After high-profile interference by Russia in the 2016 presidential election, and amid the ongoing coverage of the relationship between President Donald Trump and Russian President Vladimir Putin, the security of the 2018 midterm elections is top-of-mind for many U.S. citizens. As Americans plan to go to the polls in November in what most see as a high-stakes event for the future of both parties, Theresa Payton, former White House Chief Information Officer under President George W. Bush and CEO of the security consulting company Fortalice Solutions, warns that the Russians have not backed down in their efforts to influence the outcome.
Threatpost sat down with Payton to discuss ongoing concerns around the security of the upcoming election cycle, where the weak links are, the Russian playbook and possible approaches to combatting the threat.
Threatpost:Special counsel Robert Mueller recently indicted 12 Russian nationals, and accused them of hacking into the Democratic National Committee to sabotage the 2016 presidential election. It seems as though we’re onto what the Russians are doing. Are we in the position to effectively block their influence in the midterms?
Payton: It’s a known fact that Russia had a platinum-level playbook for the last election cycle that they executed on perfectly. Russian hackers attacked every major system in our democratic process, from stealing private DNC emails to possibly altering state databases of voter registration data.
It’s critical to understand that these hackers are entering the 2018 midterms with an even better understanding of the flaws in our cybersecurity than they had before.
Time is not our friend right now—time is on the side of Russia and others that want to meddle.
Also, it’s worth noting that Russia would be foolish to use the same tactics. We know what they did and how they did it. They’re working on revising their tactics to catch us off-guard. These attackers are highly creative, motivated and well-funded.
It’s up to us to close the loopholes that we know about, and be just as creative in our defense – we have to plan out the chess moves. What do we think they’ll do next? Every single aspect of our election process is under attack.
Addressing this cannot be a partisan issue, and the president has a prime opportunity to send a message through the State Department to say, we know what you’re doing, and this cannot stand.
TP: Speaking of that, Trump has been less than vigorous in his denouncement of the 2016 meddling, leaving a question mark in the air as to whether Russia was really behind it. Is this problematic going forward?
Well let’s start with the president’s comments after the summit with Putin, where he confirmed that he stands with the intelligence community – that was a sort of a retraction from the press conference and a bit of waffling. Going forward, the president has a unique opportunity to push the conversation forward with Russia, and I think it’s a positive that he’s talking about hosting Putin at the White House. Between now and then, there needs to be a concerted effort to secure our election processes, involving the Hill, the White House and also the private sector, which has a huge role to play.
In May, Silicon Valley reps [from Amazon, Apple, Facebook, Google, Microsoft, Oath, Snap and Twitter] met with United States intelligence officials to discuss preparations for this year’s midterm elections. They got a briefing and shared information, which is fantastic – that’s a much-needed first step. But there’s more work need to be done.
TP: What are some of the other ways we can be better prepared?
Payton: While we’re sure to see new tactics from Russia, the biggest area of meddling is not likely to be direct hacking of voting booths and registered voter rolls but the use of social media, with fake personas, to shape the debate and create misperceptions and false news stories designed to advantage of or hurt certain candidates.
The media has done a good job about making this issue front-and-center since it was such an important factor in 2016. We have to have an honest conversation about these things. I believe the playbook used in the 2016 election was mainly used to disenfranchise people and encourage people to not get out and vote. Efforts were made to change people’s minds, make them stay home and in some cases the efforts even incited people to physical violence.
We just have to hope for the midterms that Americans don’t feel that they can’t trust the election process; in that case, they stay home or get apathetic.
Also, we’ll find out pretty soon where the Republican and Democratic National Conventions will be held next time, which will give cybercriminals the ability to know what cities to target so they can start moving in. To foreign hackers, large events for both political parties, such as conventions and gatherings, have a bullseye on their back.
TP: How is working with our allies going to be important?
Payton: A lot of other countries are watching what we’re doing on this front, and waiting. In the last Freedom on the Net report in 2017, it sounded the alarm that 18 countries in 2016 had elections meddled with in some fashion. That wasn’t just Russian actors, and it wasn’t even external in many cases: Often the attacks came from within the country and even from their own governments in some cases. But the fact remains that elections worldwide are under attack, and we need to address it holistically.
To that end, we really need some type of an international cyber-coordinator that manages the proactive sharing of intelligence between the allies, so we can come to a consensus on what’s working and what’s not working when it comes to making sure that our elections are secure. Another thing that we can do is stand up a threat-hunting team, and, we need an official incident response team: Right now, we’re counting on volunteers and a stretched-thin staff to figure out a response.
TP: Where does diplomacy come into play here?
Payton: There are a lot of people, processes and diplomacy issues that come into play – it’s not just a simple question of “patch the machines.”
Political espionage has been happening forever – just read ancient history. They do it, and we do it – it’s a way to understand enemies and frenemies, and to make sure your friends are really your friends. Generally, we have gentlemen and ladies’ agreements in the form of international treaties around what level of spying is acceptable without triggering a diplomatic incident.
But what we saw in 2016 was espionage on a level that supersedes any ground game that preceded it. The effort was so vast. And the reality is that we haven’t negotiated ladies’ and gentlemen’s agreements for the digital age.
These need to be determined, not just around elections and attacks on individual citizens, but also when it comes to economic espionage.
TP: Switching gears for a minute, what needs to be done at the state level?
Payton: A lot of work has been done since the last election cycle regarding state-level security, but there’s much more to do. The government has warned that voter registration databases need to be more secure, for instance, with better backups. There would be nothing worse than if we show up to the polls and we’re told we’re not registered to vote in the database. It would be shocking and horrifying, and too late at that point to register again to vote. And this is well within the realm of possibility. So, we need to see a renewed focus on that.
Even if Trump takes a strong public stance on election meddling, we still need to treat state elections as critical infrastructure and defend them as such.
TP: Election Systems and Software, America’s leading voting machine vendor, recently admitted that it had lied to New York Times reporter Kim Zetter about having remote-access enabled on the machines. In a letter to Sen. Ron Wyden (D-Ore.), it said that it “provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006.”
Payton: They got caught when the ethical hackers did their research. It’s like when you see the cookie crumbs all around your toddler and he keeps saying he didn’t eat the cookies – you have to follow the evidence because it seems like he actually did eat the cookies.
State level ethical hackers last summer were given access to all kinds of voting machines, and they were able to show that with the right know-how and proximity, they could alter the vote.
We have had a false sense of security. And that’s because conventional wisdom says that if they’re not connected to the internet directly, then we’re okay. But that’s not true. In many cases, these voting machines have remote access software installed in order to do maintenance and support. If that’s not stood up with two-factor authentication and all of the other digital hygiene attributes that we need, then these are vulnerable.
State agencies have said that there’s been no evidence of a successful attack, but questions need to be asked of the state boards of elections and manufacturers about how we would know if they’ve been compromised. Is there a trust-but-verify audit log where it’s possible to do statistically significant sampling to see if the votes that were cast have been counted accurately?
Ethical hackers also found outdated software and parts with no security patches, so the question now is, do you stay with these machines, or, decide that you don’t have enough time, funding and resources to replace them? If the latter, you have to make sure all remote access is turned off.
TP: What advice do you have for people working on individual campaigns?
Payton: As we go into the midterms, it should be understood that Russia will go after the inner workings of campaigns. Anyone working on campaign teams should know that they’re being socially engineered and that they’re actively under attack, and they should especially be hyper-aware of links and attachments.
That awareness is not there, unfortunately, and I don’t blame people working inside the campaigns, they’re so busy. But there are simple approaches that could be put in place to help, such as setting up an email rule that if a message is from the outside, a banner alert pops up to flag that. You could also enforce a policy that attachments are always opened in the cloud, so if there are viruses etc., they’re quarantined.
TP: Going forward, should we also be concerned about other adversaries beyond Russia?
Payton: The Russian election meddling playbook absolutely may be adopted and used by other enemies, like China and North Korea. We know that China, North Korea and to some extent Iran all have advanced cyber-capabilities, and when China and North Korea don’t like the direction of something, they flex their cyber-muscle.
Just look at North Korea. They decided, we don’t like this movie – and they took out Sony Pictures.
As conversations go on regarding tariffs with China and China not being able to invest in U.S. companies at a certain level, diplomacy is going to be important, and negotiations will be really delicate. They may say, “okay we understand” when it comes to trade, and then turn around and launch an anonymous cyberattack behind our backs in retaliation.
I think it’s also possible to see problems coming out of Iran and even internally. Don’t forget we also have incredible cyber-capabilities in America, and it’s possible that hacktivists, if they don’t like where things are headed, could meddle in the elections themselves, by doxing politicians and candidates, or intruding on voter databases.
The Trump playbook to counter all of this must be a “kitchen-sink” approach, to fully prepare for the onslaught of attacks around the midterms and beyond. This needs to include intelligence-sharing with allies, protecting underfunded local governments and appointing an international cyber-coordinator.
Decisions need to be made in terms of how we’re going to fight this – the only wrong answer is inaction.