The old saying goes, “Fool me once, shame on you. Fool me twice, shame on me.”
When it comes to technology, the new saying is, “Hack me once, shame on me.”
That new saying isn’t entirely fair to technologists or technology users. Malicious cyber actors have continued to get more creative in their tactics to steal sensitive information or to create havoc.
Of course, you might still occasionally receive an email from a foreign prince who wants to transfer his millions to you if you’ll just give him your bank account information. But that trick is tired and obvious.
Cleverly disguising that email as being from someone you trust with something appealing, like a gift card or an award notification or a voice mail, something you want to click on, that’s the form they now take. Then after you click, just enter your bank account information and you can collect the prize. Shame on you.
Cyber criminals attempting to infiltrate networks and cause disruption operate with the same types of disguise. What may begin with an innocent looking email may end with a bad actor gaining access to a system or sensitive data. But sometimes, it doesn’t take a disguise at all.
In fact, most data breaches result from known unmitigated vulnerabilities. The person(s) responsible for securing data or a system knew they were vulnerable, but did not take steps to prevent the intrusion. By analogy, they checked the windows and the back door, but knew the front door was unlocked when they went upstairs to bed. Someone broke into their house. Shame on them.
It is well-documented that Russia and others attempted to influence the 2016 U.S. elections. It is also well-documented that not a single vote was changed. However, while actual intrusion into state election systems was largely unsuccessful, the bad actors succeeded in creating some confusion and distrust in the election processes. They compromised political email systems by trying a few “front doors” in other states and finding them unlocked. They also used social media platforms to disguise themselves as political or social entities to inflame conflict and sow discord. Shame on … who?
As a result of the efforts by nation state actors, the U.S. government declared elections as part of national “critical infrastructure,” along with our water systems, electric grid, nuclear power plants, financial/banking industry and health systems. The Patriot Act defines critical infrastructure as “systems and assets so vital to the U.S. that their incapacity or destruction would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” In short, that means everything surrounding elections in our country is now to be treated with the greatest level of sensitivity and protection.
Technologists have been identifying and implementing ways to secure networks and systems for decades. Election administrators have made exceptional progress with identifying and implementing ways to make elections more efficient, accurate and secure for the foreseeable future.
In the shadow of an increasing threat, with several aspects of the elections ecosystem employing some type of technology, both technologists and election administrators must now work cooperatively to ensure that ecosystem is protected. Central to that mission is determining who is responsible for protecting what.
Clearly, the U.S. government takes its role in protection quite seriously. It was recently reported that then-President Franklin D. Roosevelt staged somewhat of a “Doolittle’s Raid” in response to the Japanese attack on Pearl Harbor. In April of 1942, U.S. Army air forces bombed Tokyo and other locations to show American capability and boost morale. Similarly, during the 2018 midterm elections, U.S. Cyber Command disrupted a Russian internet troll farm in St. Petersburg to prevent Russia from spreading propaganda or disinformation aimed at undermining confidence in the midterm vote or the results of the U.S. election.
The West Virginia Secretary of State’s Office understands the gravity of elections being critical infrastructure. Secretary Warner has taken a leadership role in opening the lines of communication between state and local election officials, political parties, candidates and the media. The result is a developing culture of risk determination, cybersecurity awareness and incident response planning.
Secretary Warner also takes seriously the responsibility of his office to protect its systems and information, elections-related or otherwise. Another saying in technology is, “There are two kinds of companies: Those that have been hacked and those that don’t know they’ve been hacked.” According to data recently published by a noted computer security company, it takes an average of 19 minutes for Russian hackers to move throughout a network after initial penetration. That means detection is just as important as protection.
In the past two years, the Secretary of State’s Information Technology Division has enhanced the already advanced cyber-posture by adding a cybersecurity expert, whose sole focus is to act as a “cyber guard.” You don’t have to understand phishing filters, file hashes, vulnerability scans or threat tactics to understand that this person’s job is to determine whether all who “enter the house” are welcome. You also don’t have to understand rogue devices, intel sharing or malicious domain traffic to understand that this person checks to see if anyone has “entered the house” unwelcomed.
The voting population in our state bears a responsibility to be informed, aware and cautious when perpetuating any potential misinformation. They should also take comfort in knowing that their vote resides in a house where the windows are always checked and the doors are always locked.
If they’re not, shame on us.
David Tackett is the chief information officer and director of the information technology division for state Secretary of State Mac Warner.