated software, and in one case administrator controls were easy to find.
Despite the worrisome state of voting machines, some security experts feel that machine hacks don’t scale very well, because usually, hackers have to get access to the machine to change it. But, said Eric Cornelius, CTO of BlackBerry Cylance, the “cacophony” of voting systems also is hard to defend when skills are short and budgets are tight. He said his company, which formed as a merger between phone maker Blackberry and security firm Cylance, is coming out with free tools for the election season.
Deep Threats
As became clear in the 2016 election, social media is a powerful tool of hackers to amplify or distort the news. A looming threat is the so-called deepfakes video technique, in which AI can spoof video footage so it looks as though a politician said something he or she did not intend.
To help, vendor ZeroFox announced the release of an open-source deepfake toolkit, called Deepstar, which enables users to create testing tools that can be run against deep fake videos. ZeroFox also plans to release more election security tools this week, officials said.
While most of the deepfakes that have been released have been done as proof of concepts in a lab, or as pranks, security experts are still waiting for the inevitable “Big One” to hit—a fake video of the right person on the right subject at the right time that could sway an election, or worse, said ZeroFox CTO Mike Price. “All of the tooling is there for somebody to take the next step and do something crazy,” he said. “The circumstances mean this will happen. It’s a matter of time before people start abusing it.”
Enterprise Strategies Work
With a lot of the discussion around election security focusing on voting machines or things like Deep Fakes, experts say that real influence is more subtle, made possible by social media and filter bubbles.
Matt Olney, Manager of Threat Intelligence and Interdiction at Talos, which is a unit at Cisco, said adversaries may not necessarily be interested in changing votes or outcomes. Rather, they have a bigger target, which is undermining the concept of western democracy. “Attackers always have the easier part of the job. They just have to find a weakness. Unfortunately, our adversaries have found a weakness in us. We are the thing that is being hacked, and we can’t be patched. The culture and society of the west is what needs to be addressed, and there doesn’t seem to be a rapid rush to do that.”
Failing that, security basics—backing up files, patching systems and educating users on phishing—will go a long way to protecting the process, said Sean Frazier, Federal Advisory CISO at Duo Security. “We are living in world of weaponized internet, but if you can do the basics well and don’t make it easy on the bad guys that’s a great place to start.”
