We love shopping and paying bills online. We love Google Maps and Waze. We love Nest. We love our apps. All good. But technology also has a dark side. Cyber-bullying is dark, very dark. Digital trolls are dark. Phishing is dark.
Election meddling is another really dark side. The U.S. Senate’s Select Committee on Intelligence released Volume 1 of its report on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election is as dark as it gets. The report summarily states that “the Russian government directed extensive activity, beginning in at least 2014 and carrying into at least 2017, against U.S. election infrastructure at the state and local level.”
Here’s a thought: if a corporate CIO, CTO or CISO experienced the degree of hacking the US election system has experienced – and, according to the report, continues to experience – they would shut down their networks until they eliminated the threats. If they failed to do so, they’d be fired. But very strangely the US has yet to eliminate the threats which have been around – according to the report – at least since 2014. How many CIOs, CTOs, or CISOs do you think would be given five years to eliminate breaches to their computing and communications infrastructures? I cannot imagine the conversation I’d have with my boss about cyber-insecurity: “well, boss, I tried … I really, really tried (at least a little) to get the competitors out of our systems but you know what? They can still read our emails, get into our R&D files and even our sales data. But how much damage can they really do? I’m sure you agree.”
Here’s what the (heavily redacted) report describes as just some of the elements of Russian activities:
- Access to election infrastructures in many U.S. states
- Efforts to research U.S. voting systems, processes, and other elements of voting
- Activity directed at voting machine companies
- Efforts to observe polling
- Activity and its relationship to misinformation campaigns ...
The report also states that “in 2016, cybersecurity for electoral infrastructure at the state and local level was sorely lacking; for example, voter registration databases were not as secure as they could have been. Aging voting equipment, particularly voting machines that had no paper record of votes, were vulnerable to exploitation by a committed adversary. Despite the focus on this issue since 2016, some of these vulnerabilities remain.” (Italics mine.)
What else? “Throughout 2016 and for several years before, Russian intelligence services and government personnel conducted a number of intelligence-related activities targeting the voting process … the Committee found ample evidence to suggest that the Russian government was developing and implementing capabilities to interfere in the 2016 elections, including undermining confidence in U.S. democratic institutions and voting processes.”
Incredibly, the report also states that “the cybersecurity vulnerabilities of the U.S. election system cannot be separated from Russia's efforts to influence American voters. As the January 2017 Intelligence Community Assessment (ICA) concluded, and as the Committee report notes, the Russians were ‘prepared to publicly call into question the validity of the results’ and ‘pro-Kremlin bloggers had prepared a Twitter campaign, #DemocracyRIP, on election night in anticipation of Secretary Clinton's victory.’ This plan highlights an additional reason why nation-wide election cybersecurity standards are so critical. If Russia's preferred candidate does not prevail in the 2020 election, the Russians may seek to delegitimize the election.”
More? “While not formally part of the U.S. election infrastructure, the devices and accounts of candidates and political parties represent an alarming vulnerability in the country's overall election system. Russia's campaign of hacking the emails of prominent political figures and releasing them through Wikileaks, Gucifer 2.0, and DCLeaks was probably its most effective means of influencing the 2016 election. The Committee has received extensive testimony about these operations, the vulnerabilities that allowed them to occur, and the threat those vulnerabilities pose to the integrity of American democracy.' Yet little has been done to prevent it from happening all over again.”
Would corporate CIOs, CTOs and CISOs keep their jobs if the emails of C-suite executives were hacked and published for everyone to read?
There’s much more to come. Additional volumes will look at how President Obama handled the “meddling,” how social media was used to influence the election and, ultimately, the Trump campaign’s possible role in all this. The volume on social media will focus on Russian Facebook ads and disinformation efforts. The first volume just released solidifies Russian involvement in the election and its attempt to manipulate the outcome. Subsequent volumes will provide detailed evidence about how they used digital technology to interfere in US elections across the country.
What are we to make of this horrid use of digital technology – or the lack of response? Note that in 2018 the Congress appropriated $380 million – about the cost of one F-22 Raptor fighter jet – for all of the states to improve election cybersecurity – a pittance of what’s actually required to prevent interference. Why would anyone underfund election security? What if a corporate CIO, CTO or CISO in the face of multi-year, massive, persistent competitive digital attacks asked for 5% of what’s necessary to stop the attacks? What would happen next? As a former CTO responsible for digital security in a Fortune 500 company, I can answer the question: my office would be empty in a matter of hours.
