Cyber Scene #45 - Cyber Offense and Defense: The U.S. Election 3D Chessboard
Cyber Scene #45 -
Cyber Offense and Defense: The U.S. Election 3D Chessboard
Coming to terms with the magnitude of cyber's role in the 2020 election and how it will be impacted by the COVID-19 pandemic is daunting. "De-globalizing" as the U.S. and other nations such as the U.K. have tried to do recently is difficult if not unfeasible.
As for a framework to clarify this conundrum, Cyber Scene proposes the analogy of Joseph Nye, the "soft power guy," to provide a visual framework for U.S. election vulnerabilities under the pandemic. Although not a cyber expert, Dr. Nye has experience across U.S. government sectors and academia: head of the National Intelligence Council, Deputy Undersecretary of State for Security Assistance, Deputy Assistant Secretary of Defense for International Security Affairs, and Dean of Harvard's - Kennedy School.
In 1994, he posited his theory of the world functioning as a 3D chessboard: the three strata, through which events passed, were foreign policy, economics, and military issues. Building on his model, Cyber Scene offers that a pandemic exceeds the definition of an event. Rather, let us consider it as the black - and red - chessboard squares; cyber serves as the connections that move decision-making of world leaders--kings, queens, autocrats, presidents and other nation-state and technology leaders; bishops, other religious organizations as well as radicalized quasi-religious entities; knights as military leaders, and the less prestigious pawns--all the rest of us. Cyber permeates all our lives as it enables movement--across the board and across essential segments of everyday life. The global aspect of this board can also be confirmed by Thomas Friedman's dissection and country sourcing of his computer components, as discussed in his initial version of "The World is Flat." So we have Dr. Nye's 3D model with "cyber-pandemic characteristics."
With this graphic image as our framework, let's examine the June 2020 status of U.S. election security threats--direct and indirect, foreign and domestic, intentional and unintended. The intensity and mutation of these threats multiply under the COVID-19 pandemic closing in on us. As we hunker down we are all trying to determine our next move (or vote) on the board, be we kings or pawns. Cyber is the path to the objective and success.
On 7 June, New York Times (NYT) reporters David Sanger, Nicole Perlroth and Matthew Rosenberg opine in "Amid Pandemic and Upheaval, New Cyber Risks to the Presidential Election" that as America attempts to secure the health and safety of U.S. voters by expanding remote voting, largely Vote-By-Mail (VBM), and other measures to protect those working the polls and those going to them, an ugly vulnerability is identified. The authors believe that the pandemic "...could open up new opportunities to hack the vote--for President Vladimir V. Putin of Russia, but also others hoping to disrupt, influence or profit from the election." They dismiss the claim that the problem could be fraud, noting that Stanford and other research concludes that voting by mail might increase voting for both parties, with no advantage to either, and that five U.S. states that have being using and tracking VBM for many years found little fraud.
Rather, the concern regards online voting systems created quickly by many states in light of the pandemic, as well as existing online voter registration systems. The former were considered by the Department of Homeland Security (DHS) as "high risk" and the latter assortment of state registration systems among "chief targets of Russian hackers in 2016." These attacks were viewed by American officials as a dry run for the next opportunity. In 2019, DHS hired the RAND Corporation, a prominent think tank, to re-evaluate election security. RAND's conclusions were grim: "state and local registration databases could be locked by hackers demanding ransomware or manipulated by outside actors." Since then, DHS's Christopher Krebs who leads the Cybersecurity and Infrastructure Security Agency (CISA) has been working on countering these vulnerabilities. This includes calling for backup systems with paper printouts of poll books for registration purposes in the event that the hacker in the basement or a powerful nation state have another go at it.
Because of the pandemic, states accelerated VBM opportunities even for those not voting absentee, per se, for reasons of health and safety. Many of these issues, per the NYT, have gone to court with justices across the country, rendering differing opinions. The U.S. Supreme Court (SCOTUS) has just, on 26 June, decided a Texas case involving VBM rights, judging that the 26th Amendment does not guarantee everyone the right to vote by mail. Texas will continue to offer VBM to those over 65, those disabled, those in jail, and absentee voters but not to others who wish to avoid physical voting at a polling location.
With this knowledge, the University of Michigan and MIT did identify one platform, called OmniBallot, used by several state jurisdictions (voting procedures are generally not even standardized within a state), that may be vulnerable. So some states are hesitant regarding VBM as the number of polls and those able to work the polls are dwindling due to COVID-19 issues. While VBM has been in existence since Union troops in the Civil War were able to mail their votes, cyber interference is a new concern.
The NYT reporters underscored that foreign threats are real: U.S. officials identified Russia as again meddling in the presidential election: "The National Security Agency (NSA) warned that Russian state hackers had targeted an email program used by dozens of congressional candidates to steal emails, as Russian hackers also did four years ago." Google also observed Chinese hackers targeting email accounts of campaign staff members of presumptive candidate Joseph Biden. Iran had targeted Donald Trump. This was also reported on 6 June by the London Times which observed from abroad that this happens as the U.S.-Chinese trade war, political snipes, and debate over COVID-19 escalate.
The NYT article of 15 June entitled "Made-in-America Conspiracy Launched by Russia." recounts how Russia passed along a conspiracy theory to likely unwitting Americans who were duped by RT, Russia's TV channel aired in the U.S... They propagated the original, malicious information to 20,000 twitter readers in 2016. Instead of implanting a nefarious intrusion into a system, the "elegant" approach was to implant dangerous lies into RT programs and into a twitter or two, and activate the minds of vulnerable Americans online.
But there is no easy answer. The lack of any standardization of voting registration and/or VBM makes any one solution for 50 states and all their jurisdictions an upward battle in the near term. However, Congress is trying to mitigate this cyber intrusion so potentially disruptive to the 2020 elections. Among other endeavors, DHS testified "before," in the digital sense, the U.S. House of Representatives Committee on Homeland Security on Coronavirus and Homeland Security.
The video testimony, under the rubric "Election Security and Integrity During a Pandemic, Part II," voices concerns and ways forward to counter the threats noted earlier in this Cyber Scene. The testimony is chaired by Congressman James Langevin (D-RI) who authored a 1999 book entitled "Responding to the Threat of Cyberterrorism Through Information Assurance." In addition to Congress allocating $4B to secure election systems, DHS official Wendy Weiser maintains that as part and parcel of the COVID-19 threat to health and safety of voters, the cyber threats are imminent, real, and three-pronged:
1) that U.S. election systems and procedures under the pandemic are insufficiently secure to provide credible and fair elections, and that not mitigating this would be helping out our foreign enemies;
2) foreign cyber interference has occurred across all 50 states in the past, and there has already been significant activity, as documented, this round;
3) the threat of disinformation regarding fraud would undercut the very fabric of trust at the heart of democracy.
The intent of Congress is to work with all 50 states, fueled by funding, drive and urgency, to secure fraud-free, credible and fair 2020 elections despite the pandemic.
Even as Congress takes action, U.S. efforts to rethink cyberspace defense is addressed by The Economist on 28 May in "Cyber-defence: Policing the Wild West." This too outlines FBI and DHS concerns about election threats from cyber-actors affiliated with China, Russia, Iran and North Korea and various attacks on elections and COVID-19 issues. These are ultimately intertwined. The article lays out why today's cyber attacks are similar to 9/11 and how difficult it is to define the problems in resetting cyber defense. Despite the work to support the Pentagon’s Cyberspace Solarium Commission, Senators Angus King (I-ME) and Mike Gallagher (R-WI) presented their recommendations just as the COVID-19 lockdown occurred. The Commission maintains that jurisdictional boundaries "hobble" cyber defense, with responsibilities strewn across several agencies (FBI, NSA, CYBERCOM, DHS, CISA, et al). It again calls for a national cyber director within the White House, working more closely with the private sector, establishing a platform for public-private exchange as the U.K.'s GCHQ has, and moving forward with Cyber Command's 2018 "persistent engagement" and "defend forward" approach. The article continues, noting under "Taking Offence," that defending too far forward looks like attacking and that "punching back by other means" might offer some alternative.
Meanwhile, countries across the globe struggle to contain the virus. Again, cyber plays an essential role in identifying those who are afflicted or not. Unfortunately, contact tracing, which as of May 2020 appeared quite appealing, has suffered in implementation on both sides of the Atlantic. The U.K. has reportedly, per 19 June London Times, scrapped its 3-month attempt to create its own smartphone app for contact-tracing. Instead, Health Secretary Matt Hancock said the U.K. is looking to Apple and Google technology for something better.
The Brits are not alone. As of 21 June NYT report by Sharon Otterman, New York City's attempts to launch an ambitious contact-tracing program with 3,000 tracers program has disappointed, according to. During its first 2-week trial, only 35% of 5,347 who tested positive for COVID-19 gave information about contacts to tracers. Apparently, New York City has actually executed contact-tracing in the past for tuberculosis and measles, but on a much smaller scale compared to the pandemic's challenges. Massachusetts, whose contact-tracing work has been in place for some time, said that only 60% of infected individuals answered their phone when contact tracers called. Privacy is part of the reluctance, whereas the article points out that in other countries, information from businesses, for example, is required. Ms. Otterman notes that China, South Korea and Germany have reaped some success. In South Korea, for example, folks at karaoke bars, weddings or funerals are required to cede their names and phone numbers for contact purposes.
Quarantines across the U.S., facing alternative risks, loop us back to the chessboard: what moves are safe, and how will cybersecurity or lack thereof impact the endgame?