With the U.S. presidential elections a mere few weeks away, the security industry is hyper-aware of security vulnerabilities in election infrastructure, cyberattacks against campaign staffers and ongoing disinformation campaigns.
Past direct hacking efforts, such as the attack on the Democratic National Committee in 2016, have left many nervous that this time around, the actual election results could be compromised in some way. This year, worries about the integrity of voting machines have popped up too, coupled with the expected expansion of mail-in voting due to COVID-19.
Perhaps most concerning, according to Matt Olney, director of Talos’ Threat Intelligence and Interdiction at Cisco, is cybercriminals “going after the minds of the American people and their trust in the democratic institutions that we use to select our leaders.”
The good news, Olney, said in a recent video interview with Threatpost, is that awareness of election-security threats has increased since the 2016 elections. That’s been both on the part of the federal government, as well as by U.S. citizens themselves, who have gotten better at calling out content that may be associated with disinformation campaigns.
Below find a lightly edited transcript of this interview.
Lindsey O’Donnell-Welch: Hey, everyone, this is Lindsey O’Donnell-Welch with Threatpost. And I am joined today by Matt Olney, the director of Talos’ threat intelligence and interdiction at Cisco. So Matt has been working with election officials firsthand, to make sure that they are prepared for the November presidential election. And he’s also spent the past four years studying election security, and misinformation, and all these different security threats that we’re seeing related to the elections. So Matt, thank you so much for joining us today.
Matt Olney: Happy to be here. Thank you.
LO: Now, the elections are right around the corner. And we’re seeing a ton of news about the debates and the political part of it. But a big undercurrent that we’re seeing with this upcoming election is security and disinformation campaigns. So first of all, let’s set the context here for this upcoming election, in comparison to previous elections – what are the similarities that we’re seeing and the differences we’re seeing, going into November 2020, as opposed to 2016?
MO: I think we’re seeing far less active exploitation in 2020 than we saw in 2016. There’s a general agreement between the intelligence community and the security industry that there is not a lot of evidence of what we would traditionally think of “hacking” into election systems, election infrastructure, and what activity that we have seen is generally coinciding with activity you would see anywhere on the internet. So we think it’s just attempts that you would have just by virtue of being part of the internet, as opposed to being election specific.
What we do continue to see, as we saw in 2016, is a lot of disinformation, a lot of misinformation, both foreign and domestically sourced. And that is what does look like 2016.
LO: Mm hmm. Right. I feel like also, we’re seeing kind of the, the cyber criminal piece of all this, but I do think, you know, on a positive note that there is a lot more awareness, I feel like, personally from a news side, I’ve seen a lot more crackdown from Facebook and Twitter, and on different disinformation campaigns. And they’re being a lot more vocal about the fact that their platforms are being leveraged in this way. So I mean, I think that is kind of a good step forward. But on the other hand, as you mentioned, I mean, cybercriminals are also recognizing that this new awareness from social media platforms is happening, and they’re consequently kind of switching up their own tactics. Have you seen new techniques and new methods being utilized from the cybercriminal front?
MO: I haven’t haven’t seen a lot of differences, but I would echo your your understanding of that defensive difference between 2016 and 2020. Where across the board, both on misinformation, disinformation, and like traditional computer security issues, a great deal more awareness in the election community, but also in the general public.
LO: Right. Right. I think that’s a really good point to make. And taking a step back, I feel like the election cybersecurity problem that we’re facing is two forked in that we have election security, which impacts the infrastructure itself and kind of the security of election machines and whatnot. And then we also have disinformation. So, you know, looking at, as you say, this content that’s being spread and consumed online and on social media. So what would you say is kind of the the bigger issue that is facing the U.S. as we go into the presidential elections, at least for this year, of those two issues?
MO: Right, while I agree that they are they are separate in how to address them, those two in our assessment, those two kind of prongs of the problem are tightly coupled. So even in the 2016 operations, for example, the hack of the DNC, was in actions in order to further disinformation campaigns. So we see we see those kind of as two actions with a common kind of purpose. And so what we what we want, kind of everyday Americans to understand is that election security includes them. It isn’t something just for secretary of states and county auditors and board of elections depending on where you are, to worry about. It is something for each American who’s concerned about democracy to kind of to be concerned with. So everybody has a role in that. So disinformation currently, I would say, is the kind of the most prevalent, and the most pressing issue. But the solution for that has to come from better information hygiene from the public, better communication pathways from the federal, state and local governments. And in a general level of patience, so that if there is an issue that it can be resolved within the correct procedures that have been laid out.
LO: Right. And I know both Microsoft and Google TAG warned of attempted cyber attacks on both Trump and Biden’s campaign staffers earlier, I think it was earlier in June. So that’s an issue as well, I feel like there’s always kind of new incidents that are surfacing on the election security front.
MO: Yeah, I mean, you have to understand that the the point of election hacking and the point of disinformation campaigns isn’t to be successful with hacking or disinformation campaigns. These are politically motivated actions that are looking to achieve a political end. And so they will go after whatever mechanisms they feel will further those ends. And so campaign security is also a really important piece, and probably one of the most challenging pieces, because they’re temporary environments, they’re generally under-resourced and understaffed, they kind of come up real quickly and get turned down very quickly. And it’s difficult to build super-secure campaign infrastructure on a temporary, low budget method. So yeah, there are people in other countries whose job every day is to find a way to achieve the political ends. And they will go after campaigns, they will go after the election infrastructure, but ultimately, their goal is to go after the minds of the American people and their trust in the democratic institutions that we use to select our leaders.
LO: Right, right. And, kind of piggybacking off of that point, disinformation has really become more of an industry and much more sophisticated over the past few years, as I’m sure you’ve seen, and state sponsored threat groups are working, even with at this point, independent, third-party entities, who are private digital marketing companies, to engage in these global influencing operations. So it’s really become something that is a lot more of an industry here. And I know that Cisco Talos has done a ton of research into how that’s playing out and what that means. What’s kind of the impact there? And can you give us kind of a look into how this industry works?
MO: So when you talk to the researchers – disinformation is a pretty broad topic – but when you talk to the researchers who dug into the infrastructure components, they were really surprised to find this kind of emerging disinformation-as-a-service market. And there’s lots of companies globally, they carefully advertise their services, and they don’t come out and say, “Hey, we’re gonna mislead people and lie about stuff.” But ultimately, that is the service that they’re providing, an expertise in kind of dirty tricks.
And ultimately, I mean, that’s a kind of anathema to Western democracy, even though it’s kind of got a history, you have to have an informed electorate for this all to work. And they have to be informed by truths, not by mistruths.
LO: Right. And I feel like a lot of recent news stories that I’ve seen relating to election security, what attackers will do is they’ll compromise legitimate, news organizations or third-party websites, and they’ll input their own content into that. So it seems like they’re really taking steps to make their material more legitimate and really trying to kind of raise the bar there.
MO: Yeah, they done a lot like that, they’ve created their own news organizations to kind of run and then hope that those kind of news organizations, that traditional media will pick up their stories without doing a real good back check. But, you know, on the extreme end, certainly they could compromise these organizations and place stories. I think that generally is a less successful path for them because it’s something that you know, can ultimately kind of backfire, but they’re much more interested in kind of corrupting the information pathways to the public, by inserting these stories off at the fringes, at the low levels, in kind of the collective thought processes of people to get it to seep into traditional media, and then get it distributed more broadly.
LO: So switching gears for a second, I also wanted to ask you — you mentioned earlier about further awareness on the end of social-media consumers, and you also had mentioned the need for more awareness coming from the government in terms of relaying these threats and concerns. And I think that I’m curious if there is more of awareness on the side of the federal government and election vendors as well, because, for instance, in August voting machine maker Elections Systems and Software formally announced a vulnerability-disclosure policy. And I’m curious if that’s indicative of more awareness when it comes to infrastructure security, related to elections, or if we still have kind of a ways to go there in terms of the relationship between this industry and the security space.
MO: Yeah, so one of the things that we’ve been pretty consistent on our side is, we’ve been optimistic about elections in general, because we look at it as an industry. And what we’re seeing is a maturation of their security processes and understanding. And we’ve seen it before, we’ve seen it with companies that are now seen as security leaders in terms of folks like Adobe and Microsoft, where they had to come to an understanding of how to work with the security community, how to develop securely, how to apply resources to security, while still maintaining profitability. And, that takes time. And despite the fact that there’s people out there that have gone through it, and security experts, everything else, the industry itself has to come to those conclusions, ultimately, and learn those lessons for themselves. And so that’s what we’re seeing, we’re seeing an incredibly engaged election community that is truly aware of this of the threats and very keen to to dig in on security issues. In addition to the example you gave, the state of Ohio, Secretary of State’s office of Ohio, recently announced a disclosure policy for vulnerabilities. So that’s part of creating a safe space for experts to convey their their findings. And that’s important. And so part of what Ohio did was say, if you do these things, within the following very reasonable constraints, then you will not be subject to any kind of penalty. And so it creates a safe space for talented and motivated experts to examine those systems and then provide their findings back to the state. And it’ll be the same thing with the SNS. And those are important. And I hope that other other voting machine vendors are quick to follow their lead.
LO: This is obviously a very strange election year, we’ve got COVID-19, we’ve got PPP loans. And I think normally there would be a lot more, not just cybercriminal focus, but news focus — and a lot more focus on on the elections. But you know, we’ve also are in the middle of a pandemic here. And there’s a ton of other current events that are happening as well. Are you seeing the pandemic changing how cybercriminals are approaching election security? Have you seen any kind of notable differences this year between previous years? Or is it kind of the same as normal?
MO: I think it’s the same as normal. I think the difference is that you have more more folks working at home. I mean, where it’s affected the election is, you have states that are trying to very quickly change how votes are cast and counted. And any election security person you talk to, any election expert, will tell you that that mail-in voting can be done securely. What the challenge that we have now is that many states that haven’t traditionally relied heavily on mail-in voting are now having to turn to it, in a very compressed timeframe. That compressed timeframe is what’s challenging more than just about anything else. So that’s certainly the place where where the pandemic has had the most impact. But more broadly, there are certainly concerns about about actors, but I don’t see a a rush to do anything other than perhaps ride the the concerns about it and have custom spam that has COVID-19 themed messaging.
LO: Well, before we wrap up, I did want to ask, are there any future threats that you foresee that we need to look out for when it comes to election-security threats in the future? I know that there’s always emerging technologies and innovation – like deep fakes or whatnot – that are being leveraged by cybercriminals. What are you seeing, from your perspective?
MO: I have a pretty firm rule against making guesses about the future, just because a lot of folks have failed to make calls and what’s changed in the past. And I’m not special in that regard, either. What I would say as a kind of a closer instead is to reiterate that everybody has a role in election security. And that includes the election community who have gone that problem aggressively over the last four years; the public, which has largely adopted a more skeptical eye towards information as it comes out, for better or worse. But politicians also have a role, and they, they have to ensure that they are not handing victories to our adversaries. So they have to speak carefully. They have to reinforce the American democracy, and they have to work towards making sure that all voters understand that their votes are desired and welcome and will be counted properly.
LO: Right, well, I do appreciate kind of you ending this on a more positive note in terms of what we can do to better spread awareness and as we look at election security moving forward. So, Matt, thank you again for joining us today on Threatpost Now, to talk a little bit more about election security.
MO: It’s good to talk to you. Thank you.
LO: Great. And once again, this is Lindsey O’Donnell Welch with threat post. If you like what you heard today, please subscribe to our Threatpost YouTube channel. And if you have any comments or questions or your own thoughts and observations, please do leave a comment on our Threatpost YouTube page. Thanks again for tuning in to Threatpost Now.