The upcoming U.S. presidential election cycle falls at a very unique time in our history. We knew coming into 2020 that we’d likely be facing adversaries attempting to influence our campaigns, elections and democracy as they did four years ago.
I don’t think anyone realized we’d also be dealing with a global pandemic or highly emotional protests on top of that. As troubling as this year has been for people around the world, and Americans in particular, it’s pure gold for the enemy. Not only are they preying on our emotions and vulnerability during an especially difficult and unprecedented time, but they’re also working in overdrive on ways to corrupt, undermine and remotely disrupt our daily lives.
Information operations are nothing new. Disinformation, propaganda and attempts to manipulate public perception have been documented since some of the earliest records exist, morphing as new methods of communication emerged. First campaigns leveraged paintings, then cartoons, posters, pamphlets, films, radio and TV shows, and now they use the full global reach and impact of modern digital communications. In information warfare, nation states continue to deliver on the same goals as they did when dropping pamphlets by plane on soldiers during wartime — but with the anonymity, speed and scale now enabled by modern social media tools and the far-reach of the internet.
What is new is the weaponization of content in an attempt to achieve the broadest societal impact via online influence operations, leaks and extortion. While cyber espionage has traditionally had a tremendous and negative impact on the global economy through the drain of intellectual property, the attacks we’ve witnessed on the election process and infrastructure further amplify those risks. These threats cut through the heart of the modern democratic process. As a former FBI official, I witnessed attacks as far back as 2008 on both the Obama and McCain presidential campaigns. It was espionage, plain and simple, to collect intelligence on the candidates’ strategies and policies.
Although adversary interventions during the 2018 midterm cycle appeared more muted than in the 2016 race, we should not assume that they will sit on the sidelines in 2020 and beyond. Election security leading up to November is key — a vital pillar to the health of the democratic process. Similarly, one of the main components of any reasonable cybersecurity program is the health of the system. Adversaries are looking to collect intelligence that will help them understand candidates in terms of policies, economic values and the like. And the security posture of the various electoral systems will determine the adversaries’ success. They will always use the path of least resistance to conduct a breach. They are patient, thorough, and take the time to learn and exploit vulnerabilities.
We need to ask the most basic, albeit incredibly important, questions. How are electoral assets secured? How are the systems configured? What is the breakdown of access control? Is software and hardware patched? Are existing vulnerabilities identified and secured such that they can’t be exploited? How is DNS traffic being filtered? How are campaigns preventing phishing operations among their staffers? The list of questions is simply too long to cover comprehensively here.
Fortunately, it’s promising that people now seem to recognize more than in prior years just how widely dispersed our electoral system and infrastructure is. But it is critical to execute on that knowledge and mitigate the risk — awareness must translate to action. I would argue that with the success of previous election interference events, there will be other nation states that use this vector as part of their toolset and electoral officials need to be cognizant of that. They have taken on the responsibility of administering the election system and must take that responsibility seriously. Their failure to protect the infrastructure could result in a failure in democracy.
On a larger scale, it’s also noteworthy that the U.S. is not the only country under attack by interference and disinformation campaigns. The reconnaissance and theft of intelligence related to electoral processes is a global issue against the majority of Western democratic operations. The growing threat that we first saw against our systems has now been replicated throughout the world in Taiwan, India, Finland, France, Israel, Germany, Ukraine and others. Globally, information and intelligence sharing on emerging threats, new technologies and fresh techniques is critical. We must look from country to country to determine adversary actions and attempt to stop them in their tracks.
Where should we focus?
So how do we do this? First, we need to ensure we aren’t focusing solely on election tampering in our defensive posture. The adversaries are taking complete advantage of social media and what the internet can provide at their fingerprints. They’re using it to foment unrest during the pandemic, the protests and the campaign cycle. Whether it be through misinformation operations, social engineering or DDoS attacks, they’re actively working to instill confusion and unsettle civil discourse. And there’s nation-states sponsoring these activities over and over again.
Second, we must recognize the three individual pillars of cyber risk in this context and how to combat them. They include disinformation campaigns, hack-and-leak criminal techniques, and targeting of infrastructure.
Traditional media, social media and other public-facing communications should aggressively root out coordinated inauthentic activity that seek to amplify political messages. Utilizing smart social media practices and taking appropriate steps to monitor and stop disinformation campaigns remains a core component of keeping democracy safe.
Hack-and-leak criminal techniques
Many times, adversaries may first attempt to breach the organization’s IT networks in an effort to move laterally into more sensitive elections-specific infrastructure, gaining access to potentially damaging information if leaked. Speed of detection is key in thwarting this threat. CrowdStrike recommends the implementation of the ‘1-10-60 Rule’ — detect adversary activity within one minute, investigate it within 10 minutes, and isolate the threat or eject the adversary within 60 minutes.
Given the complex and distributed nature of western elections processes, campaign entities must utilize a risk-informed approach to defense. This means safeguarding the infrastructure that administers elections. Recognizing that inherent disparities in cybersecurity resources and experience across jurisdictions creates vulnerabilities, it’s essential to have sound infrastructure. The technical system is the primary means to detect an adversary and expel them from the network before a successful attack. Campaigns and public sector election entities should also be incredibly vigilant and consider leveraging cloud-based security solutions and managed services that proactively prevent, rapidly detect and remediate intrusions.
What’s next for 2020?
We know through CrowdStrike intelligence reporting that various state and federal agencies, educational institutions, and critical infrastructure sectors are actively being targeted by Russia-based adversaries, not unlike those that disrupted the 2016 election cycle. Through spear phishing, intrusion and password-spraying attacks, they’re gaining access to systems vital to our daily lives.
On top of this, the FBI is warning of malign foreign influence, defined as “operations by foreign powers to influence US policy, distort political sentiment and public discourse, or undermine confidence in democratic processes and values to achieve strategic geopolitical objectives.” This includes cyberattacks on election infrastructure and systems, campaigns, political parties, and acting public officials; subversive influence campaigns to either assist or harm a particular candidate or party; and overt disinformation operations and efforts to manipulate public opinion, sow discord and disrupt government processes and policies.
I often use the age-old government mantra “one team, one fight.” It’s never been more prevalent than now in this time of global cyber warfare. We have to unite against the adversary, protect our infrastructure, and be cognizant of who is reporting what we believe online. We cannot let our 2020 election cycle be the next cybercrime statistic and strip us of a fair and uncompromised voting experience that will determine the next four years of our history. Every second counts in defending our democracy.
Shawn Henry is chief security officer of CrowdStrike and president of Services