How companies are amping up cybersecurity to prevent election meddling

Theresa Payton, CEO at Fortalice Solutions, discusses cybersecurity, election meddling, and Russia's involvement in 2016 US presidential election with CNET's Dan Patterson.

How companies are amping up cybersecurity to prevent election meddling

CNET's Dan Patterson interviewed Theresa Payton, CEO at Fortalice Solutions and former White House CSO, about cybersecurity and Russia's involvement in the 2016 US presidential election. The following is an edited transcript of the interview.

Campaign 2018: Election Hacking is a weekly series from TechRepublic sibling sites, CBS News & CNET, about the cyber-threats and vulnerabilities of the 2018 midterm election.

Dan Patterson: Theresa, help us understand the spectrum of threat actors, whether they're nation-states, oligarchs, private organizations, or even lone wolves. Help us understand the threat presented by each of these organizations.

Theresa Payton: Sure, absolutely. You sort of hit them all. Let's start with the lone wolves. The lone wolves could be they've got a cause that they really believe in, or maybe they have a cause they don't agree with that they see happening, and they wanna take matters into their own hands and either leverage fake personas or even their own persona to crowdsource and create flash mobs on social media and the internet. They may actually go a little further, though. They may decide to take it upon themselves to hack into election databases, websites, to try and create harm and create alarm by doing things through digital methods, but oftentimes those lone wolves are just that. They only get so far.

Now, if you move ahead and say, "Okay, now we wanna look at foreign state-sponsored syndicates," this is where it gets a little trickier because what we're finding is that individuals who may be state-trained by day, by the government or the military of a certain country, they may also be moonlighting at night to actually provide for their family because in many cases, their economy's not really that great and they wanna make an extra income. When we're looking at some of the digital tracks that are left behind, sometimes it is hard to discern. Is this a group acting out on their own? Is this a lone wolf? Or is this truly a state-sponsored, state-directed activity that's going on?

Then of course the oligarchs. What we have seen about the oligarchs as it relates to elections, as it relates to even just freedom on the internet, is they have no hesitation in pulling the internet plug and blocking certain forms of social media, certain search engines, certain news sites, most of which are headquartered in America, if they decide they don't like how they're being portrayed. They use it to actually usually not to meddle as much in other countries' elections, but to meddle within their own.

SEE: Network security policy template (Tech Pro Research)

Dan Patterson: If I understand you correctly, the knowledge and skills proliferate. They're not siloed within an organization or a physical munitions siloed within a silo.

Theresa Payton: Yeah, those capabilities, obviously, are the capabilities of the state-sponsored syndicates. They're highly trained, they're paid to do what they do. They have directives, they have units. Obviously those tend to be a lot more sophisticated, but a lot of the techniques and tactics that they use, some of those are readily available for purchase on the dark web. Some of them are talked about in the open on the web that you and I are on every day transacting business. It might be on GitHub, it might be on Reddit, these different social sites. There may be hints of it on social media, such as Facebook and Instagram and Twitter.

Then you follow these links along and you can actually find your way to buying whatever it is wanna buy. You wanna buy a distributed denial of service attack against a state website for registering for the election? Go ahead. If you want to actually get user IDs and passwords and maybe you think they might be working on a particular political campaign, you can buy them. All of those things are available, those tactics are available, for a price and you'd be surprised to see how inexpensive sometimes those methods actually are.

SEE: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)

Dan Patterson: When we look at the state actors that are heavily involved in cyber, obviously every state is involved in one way or another, but we're particularly looking at Russia, China, Iran, North Korea. When you rank those in terms of cyber capabilities, which ones are most concerning to elections in the west?

Theresa Payton: As it relates to elections in the west, this is interesting, too. Some of the disagreements with the US and her allies tend to make strange bedfellows as it relates to other countries deciding to get along. You may see more collaboration across Russia and Iran, North Korea and China in some regards, because of these unholy alliances that come about as it relates to trying to get back at the US and her allies.

As it relates to the election meddling itself, Russia clearly had the platinum playbook for election meddling that went everything from hacking into campaigns, hacking into servers, trying to actually do damage to voter registration databases, as well as social media manipulation. They clearly had that playbook. But what we have seen, which is incredibly concerning, is you had these other countries, Iran, North Korea, and China, pay attention, take notice, see what they got away with, and we're now starting to see them flex their muscle as it relates to misinformation, disinformation, and manipulation campaigns.

Facebook just announced that they shut down fake personas that they tied back to Iran and these fake personas were stoking the social sentiment as well as, potentially, stoking issues that are gonna be important not only in the midterms, but in the next presidential election cycle.

SEE: Cybersecurity spotlight: The ransomware battle (Tech Pro Research)

Dan Patterson: I wanna circle back to those personas, influence campaigns, and fake accounts in just a moment. First let's talk about software. You mentioned a moment ago databases.

Theresa Payton: Mm-hmm (affirmative).

Dan Patterson: How vulnerable are voter registration databases, even databases that have nothing to do necessarily with voter registration, but contain consumer information that may be sensitive and tied to other databases compiled? What about JavaScript and other things that power the consumer web that we use every day?

Theresa Payton: Here's one of the things that I do want people to take away from this. A lot of lessons were learned. I'm not saying we had enough time to fix them all, but coming out of 2016 and the meddling that was seen and the forensics that were done by law enforcement and the states themselves who control the election process, whether it's the federal or a local election, it's really controlled by the states. A lot of good work has gone into place. DHS has visited most of the states. The states are talking to each other and they're sharing information on a level they didn't before. We're out of time and they've done the best they can, but a lot of good work has been done.

SEE: Cybersecurity and the 2018 Midterms (TechRepublic Flipboard magazine)

But as it relates to- Let's talk about, you mentioned the JavaScript which powers most of the consumer web that everybody knows and loves today, but it also means that your local and state election authorities, when you go there to find out what precincts are open, maybe you're requesting a form to change the party you're affiliated with or to change your address so you're registered to the right precinct for voting, you could in effect be visiting a site that could be infected. It could have vulnerabilities. It could be leading your information to the wrong place.

We then have the issue of your MI data has been hacked so many times in so many different ways across multiple organizations, one of the largest notably, not to pick on them, was Equifax, and a lot of that information that's in there is information that could be used to register you to vote. It's everything that you would need. It's your last addresses, your mother's maiden name, and a lot of things about you that could be used to guess that your party affiliation most likely would be, and then use that information to vote.

SEE: Security awareness and training policy (Tech Pro Research)

Then we go back to the actual databases themselves. We know that the state of Illinois actually had a problem in the summer leading up to the presidential elections and they actually had to take the database offline just to make sure everything was good. We know that over 15 voter registration databases were targeted. That doesn't mean anything bad happened, but they were targeted and these were confirmed targets.

Now, what are some things people could do? People might say, "Well, I'm already under identity theft credit monitoring, what's the worst thing that could happen?" What if you show up to vote and you're told you're not in the database? What if your record was deleted? That's voter suppression. What if records are added for people who aren't legitimate voters? Now you cast doubt as to whether or not the person who won is the rightful winner. We can't afford to have that happen.

I mean, our elections are considered some of the most free and open, democratic elections in the world. We're considered one of the role models and that's why we have to vigorously defend these websites. We need to be looking at all the vulnerabilities, whether it's in the JavaScript or the actual way the websites are created. We have to be looking at these voter registration databases and making sure they are truly under monitoring and locked down.

Also see