Monday, July 22, 2019

Let's Destroy Democracy

Election security through an adversary's eyes


By Matt Olney.


Executive summary

Over the past few years, Cisco Talos has increasingly been involved in election security research and support, most recently supporting the Security Service of Ukraine in their efforts to secure the two Ukrainian presidential elections in April. Experiences like these, along with discussions with state and local elections officials and other parties, have helped us better understand the election security space. These discussions are especially important to us because combining their expertise with our experience in the security space — and specifically our understanding of some of the actors that may be involved — is a powerful model to achieve the ultimate goal of providing free and fair elections.

Based on our research and real-world experience working to secure elections, we have recommendations for several different groups, each of which have a role to play in working against attackers who would interfere in free and fair elections:
  • Everyone should understand that interference in, and attacks on, the election system are part of a larger, coordinated attack on the very concept of free democracies.
  • Security improvements in election security can best be achieved by combining the expertise of election officials with that of traditional security practitioners.
  • Election officials should extract maximum value from this period of heightened interest in election security.
  • Security practitioners should recognize the specialized nature of the elections environment and be careful to provide the best advice for that unique environment.
  • Everyone has a role to play in ensuring that faith in democratic institutions is reinforced and that social divides aren't unnecessarily aggravated.

In this post, we will outline potential scenarios that a hypothetical attacker may take to disrupt any country's election. But it's important to remember that just because we present a scenario in this post does not mean that it is viable in the face of the security work that the election community has put in place. For example, we'll discuss an attempt to change votes on a voting machine. However, it would take an additional post to discuss the hurdles that an actor would face to achieve this. We urge everyone to not underestimate the significant work that the election community has already done in terms of security.

Now. Let's have some fun.

Building a better opponent

So how does one design an opponent? Well, a lot of people concentrate on the "how," but we also need to know the "why." Then, when we start to try and guess what an actor may be trying to do, we can make better assessments. So while we'll definitely look at the historic record — everything from obscure legal filings of relatively unknown federal prosecutors, to public findings from the entire U.S. intelligence community — we'll start with some more fuzzy, geopolitical assessments.

You might look at the recent history of interference in U.S. elections and wonder what the underlying intent of the actions were. Foreign Affairs has an excellent article that explains why an adversary might target elections and agitate the electorate. They propose that U.S. adversaries see the support of democracy as an attempt to extend U.S. influence, and specifically cited interference in the 2016 election as being intended, at least in part, "to tarnish U.S. democracy." But more specific to our actor, the article says adversaries of the U.S. share a "belief that weakening democracy can accelerate the decline of Western influence and advance [the U.S. adversaries'] geopolitical goals." This is our "why."

We're going to build the "how" based on two things: the concept of hybrid warfare and a roadmap we found for destroying democracy. Hybrid warfare is an excellent description of the actions taken by a country that is attempting to avoid traditional, kinetic warfare, but still achieve fairly ambitious geopolitical objectives. Read the paper, but for our purposes, the important concept is that actors adopting this model rely on "subversive instruments," including information operations and offensive cyber operations.

If you wanted to damage something, an easy way to do that is to try and destroy it and be content with however much injury you inflict. This is where our roadmap comes into play, courtesy of Diskin, Diskin and Hazan's paper "Why Democracies Collapse: The Reasons for Democratic Failure and Success." The authors review the root causes of failures of democratic governing structures in the past. The most serious commonalities between these failing governments are: foreign involvement in domestic politics, a history unfavorable to democratic norms and processes, a malfunctioning economy and "social cleavages" — rifts in the social fabric that divide a country.

We will, by definition as a state-sponsored actor, be a foreign interference. However, we can't change history, and the world's economy is interlaced enough that it is hazardous to go poking at it for purely political objectives. But in many ways, the U.S. is ripe for someone to come and pull at the loose threads that make up its social fabric. So, following the map laid out in the paper, this will be a major objective for our adversary — to assault the electorate's faith in democracy and to rend the social fabric of the U.S.

Finally, let's make sure we've captured recent history. The intelligence community has assessed that, in addition to undermining public faith in the U.S. democratic process, that actor also had a preference in terms of a specific candidate. Certainly some of the information operations activities we've seen, such as the conduct of the Internet Research Agency, have targeted particular candidates, but that activity has also shown a desire to inflame existing divides in U.S. culture and society. Finally, we have a few publicly known cases of cyberattacks against election systems infrastructure, in particular, the voter registration databases of several states.

Taking all of that together, we can construct a grossly simplified adversary. Things are more complex in reality, but an actor with the following basic traits will serve our purposes for thinking about general election interference:
  • A desire to drive a wedge into existing social divisions.
  • A desire to undermine faith in democratic processes.
  • A preference toward certain candidates.
  • Willingness and ability to attack voter registration databases.
  • A desire to conduct their work remotely.

Define the attack surface

Talented adversaries are fun, but they really sparkle when you have something shiny to catch their attention. Luckily, elections are super shiny, and our model actor would begin to investigate what makes up the election system. To put it in more technical language, our model actor would begin to analyze the available attack surface. Here is a list of common election system elements they would find, with a basic description of the roles they play:
  • Voter Registration Database (VRDB)
    • A statewide database that contains a roster of those state's residents who are eligible to vote.
  • e-Pollbooks
    • Electronic devices at voting locations that contain some portion of the information in the VRDB and are used by local voting authorities to ensure that individuals are permitted to vote at that location.
  • Vote-casting devices
    • What most of us call "voting machines," these are the devices where the individual voter would interact with the ballot and cast their vote.
  • Vote tallying systems
    • These are the machines that actually count the votes.
  • Election Night Reporting Systems (ENR)
    • This is the collection of systems that collate the results from various districts and make them available to media and other interested parties. These results are unofficial, but are important because, otherwise, Wolf Blitzer wouldn't be nearly as dramatic on election night.
  • Internal and public-facing communications
    • You might not think of this as a key part of the election system, but once you start to consider what the adversary is trying to accomplish, you'll understand why the Center for Defending Democracy highlighted these systems.

4 ways to destroy democracy

In case you missed it, our model actor would really want to destroy democracy. They want to reduce the influence of western democracy and damage the image of U.S. democracy to erode U.S. influence globally. For our model, attacking elections is one part of a wider effort to disrupt the political processes that are interfering with the geopolitical aspirations of our state sponsor.

Now the best part: we, as defenders trying to understand the adversary, become the adversary. We know the playing field, we know what we want to achieve and we're an all-powerful APT actor — just like in the movies. We've been tasked with attacking the election system. What are our diabolical plans? Let's pretend this is all as easy as some think it is.

Remember: This is a hacker fantasy, and doesn't account for any defenses. These are assessments of what an adversary might want to achieve, without worrying about pesky things like network isolation, patching, firewalls, antivirus software and certainly avoiding any heroic election IT staff.

Scenario 1: Let's get the obvious one out of the way. We have a preference, and we're just going to pick that candidate. To get this done, we would have to target either the voting machines directly, or the vote tallying machines. But specifically picking a winner is risky, and if detected, it might solicit an extreme response. So maybe...

Scenario 2: Let's create an election night and certification nightmare. We could manipulate the ENR system in swing states to show that the loser actually won. We likely wouldn't get away with this for long. At best, as certification went through it would become apparent that the other candidate won. We would, however, seed arguments, lawsuits and bad blood for years in a hotly contested election. But the election may not be close, so maybe...

Scenario 3: How about we turn this into an information operation and pick at the divisions already present? First, we pick a state that has been involved in some sort of election argument — accusations of gerrymandering, voter suppression or insufficient safeguards. Then, we breach the voter registration database and we deregister 10 percent of voters who are registered for the party that isn't in power. If we can't do that, we'll make the changes on the ePollbooks when they're loaded with data. Voters will have to cast provisional ballots, lines will lengthen because the process takes longer, the media will report on it, a pattern will emerge of who is affected, accusations will begin to fly. And, as a bonus, we'll also steal a lot of the registration data to make our information operations more efficient in the future.

Scenario 4: Make Scenario 3 worse. Why not? We have full APT power! Let's really dig into those wounds. Let's manipulate the communications of elections officials and change documents to make it appear this was intentional. Let's create social media accounts of "insiders" who claim to know what actually happened. Finally, let's hand the burning ember we've created to our information operations folks as an early Christmas present. They'll work to fan it into full-on flames.

Not time to panic yet. First, a history lesson

It's easy to sit here and fire off imaginary attacks at paper services. But, we haven't given thousands of election and security professionals their say yet. The past three years have been monumental in terms of the work done on improving election security, and those three years of work are built on a foundation of decades of work before that. Which reminds me...

I have something to say about the last few years. And I think this is important: To a large extent, the security community came late to the election security problem and we immediately started to go about trying to fix it. But some of us failed to take enough time to understand the deeply challenging environment we were working in, and that led to frustration on both sides.

To give an example of how complicated this space is, let's go back to December 13, 2000 and see what was going on that night in the Old Executive Building. Al Gore is giving his concession speech, conceding a tightly contested presidential race to George W. Bush. New Mexico had been decided by 363 votes and Florida by just 537 votes. It was not just close, but also by some measures deeply flawed. One MIT study estimated that between 4 and 6 million ballots out of the 100 million cast were not counted. We'll come back to Mr. Gore shortly, because what he said here is important in the larger scope of things, but let's concentrate on those 4 - 6 million lost ballots.

Congress responded, and did so in a bipartisan manner. In 2002, the House voted 357 - 48 and the Senate voted 92 - 2 to pass the Help America Vote Act (HAVA), which established the Election Assistance Commission, allocated $3.65 billion to assist states in upgrading their voting infrastructure and required states to have a centralized, computerized voter registration database. In doing so, they fixed many of the problems that existed during the 2000 election, ensuring more votes would be properly counted in the future. However, in doing this, they also unintentionally created almost the entirety of the threat surface that we are dealing with today.

In one fell swoop — and one enormous injection of funds — Congress set the country on a path to rearchitecting the election system. I'm not going to try to dissect the economics of dropping billions of dollars onto a problem like this. But I will point out that it is problematic that those funds are not guaranteed to exist every year, and there have been stretches of years where money was not supplied to states, leaving them to have to fund the maintenance and replacement of these systems themselves.

To cut this history lesson short, and get to the point: The history of computerized elections is complicated. As security practitioners, we bring with us a wealth of expertise in technology and security. But every one of the more than 8,000 election jurisdictions in the U.S. is in some way unique, and is run by people who understand that they wait at least a year between the main event and then pull it off on that one day with no failure. To do this, they have become masters of contingency planning.

Takeaways

The way that U.S. elections are run by thousands of different precincts, a fact that stems from the very founding concepts of the country, makes providing specific recommendations difficult, especially since we try to avoid just giving rote "patch your stuff" recommendations. So, instead, I have general guidance for three different groups: election administrators, the security community and everyone.

For election administrators, I'd first apologize. I know things are aggravating right now with all these strangers marching in and trying to sound smart. My recommendation to you is that you completely abuse this situation. I know that it can be years between when people even think about elections, so with everyone so focused right now, I'd say make sure you extract every piece of value you can.

Vendors are stumbling over themselves to help solve your "problem." Election security is very much in the spotlight right now and it makes a vendor look good to be involved. Make sure you talk to their experts, take advantage of any free offerings, get extra training and basically make them earn the right to say that they are part of the solution. And make sure they understand the entirety of your specific form of the problem before they start pitching their solution.

Specific recommendations for election officials:
  1. Demand more of your vendors, especially ones that show up out of nowhere when HAVA money appears.
  2. Be clear about your resource limitations and work with your vendor's experts to correctly allocate those resources.
  3. Think like an attacker, and prioritize fixes and upgrades to those systems they are most likely to target.
  4. Our assessment is the most likely targets are voter registration databases and election-night reporting systems.
  5. This includes systems that interact with the VRDB such as the DMV, online registration services and outside systems like the Electronic Registration Information Center.
  6. You don't have to be security experts, but you do need to find trusted partners who can work with you on security issues.
For the security community, I'd ask you to be at your best. And I don't just mean technologically, but also in your soft skills. The people you'll meet in the election community are rich in experience and well-versed in their subject matter. You'll also find them to be patriotic, diligent and fully aware of the weight of their responsibilities and the limitations in their resources. Don't underestimate them just because they aren't experts in cybersecurity. Work hard to build trust and to find a way to combine their expertise and yours in ways that improve their overall security stance.

Also, know that there is a ton of momentum today that you need to be aware of. A lot has happened since 2016. The federal government has declared elections critical infrastructure. While federal law enforcement and national security agencies were certainly already at work on election security, this change provides focus and prioritization that helps. The Election Infrastructure ISAC has been stood up offering threat intelligence and network monitoring assistance to election administrators. Additional funding has been allocated to the states to address security issues — more than $380 million dollars through HAVA, the first such funding since 2010. We're much more clear on the threat than we have been, with indictments and reporting detailing the kind of attacks we're facing. In short, a great deal of progress has been made.

Finally, my recommendation to everyone. This brings me, at last, back to Mr. Gore, standing before the nation. Having lost a contentious and problematic race, including what was, for this election, a brilliantly on-brand, narrow 5-4 Supreme Court decision, Mr. Gore faced the nation to share his thoughts. Think of all the things he could have said. Think of some of the things he probably wanted to say. Now, know that he chose to invoke the words of Sen. Stephen Douglas, who after losing the election to Abraham Lincoln said to him, "Partisan feeling must yield to patriotism. I'm with you, Mr. President, and God bless you." Both Sen. Douglas and Mr. Gore chose to mend when they easily could have chosen to rend.

Remember how hard adversaries are working to drive wedges into the cracks and crevices that divide us along cultural, social and political lines? So much investment in terms of money, time and technology to drive toward this goal — it must be very important to them. Everyone has a role in standing against this effort, it cannot fall just to one small group. We are each targeted, so we must each consider how to respond.

Each of us is given opportunities, in near infinite forms, to help. But to just constrain our topics to election issues, know that every software design, network architecture, resourcing and risk acceptance decision, along with every stump speech, interview, argument, tweet and blog post is an opportunity. These are opportunities to reinforce faith in democracy and to mend the social fabric through transparency, accuracy and a commitment to free and fair elections. These opportunities can also be squandered, and when they are squandered, they hand an unearned victory to our adversaries.

Choose wisely.

Note: Want to hear more about election security? Check out our election security episode of the Beers With Talos podcast.

No comments:

Post a Comment