As the pandemic hastens a cyberpunk future, hackers put democracy at risk
One year after 20,000 cybersecurity professionals gathered in Las Vegas for Black Hat USA, no one traveled to the city this time; convention center hallways were dark and the world felt more perilous than ever before.
Reflecting on a dystopian future described in a subgenre of science fiction known as “cyberpunk” in the 1980s, a somber Jeff Moss, Black Hat’s founder, opened this year’s all-digital event by capturing the state of computer security in a newly altered world.
“There will be two types of networks: those that respect rule of law and those that don’t,” Moss said. “Just like everything else, the pandemic has accelerated our cyberpunk future.”
Respect for the rule of law may become increasingly difficult if the technology industry cannot find a way to secure a leaky infrastructure. Although Black Hat was all-online this week, plenty of hacker mayhem ensued.
Satellite internet communications were proved easy to intercept using only $300 of off-the-shelf equipment. Healthcare robots used in hospitals to assist patients were found to be vulnerable to hijacking by cyberattackers. And researchers documented a carefully coordinated set of attacks by a Chinese group to steal valuable intellectual property from semiconductor manufacturing companies in Taiwan.
Focus on election meddling
However, keynote presentations on both days of the conference and three additional sessions this week highlighted a central question very much on the minds of a broad cross-section of the security community: Will November’s elections in the U.S. be secure?
From the standpoint of the country’s voting infrastructure itself, the answers ranged from “absolutely” to “good luck.”
Citing a dedicated focus on security by the U.S. government following attempts by Russia to hack voting machines in 2016, Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency, or CISA, indicated that intrusion detection systems in the form of “Albert monitors” had been installed across all 50 states.
“We have better visibility across the election sector than any other sector in the critical infrastructure space,” said Krebs. “2020 will be the most secure and protected election in U.S. history.”
However, security researcher Matt Blaze, in his keynote remarks on Wednesday, cast doubt on the ability of the U.S. to secure electronic voting machines throughout the country.
“Software ends up touching almost every component of a modern election,” Blaze said. “And software is really hard to secure.”
That said, Blaze, McDevitt Chair in Computer Science and Law at Georgetown University, cited two developments offering rays of hope that the issues surrounding election security could finally be improved. One was research from Ron Rivest, co-inventor of the RSA algorithm, that would prevent changes or flaws in software code from altering votes.
The other involved recent work by Philip Stark, professor of statistics at the University of California at Berkeley, that relied on “risk-limiting audits,” statistically modeled samplings of election results to ensure a tamper-free outcome.
Yet at least for an election that’s less than 100 days away, the current system is what the U.S. will use.
“Every piece of computerized voting technology so far has been terrible,” Blaze said. “This attack surface and range of threats in the voting model is very broad.”
Perhaps in response to concerns raised by Blaze and other security researchers, the nation’s largest provider of voting machine technology – Election Systems & Software Inc. – announced on Wednesday that it had implemented a vulnerability disclosure program and provided a “safe harbor” for researchers who found and notified the company of system bugs.
Working with researchers, the company had already uncovered and patched vulnerabilities in firewall ports and a QR code scanner, said Chris Wlaschin, vice president of systems security and chief information security officer at ES&S. One flaw in its web-based VoterView application was identified by a 17-year-old high school student.
“Researchers are not waiting for a policy to be put in place,” Wlaschin said. “They are actively working on election security issues and I’m proud to report that collaboration is working.” He added that crowdsourced penetration testing is in play at the state level.
Impact of social media
Efforts to shore up defenses in voting machine technology may provide increased confidence on election day, but there’s another perspective on the threat matrix that’s raising alarm bells among security professionals. Why go to the trouble to change tens of thousands of votes on a machine when it’s possible to affect tens of millions through social media?
In her keynote remarks on Thursday, Renee DiResta, research manager at the Stanford Internet Observatory, described how systematic disinformation campaigns by powerful nations using social media are alive and well in the U.S. Instead of voting machines, voters themselves are being hacked.
China has been especially active in the first half of 2020 to control the narrative around COVID-19, according to DiResta, with posts from fake news agencies and fictitious journalists praising China’s response and criticizing the U.S.
“It began this full-court press to hack public opinion with regard to COVID-19,” DiResta said. “They really didn’t do a very good job of getting people to pick up their content and amplify it. But this is a strategy it is now committed to and will likely be getting better at.”
More significant has been control of social media by Russia, which has followed a complex strategy designed not so much to make itself look good but to create narratives that distract and divide U.S. voters.
DiResta presented visual examples, gleaned from social media sites, such as a content source labeled “BlackMattersUS” that turned out to be run by a Russian contractor in the Soviet city of St. Petersburg.
“Its media outlets have fewer Facebook followers, only in the range of 39 million, but they have a lot more engagement,” DiResta said. “Russia is much better at segmenting their audience and creating custom content that plays into their narratives, entrenching and dividing their audiences. They are also better at picking the right types of media for the audience and social network, e.g. videos for young millennials.”
Will election meddling by nation states using social media affect the 2020 elections? The answer remains unclear, even among professional researchers such as DiResta and others within the security community. This is about fighting ghosts through every takedown of fake accounts on Twitter and Facebook, with no reliable way to prevent their return or measure the impact.
“False stories are internalized by real people,” DiResta said. “We can see how people are reacting to this stuff, but we can’t see how it changed hearts and minds.”