Amid the cybersecurity whirlwind that has been May and June—when the world got its first taste of widespread ransomware attacks (WannaCry) and of the continued wave of attacks that is still unfolding (Petya/NotPetya)—the public’s attention has yet again been pulled away from the news most relevant to the United States and our future: A Department of Homeland Security (DHS) official in Trump’s administration targeted election-related systems in 21 states ahead of the 2016 presidential election.
In the wake of all the recent ransomware news and last year’s Russian cyberattacks, a new 2017 survey by Carbon Black found that 27 percent of eligible U.S. voters “will consider not voting” in future elections because of their concerns regarding cybersecurity. This means that in the next presidential election, 58.8 million people might not vote. With the 2018 mid-term election drawing near, this could have dire consequences for the future of voting in our country.
As a result of the 2016 cyber attacks, the U.S. learned what security experts have shouted for years: We are vulnerable! While we have significant potential for cyber defense and offense, we are plagued by internal breaches like those that released CIA attack tools and external compromises such as the Shadow Brokers attack on the NSA. Noting this imbalance, Russia launched a targeted disruption campaign against the U.S., not specifically to change votes or directly alter the election, but to sow mistrust and concerns among American citizens.
What can be done to prevent election hacking in 2018 and beyond? Can we restore faith in the American voting system, or is the damage already done?
The government must heed Comey’s words: ‘They will be back’
The 2016 election cyber attacks had a silver lining: voters are starting to open their eyes to the problem. It is now the task of lawmakers to regain the trust of the public by creating public-private partnerships that seek to extend and broaden the scope of effective cybersecurity; spend funds on critical infrastructure protection to harden against cyber attacks; assist in educating the general population to beware of social engineering and email phishing attacks; and share known exploits and issues so that organizations can patch systems ahead of the attack.
In our last election, 25 percent of Americans voted using electronic voting machines. Many of these machines used outdated software on aged machines with inadequate cybersecurity. Thus, the potential for meddling with these machines is there, and our dependence on electronic voting machines may create an unnecessary vulnerability in our election process.
Therefore, in order to restore the public’s confidence in our voting process it is crucial that we invest in hiring and infrastructure to support hand-voting in the majority of areas until electronic voting can be made secure. Marking a paper ballot that can later be used to verify a vote will make our future elections as secure as possible and help the country trust our election process again.
Citizens can also take cybersecurity into their own hands
While the government needs to make adjustments in order to preserve the integrity of our voting system, citizens too can take a proactive approach to ensure that they aren’t victims of the next cyber attack.
If nothing else, the 2016 election attacks demonstrated that we are all vulnerable to the simplest email phishing ploys. To better protect the integrity of our voting system, citizens need to leverage advances in cybersecurity technology and develop processes to make it difficult for Russia (or any adversary) to succeed in future attacks.
A few general rules for individuals to follow in order to avoid email hacking:
Don’t click links or open attachments in email unless the email is first verified
Use authentication and encryption to protect data if a compromise occurs
Deploy numerous verification techniques like two-factor authentication to set up layers of security around precious information
Americans’ insatiable desire for rapid communication has often resulted in shortcutting the security necessary to authenticate and verify information. Our abuse of email as the primary method of business communication has made us vulnerable to email phishing or social engineering attacks that exploit a person’s trust. Businesses also need to do more in policing these simple cybersecurity rules for all employees.
Building a secure voting future
Designating is a step in the right direction and by committing to investing in infrastructure, we can start to regain the trust of voters, while lawmakers can ensure that our elections will not be hacked in the future. Since citizens are a part of an information sharing system most likely to be attacked, security must also move as close to the people it serves as possible.
Cybersecurity solutions must then focus on the endpoint – the device in a human’s hand – in order to prevent mistakes and spies from exploiting the weakest link in our security systems, the users of these devices.
Putin and his fellow cyber spies will seek to continue voting disruption campaigns, so we must be especially vigilant in our upcoming 2018 midterm elections. The government must invest time, money and attention in a robust cyber counterintelligence community that hunts attacks and provides warnings to industries before, not after, the breach occurs, while our citizens must be diligent to protect themselves from email phishing schemes.
Together, we can protect our voting system, and most importantly, our democracy.
Eric O’Neill is a national security strategist at Carbon Black, where he specializes in counterterrorism and national security matters. A former FBI operative, he is now a practicing attorney who specializes in cybersecurity vulnerability assessments, counterintelligence and counterterrorism operations, investigations into economic espionage, internal investigations, and security risk assessment consulting.