Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Governance & Risk Management
Election Security: FBI Combats Information OperationsSenate Calls Social Media Firms to Testify as Election Security Bill Stalls
It's less than 10 weeks until your country's elections; do you know where your government's information warfare defenses and election security strategy are?
See Also: How to Use Risk Scoring to Propel Your Risk-Based Vulnerability Management Program Forward
With the U.S. midterm election primaries already well underway, the FBI this week launched an informational website that describes the bureau's actions to counter propaganda and influence operations being run by foreign governments (see Redoubling Efforts to Secure Midterm Election).
"Stymied by a lack of shared understanding of what happened, the government's sclerotic response has left the United States profoundly vulnerable to future attacks."
"Foreign influence operations - which include covert actions by foreign governments to influence U.S. political sentiment or public discourse - are not a new problem," the FBI's site notes. "But the interconnectedness of the modern world, combined with the anonymity of the internet, have changed the nature of the threat and how the FBI and its partners must address it. The goal of these foreign influence operations directed against the United States is to spread disinformation, sow discord, and, ultimately, undermine confidence in our democratic institutions and values."
The informational site notes that the FBI takes the lead on investigating foreign influence operations, and that in the fall of 2017, FBI Director Christopher Wray launched a new, cross-government Foreign Influence Task Force designed to combat such operations.
The FBI has also released educational information security videos on such topics as patching, firewalls, passwords, browser safety and social engineering (see Nation-State Spear Phishing Attacks Remain Alive and Well).
It says these are intended to help "to raise awareness among political campaigns about the best ways to fend off possible attempts - by criminals, foreign agents or others - to infiltrate their information technology infrastructure."
DHS and States' Defenses
This isn't all that is being done. The U.S. Department of Homeland Security is in charge of protecting national critical infrastructure, which includes some aspects of election security. DHS says that since last year, it's been working with states and voting machine manufacturers to coordinate election defense. DHS also says it's offering briefings to up to three election officials from each state on the latest threat intelligence, although some security experts have questioned the usefulness of such briefings (see Will Congress Lose Midterm Elections to Hackers?).
States, however, are responsible for their own infrastructure, and some are better prepared than others.
"Only two states - Colorado and Rhode Island - have audit requirements in place that can reliably detect and remedy incorrect election outcomes if they occur," the Center for American Progress, a nonpartisan think tank, warned in April.
Senate's 'Secure Elections Act' Stalls
Last week, meanwhile, a bipartisan bill moving through the Senate that was designed to improve election security stalled.
Co-authored by Republican Sen. James Lankford from Oklahoma and Democratic Sen. Amy Klobuchar from Minnesota, the bill would "streamline cybersecurity information sharing between federal intelligence entities and state election agencies; provide security clearances to state election officials; and require adequate post-election auditing procedures so each election can be double-checked and verified."
Klobuchar slammed the delay, saying all Democratic senators had planned to vote for the bill. "With only 76 days before the election, with cyberattacks from Russia and other countries and criminal enterprises being revealed every day, with no national requirement for critical security protocols such as audits or backup paper ballots for our nation's election infrastructure, we must take action before the next election," she said. "To do nothing before the next election would be irresponsible."
The chairman of the Rules Committee, Roy Blunt, a Republican senator from Missouri, said lack of Republican support as well as concerns raised by some states' secretaries of state led the bill to stall.
Some of the states' concerns centered on recent drafts of the bill not mandating sufficient levels of election security.
"The latest markup ... misguidedly removes the requirement for a manual tally of paper ballots during post-election audits, instead allowing machine audits of machine tallied results," California Secretary of State Alex Padilla said in a statement. "Given the cyber threats to our voting systems, only audits of physical, paper ballots can provide the security we need and the confidence voters deserve to have in the accuracy and integrity of election results."
Backers say they're working as quickly as possible to prepare a new draft.
Given the timing, however, it's not clear that the bill, if it were to pass tomorrow, would have any meaningful impact on the 2018 elections.
Social Networks Finally Step Up
Belatedly, social networks have also been stepping up to address information operations. But doing so is complicated because propaganda comes in many forms.
Facebook, however, has pledged greater security spending to help counter these types of threats. And on Monday, after months of horrific violence in Myanmar that some observers say was fueled by social media propaganda campaigns, Facebook finally suspended 20 accounts tied to Myanmar's military, including Senior General Min Aung Hlaing, commander-in-chief of the armed forces. "While we were too slow to act, we're now making progress - with better technology to identify hate speech, improved reporting tools and more people to review content," Facebook said.
Alphabet's Google and YouTube, as well as Facebook and Twitter, have also started reacting more quickly to name, shame and suspend nation-states' information warfare operations.
On Sept. 5, officials from Google, Facebook and Twitter are set to testify before the Senate Intelligence Committee about what they're doing to counter influence operations being run on their platforms.
The social media giants have some progress to report to the Senate. Unfortunately, the Senate itself has made little progress on the issue.
What Is Good Election Defense?
In the bigger picture, however, do the FBI and DHS efforts - including informational security videos aimed at candidates and their campaign operations - as well as some states' proactive approaches to cybersecurity and social networks moving to more forcefully counter information operations, represent a complete election security strategy?
The emerging consensus from some information security experts is that not nearly enough is being done - or even proposed (see How to Secure US Elections - Before It's Too Late).
Last week, Alex Stamos, a former CISO of Yahoo and Facebook who has spent years studying and battling information operations, warned that Russia's GRU military intelligence agency and Internet Research Agency troll farm have given the world a playbook for leveraging social media networks for information operations against the U.S. (see Secure 2018 US Elections: It's Too Late).
"The uniformed officers of the GRU and the jeans-wearing millennial trolls of the private Internet Research Agency turned American technology, media and this country's culture of discourse back against the United States," Stamos said in his blog post. "Stymied by a lack of shared understanding of what happened, the government's sclerotic response has left the United States profoundly vulnerable to future attacks."
Don't Just Focus on 2016 Problems
One major proposal fielded by Stamos: Create an independent U.S. cybersecurity agency devoted solely to defense that's free from any military, law enforcement or intelligence responsibilities.
"In the run-up to the most recent French and German elections, the respective cybersecurity agencies of these countries had access to intelligence on likely adversaries, the legal authority to coordinate election protection and the technical chops to work directly with technology platforms," Stamos says. "These organizations were independent enough to work directly with the relevant political campaigns, and their uncompromised mandates made them effective partners for multinational tech companies."
Securing elections - and ensuring the integrity of political discourse - is a massive undertaking. But unless government planners are willing to embrace big-picture ideas, such as those Stamos offers, they risk seeing election security become an even bigger failure.