So I’ve commented on this before, but it seemed like a good time to recap. As you know, we’re starting to get more information about the (ahem) “situation” that transpired in the 2016 US presidential election. As of now, we know that:
- Voting machine manufacturers were targeted and compromised
- 21 states were targeted for systematic attack during the election process
- Voter registration records were compromised and leaked in at least one jurisdiction (Illinois)
There’s a lot of speculation about other stuff, but those are the things that at this point are indisputable. I have three things to say about that.
#1 Politics still influencing coverage
My ire got raised this morning because I happened to notice that the Girl Scout merit badge for cybersecurity got 3x the coverage in the trade press compared to the analysis of the new details about the election attack. I know because I counted the items in my feedly – not scientific, but the best I can do with a half hour before the workday starts. For reference, you can see the relative search interest here:
Now, I’m all about the girl scout badge (seriously, go go girl-scouts — this is an awesome thing you’re doing), but… priorities. We need to cover this. Because, like I said before, this isn’t the last time it’ll happen. In fact, now is our opportunity to study it before it gets more subtle and attackers hone their tradecraft so it’s more efficient next time around. Get over the politics and let’s discuss how to prevent this next time.
In my first post on this (linked above), I outlined why it isn’t in anybody’s interest to give into the temptation to not cover this is the trade press because it’s too “politically loaded.” It isn’t – or at least it shouldn’t be. Here we have ongoing cyberwarfare between nation states. Covering it like it’s something else – or not covering it at all – detracts from our ability, as people interested in security and the scientific process, to analyze and discuss what occurred. It’s not “meddling” (this isn’t old Mr. McGillicuddy in a mask scaring tourists away from the abandoned mine). It’s also not tampering, fiddling, coaxing, diddling or gently massaging. Call it what it is: “warfare” – slap a cyber in front of it if you must (cyberwarfare). But either way, let’s talk about it so it doesn’t happen again.
#2 There’s malware
So there was a hesitancy on the part of folks testifying from the law enforcement community to comment on whether or not there was malware installed in election systems due to the fact it’s an ongoing investigation.
Here’s the deal: there’s malware. If Russia got into election systems (which we know they did because Illinois) and they had sufficient access to exfiltrate data — which again we know they did — there’s absolutely malware on there. In fact, if they didn’t install malware, I’m taking away their “intelligent adversary” merit badge right now.
Installing the back door rootkit is “bad-guy shenanigans” 101. I get it that people don’t want to confirm it or whatever, but let me save you some time because of course they did. So, please to go fix that.
#3 The threat model is wrong
The last thing that strikes me is that the threat model that we have around protecting the election process in the first place is wrong. It has to be. It’s decentralized – every state has their own voting methodology and every individual precinct has the responsibility to protect their voting records at the municipal level.
Is this a good idea? Let’s frame it this way: say you have a thousand small businesses – like your local grocers, car dealerships, “mom and pop” antique stores, etc. Is it reasonable to assume that all of them will maintain sufficient defenses to protect against a nation state? Not just any nation state, mind you. But arguably the second or third best in the world at this kind of attack? I’m going with no. You could probably protect one or two given ridiculous levels of investment, but all of them? Even if it was at the state level, you’d be hard pressed. Because the bad guy has to find just one way in and you have 50 environments to defend against.
From an economics point of view alone, centralization has to be the way to go. Or come up with something that is designed to be distributed in the first place and self-enforces integrity. Like, oh I don’t know, maybe some kind of distributed Merkle tree with a corresponding proof of stake algorithm and use that to tally votes? Hmm. I wonder where we’d find such a system. Nah, that’s probably too “SciFi” to realistically implement. </sarcasm>