Is your phone or smart home device spying on you? Picks of the Week
Are your sensors spying on you? | Science Daily
Technology is infused in our modern life. Attempts at attaining perspective often fall to historical comparisons. Images frequently circulate of warehouse-sized computers from the 1960s which can hardly compare to the computer power, size, speed, and functionality that even a low-end smartphone possess today. Much has been written on the blistering pace this technological infusion has taken since those early images. Innovation in the technology sector barrels forward. For a short golden age, we marveled at the change, the improvements in our daily lives, and the increase in efficiency, productivity, and global reach that technology afforded us. Yet, in our haste to constantly deploy new technology, masked in a liberative utopian narrative, we may have missed a shift. A slope downward from our zenith. The host of new technology, now pervading almost every aspect of our lives, paired with our physical proximity to all those technologies and connected devices and sensors, creates a variety of privacy and security problems.
A smartphone is a patchwork of technology. Complementing the most obvious sensors (e.g., touch screens, microphones, cameras), smartphones have also Global Position System (GPS) connections, accelerometers, gyroscopes and orientation sensors, bluetooth, light sensors, and Near Field Communication (NFC) to name just a few. Culturally, we have acclimated to living with smartphones in our hands for an average of ~9 hours a day. The constant connection and instant feedback this miniaturized computer affords us creates a bargain: we must provide our phones the information it asks for and allow it to “follow” us around. When installing any smartphone application, the app will proposition a phone for permissions, asking the phone for the ability to interface with sensors on board. Most users do not read the permissions when installing an app, and even if they did and wanted to refuse any part of it, they would not be able to install the app. Some of the sensors built in those devices do not even require permissions to access the data on the phone. While using our smartphones for simple tasks, a number of apps interface with a multitude of sensors in any given moment. Recently, researchers in the United Kingdom revealed the ease with which malicious websites, as well as installed apps and built-in sensors, can spy on us and be exploited by hackers, in one case using the orientation sensor (the sensor phones use to calculate which way it is facing) to crack the pin number of the user. Despite the variety of cyber threats these vulnerabilities expose us to from phishing attacks to identity theft, research shows that people are unaware of the risks and most of us have little idea what the majority of the 25+ different sensors available on current smartphones do.
Our closeness with technology has expanded outward from our pockets and personal computers. The rush has served to saturate the “real world” with Internet-enabled devices. Recent events have highlighted the potential danger of our increased reliance on technology, and media reports have highlighted a series of vulnerabilities in popular consumer-oriented, Internet-connected light bulbs, DVRs, thermostats, security cameras and GPS trackers. In October, hundreds of thousands of insecure IoT devices were used to launch a large-scale distributed denial of service (DDoS) attack on the Domain Name Service host “Dyn” interrupted service for swaths of the Internet. The attack is believed to have launched from compromised “Internet of Things”(IoT) enabled devices, like DVRs, cameras, and baby monitors. Other IoT devices like Amazon’s Echo and Alexa have come under intense scrutiny over concerns of information collection and utilization. Records collected by Alexa are stored by Amazon and have often been subpoenaed by law enforcement, and Alexa records have even been sought as evidence in at least one murder case.
The metaphor used ad nauseum of our current situation is Jeremy Bentham’s panopticon, a circular prison in which a guard can watch all prisoners but the prisoners are never sure if they are being watched. For Bentham, the possibility of always being watched would keep the prisoners behaved. In the modern world, we are always being watched but, unlike Bentham’s prisoners, we are not held in a prison cell. To keep ahead of these developments at best appears overwhelming, and at the worst sisyphean. Privacy, as we conceived by modern society, may be on the path to extinction, but as consumers we can hold on to modicums. Paying attention to the permission requests of apps on your smartphone, reading carefully the functionality of new devices purchased, checking what purchases require an Internet connection, only installing applications from approved app stores, and keeping our phone operating system and apps up-to-date can be effective steps to preserve those remaining fragments of privacy and certainly increase our security online. Encouraging awareness and piecemeal observations may seem a lackluster solution, but it requires a necessary self-reflection on the intent and purposiveness of our technology, and the nature of our increasingly connected society and ‘always on’ devices. – Francesca Spidalieri and Francis Quigley
More Women Needed to Close the Cybersecurity Workforce Gap: Picks of the Week
The 2017 Global Information Security Workforce Study: Women in Cybersecurity | Center for Cyber Safety and Education, (ISC)2, and the Executive Women’s Forum
No Woman’s Land: Cybersecurity Industry Suffers from Gender Imbalance, Discrimination | Law.com
Women May be the Key to Unlocking Cybersecurity Workforce Deficit Puzzle | Bloomberg
Information security demand is far outpacing the supply of knowledgeable and experienced cybersecurity professionals capable of addressing the numerous cyber threats that the modern world is faced with. The widening gap between the burgeoning demand for cybersecurity talent and the supply of a professional workforce has been a common theme throughout my studies in the past few years. As I wrote before, the shortage of a highly trained cybersecurity workforce can be felt across all sectors, from the federal government to Fortune 500 companies, with potentially negative consequences for national security and the global economy. Over 209,000 cybersecurity jobs are currently estimated to be vacant in the United States alone, with the number predicted to rise to 1.8 million globally by 2022.
The tech and cybersecurity industries are among the most in-demand, profitable, and critical fields in modern history. But, although cybersecurity professionals are in great demand and can command impressive salaries, there is still a critical shortage of talent worldwide and, in particular, of women – who represent an astonishingly low number of current professionals in the field and who face a much harder path to reach the upper echelons of the corporate world.
According to a new report, while women represent 43% of the global workforce, they only fill 11% of cybersecurity positions. The newly released Women in Cybersecurity workforce study, published by the Executive Women’s Forum on Information Security, Risk Management and Privacy (EWF), and the Center for Cyber Safety and Education, sheds light on the persistent challenges that women face when entering this growing field due to wage gaps, missed or delayed promotions, and discrimination. The study surveyed over 19,000 information security professionals from 170 nations.
As the Lynn Terwoerds, EWF Executive Director, said in a press release: “the under-representation and under-utilization of female talent is both a critical business issue and a hindrance to the development of world-class cybersecurity organizations and resilient companies, as well as the overall safety and protection of our country.” The new report found also that women in cybersecurity earn less money than men at every level, are four times less likely to hold executive positions, and are nine times less likely to hold managerial roles, despite having higher levels of education and certification than men (half of the women surveyed held a master’s degree or higher, compared to 45% of men).
The shortage of cybersecurity professionals, and especially women, is often exacerbated by a lack of objectivity and consistency in competency models and measurements to ensure men and women are entering and moving up in the industry equally, and by unconscious and conscious biases present all the way through the recruiting and hiring performance evaluations. These endemic aspects are compounded by a lack of clarity in job descriptions, competing professional certifications, and multiple different training and education standards, which in turn make it harder for organizations to properly identify, recruit, place, and manage the cybersecurity workforce they need.
Solving complex problems, such as preventing, responding to, and mitigating sophisticated cyber threats, requires diverse experiences, different talents and backgrounds, and many ways of thinking. We cannot expect to close the widening gap between supply and demand of cybersecurity professionals without including more women and minorities, so diversity has to be part of the solution.
While no single panacea exists to attract more women to this growing field and to close the workforce gap to equilibrium, organizations in both the public and private sector can start by focusing on developing programs to further educate and retain their existing workforce. This include: ensuring that all staff is regularly trained and tested so that they understand and fully appreciate their role in maintaining a strong cybersecurity posture; providing employees with opportunities to connect with mentors within and outside of the organization to help navigate some of the perceived or actual barriers and to further develop their skills; offering other incentives such as flexible work hours and paid maternity leaves; and addressing the wage disparity issues by establishing clear pay structures based on merit and movement through the profession. Leadership, sponsorship, and skill development programs can also help build the pipeline, since women who’ve completed these programs report feeling more valued in their organizations, according to the study. Other effective mechanisms that can help organizations identify, recruit, manage, and retain cybersecurity professionals, including women and minorities, include: taking a proactive role in promoting gender diversity in the cybersecurity field; looking at the universities that have higher percentages of women and minorities participating in cybersecurity or related programs and recruiting from these institutions; joining other recruiting alliances that promote workforce diversity; placing increased value on real-world experience (versus solely qualifications); and establishing an employee referral program to recruit talented and trusted cybersecurity professionals from employees’ personal networks (e.g. universities, professional associations).
Addressing the critical pipeline issue of women in the cybersecurity workforce, however, has to start at the leadership level. Senior leaders need to commit to reversing this trend — from our universities to our board rooms — and working to create a workforce with a diversity of thoughts, genders, and backgrounds before the issue becomes irreversible. – Senior Fellow Francesca Spidalieri
Trump, Twitter, and the Tide of Cybersecurity: Picks of the Week
Obama officials: There is hope for cybersecurity under Trump | The Christian Science Monitor
The Rules of the Brave New Cyberworld | Foreign Policy
This year’s RSA Conference—one of the largest cybersecurity conferences in the world—broke attendance records with over 40,000 participants, including cyber professionals, academics, and public servants. Although the conference has historically been focused primarily on security tools and technologies, it has increasingly attracted policy-makers and government officials as both attendees and keynote speakers in an effort to obtain the government’s views on cybersecurity, to facilitate government interaction with cyber experts, and to encourage the tech industry to work collaboratively with the government.
Markedly absent from the crowd this year, however, were officials from the Trump Administration.
While no one from the current administration appeared to be in attendance, the impact of ‘cyber insecurity’ on government was widely discussed, as many panels and side events explored cybersecurity policy and government responses to cyber attacks. A leaked draft of an executive order on cybersecurity provided the fodder for much of the discussion, however the order itself has been in limbo as the Trump Administration remains entangled in controversy around its other executive orders and actions.
The leaked draft of the executive order on cybersecurity received mixed responses from the community of cyber professionals and industry experts, largely because there was not much in it beyond past policies established by the Obama administration, and a request for federal agencies to report back to the White House within 60 to 180 days.
In the meantime, there is an increasing push in Congress for a full investigation over the alleged Russian meddling in the 2016 presidential election. The Trump Administration’s plans to improve U.S. cybersecurity for the government and the private sector—or to commit to any sort of norms of state behavior in cyberspace—remain unclear. On the campaign trail, Mr. Trump had vowed to make cybersecurity a top priority if he were elected, and even promised comprehensive reports from intelligence officers on hacking by foreign actors.
The reality of governing has seemed to transcend the promises of the campaign trail, however, as cybersecurity appears to have taken a backseat to other issues facing the Trump Administration. Some of the participants at the RSA conference, such as Virginia State Governor Terry McAuliffe, suggested that instead of waiting for the federal government to act, it might be up to the states to assume a larger role in promoting cybersecurity. Indeed, as I have argued before, states cannot wait for the federal government to provide all responses and solutions before taking action, and they must start developing comprehensive strategies to strengthen their cybersecurity posture, improve their cyber resilience, and ensure that their citizens can rely on safe and secure Internet connectivity.
In an effort to address cybersecurity headwinds, various committees, think tanks, and experts have published a variety of policy proposals and reports in recent months for the Trump Administration to consider, and have emphasized that the new president begins his tenure at a time of considerable cyber risk to the U.S. government and businesses, and a growing public awareness of these issues.
As cyber threats continue to grow in scope, volume, and sophistication, however, there are relatively few indications as to how the Trump Administration will approach the significant cybersecurity challenges that the government will need to address both domestically and internationally, and how it will prioritize competing interests. It remains to be seen how an administration highly skeptical of active government regulation will contend with a problem that, because of its scope, will likely require the federal government to take a leading role. It also remains unclear whether the President’s use of Twitter will eventually bring cybersecurity issues to the forefront.
Data Privacy Day: How to Protect Yourself and Your Organization Online: Picks of the Week
Americans and Cybersecurity | Pew Research Center
Data Privacy Day: know the risks of Amazon Alexa and Google Home | Naked Security
Today is Data Privacy Day (DPD), an international effort held annually to raise awareness about data privacy and promote data protection best practices. This event is celebrated every year on January 28th in commemoration of the signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. Across the country and around the globe, organizations like the Pell Center at Salve Regina University have held DPD events throughout the week aimed at raising consumer and corporate awareness about data privacy issues, including the Internet of Things (IoT), data breach security, identity protection, and sophisticated new cyber threats.
While this year’s theme is focused on Respecting Privacy, Safeguarding Data, and Enabling Trust, many of the discussions around the country have centered around the implications of IoT devices – from fitness trackers to cars, smart TVs, baby monitors, children’s toys and any other device that is being connected to the Internet – on security and privacy. The sensors embedded in these devices and their deep penetration into people’s lives, businesses, and homes enable them to listen to our conversations and collect incredibly private data about individuals and organizations, which in turn could be used to quickly triangulate people’s identity from mere fragments of data, exposing our lives to a variety of cyber threats. Indeed, while the IoT allows for virtually endless opportunities and connections to take place – many of which we haven’t even thought of today – experts from tech companies, watchdog organizations, and universities agree that these devices also open up more avenues for companies, hackers, and governments to violate our privacy.
With new data breaches emerging daily and an increased use of information as a tool of political warfare, individuals and organizations should take advantage of every opportunity to discuss the importance of protecting personal data and empowering leaders to take better actions to safeguard information and digital assets. Ensuring the integrity of data and controlling its use is critical to maintaining trust not only in private companies, but in public institutions and government leaders’ ability to make decisions. This not only means having the right policies and security solutions in place, but also making sure everyone in every given organization that comes into contact with confidential data knows how to protect it. Organizations should recognize that data privacy starts with the individual users and that employees can actually become the first line of defense if they receive proper training and know what they can do to not only protect their organization, but also protect their own personal information. As many of the events hosted throughout the week – including at the Pell Center – reminded us, holding regular data privacy and cybersecurity seminars and trainings for employees can serve to develop a culture of security and privacy across the entire enterprise, communicate internal cybersecurity policies and procedures, address specific security and privacy issues, and remind everybody of their fundamental role in maintaining an organization’s strong cybersecurity posture.
Basic tips for any individual to be safer online include locking down logins, adopting dual-factor authentication, making sure all Internet-connected devices are up to date, and if something looks suspicious, deleting it instead of clicking on it or opening an attachment. A few other recommendations include:
- Share with care – What you post can last a lifetime: Any information you share online can easily be copied and is almost impossible to take back.
- Personal information is like money. Value it. Protect it.: Information such as your online purchases, web searches, and contact lists has value ‒ just like money. Understand the value of your information and be more selective with the information you provide to apps and websites.
- Post only about others as you would like to have them post about you: Remember the golden rule and that it applies online as well. What you post online can positively or negatively impact other people.
- Own your online presence: Review your privacy and security settings on your apps, games, and social media platforms.
- Don’t connect sensitive accounts to your smart home devices (e.g. Echo, Alexa) and mute them when not in use: The mute/unmute button is right on top of the device. The “always listening” microphone will shut off until you’re ready to turn it back on.
- Stay current. Keep pace with new ways to stay safe online: Keep up with new technology and ways to manage privacy. Visit staysafeonline.org or other trusted websites for the latest information about ways to stay safe online.
Raising visibility of initiatives like DPD and spurring ongoing discussions will help to maintain global awareness, even as single celebrations and cybersecurity headlines fade from the front page. While recent research shows that half of Americans feel that their personal information is actually less secure than it was 5 years ago, the hope is that efforts like Data Privacy Day continue to increase individuals’ awareness about safeguarding their own privacy and highlight why it’s important for nations, organizations, and people to be responsible data stewards.
Will 2017 finally be the year of cybersecurity? Picks of the Week
Cybersecurity stories dominated the headlines in 2016, so it is unsurprising that new reports and many cybersecurity experts claim that 2017 will see continued nation-state cyber attacks, bigger and more damaging data breaches, targeted ransomware and Distributed Denial-of-Service (DDoS) attacks, and longer downtime and increased financial costs caused by successful attacks.
Organizations in both the public and private sectors strengthened or launched new cybersecurity initiatives in the past year, including addressing issues such as endpoint security, cloud security, cybersecurity funding, security controls, and cybersecurity staffing. This is important because 2016 was a year of unprecedented cyber attacks and massive data breaches, from the high-profile hacks of Democratic political organizations by the Russian government in an attempt to discredit American democracy and interfere with the US election, to the mega breaches that plagued Yahoo, LinkedIn, and numerous others (compromising millions of personally identifiable information and other sensitive data in the process), to cyber disruption involving critical infrastructure services such as the attack on the Ukrainian power grid by Russian hackers, to blackmarket ransomware and DDoS attacks that can take control of critical IT systems and then leverage it for extortion.
Much of what we saw in 2016 will evolve in complexity, scope, and sophistication in 2017. Cybercriminals will continue following the money trail, with ransomware and DDoS attacks becoming more widespread and increasing in scope and severity. Hackers will continue finding new vulnerabilities to exploit and ways to evade detection systems. Nation-states will increasingly rely on cyber espionage and cyber warfare as instruments of state power in order to gain an advantage on the battlefield, infiltrate and manipulate critical infrastructure services, such as the case with the Ukrainian power grid, and coerce adversaries toward a desired outcome. At the same time, U.S. and international law have not kept pace with technological innovation and enforcement of existing laws in cyberspace is intrinsically difficult, with some countries still refusing to cooperate in prosecuting cybercriminals.
We’re now at a tipping point in the digital age and the Internet economy: as we continue to adopt the Internet of Things (IoT), embed connected devices into all our essential services and every part of our lives, and rely more than ever on technologies that are inherently insecure, we’re also becoming increasingly less resilient and exponentially more vulnerable to cyber attacks.
Cybersecurity is not a new problem, nor is it a unique concern to world powers, large companies, or specific sectors. Despite an exponential increase in attention and awareness about cybersecurity and much activity on the international stage and within government to tackle these issues over the last decade, we are still at risk (and increasingly so!) and much is left for governments and organizations around the world to do to ensure a secure and stable digital environment that promotes innovation and supports continued economic growth, while also protecting personal freedoms and national security.
A new report released this week by the Center for Strategic and International Studies (CSIS) addresses these specific issues and provides detailed recommendations for the next administration to strengthen the cybersecurity posture of the United States. The CSIS Cyber Policy Task Force behind the report included members of Congress and identified specific policies, organizational improvements, and resources needed for progress in this challenging area. The report, titled “From Awareness to Action: A Cybersecurity Agenda for the 45th President,” builds on the report published in 2009 by the Commission on Cybersecurity for the 44th Presidency – a foundational document for creating a strategic approach to cybersecurity – and follows the December report of the Commission on Enhancing National Cybersecurity, established by President Barack Obama in February 2016. Two of its widest-ranging recommendations included the creation of an appointed post of assistant to the president for cybersecurity and the establishment of a new program to consolidate all civilian agencies’ networks into a single network. CSIS’s report included the first, but not the second.
As Sen. Sheldon Whitehouse (D-RI), Ranking Member of the Senate Judiciary Subcommittee on Crime and Terrorism who served as co-chair of the CSIS Cyber Policy Task Force, said upon the release of the report, “this past election has proven just how important it is for the President-elect and his national security team to appreciate the scope and the severity of the cyber threat.” Building on strategies the Obama’s administration established, the CSIS report recommends that the next administration improves and reorganizes oversight authorities, elevates the role of the White House cybersecurity coordinator, establishes an independent cyber agency within DHS and a Division of Data Protection within the Federal Trade Commission, clarifies the cyber defense roles of civilian and military agencies, better secures critical infrastructure and services, and works closely with allies against common cyber threats.
Although President-elect Trump continues to express skepticism about the Russian government’s attempt to orchestrate pre-election cyber attacks to undermine the U.S. democratic process and has yet to offer details about his cybersecurity priorities and agenda, this report will hopefully provide a blueprint for the next administration to follow since one of its key authors, Karen Evans, is now a member of the Trump transition team.
Will 2017 finally be the year of increased cybersecurity? And what will it take?
Don’t Get Grinched by Cybercrime During the Holiday Season: Picks of the Week
“5 Ways Retailers Can Stay Safe Over the Holidays” – Dark Readings
The holiday shopping season is about to get into full swing and retailers are gearing up for another record season of online sales. Research group eMarketer expects that online retail sales will bring in at least $94 billion – or 10.7% of the total retail sales – from now until the end of the holidays, a 17.2% increase in online sales from last year.
But as millions of consumers pick up their smartphones and tablets to go holiday shopping and flock the Internet as their preferred, convenient “one-stop-shop” for all gift-buying needs, hackers and cyber criminals are not too far behind… In fact, this is prime cybercrime season for digital crooks timing their phishing emails, malicious links, and other online scams and attacks to Black Friday, Cyber Monday, and through the rest of the holiday season. They prey on the naiveté of shoppers looking to score a holiday deal or take advantage of a special reward to trick them into downloading malware, giving up login credentials and credit card information, or send payments to bogus sites.
Consumers and retailers alike should be prepared for an even higher risk of online fraud and social engineering scams across all channels than in past years. A new report from cybersecurity company Kaspersky Lab shows that the number of online attacks during this high sales season is 9% higher than the average number of attacks that happen during other months of the year, and 2016 is on track to be a record season for online sales… and online scams!
While security experts continue to work to find possible solutions against the latest malware and scam techniques, here are some of my yearly tips on how to protect yourself from online Grinches this holiday season:
- Before, during, and after the holidays, keep an eye on your bank and credit card accounts for signs of suspicious activity, mystery charges, or “micro-charges” – Hackers often test cards to see if they are valid by charging small amounts of $1 or $2. If those cards are found to be valid, they can then sell them to other crooks for a premium. If you notice any unauthorized charges, immediately contact your bank.
- Buy only from reputable merchants and recognized websites – Be wary of emails and pop-up messages asking for your password, credit card number, or personal information. No established business would ask consumers to disclose such information via email or pop-up. Do not reply or click on the links in these messages as they may take you to copycat malicious websites. Instead, look for the ‘HTTPS’ in the address bar of your online retailer and check the specific email address and domain name of the sites to make sure it’s really from the retailer and not a close derivative. If in doubt, contact the legitimate organization directly to verify authenticity.
- Be aware of fake commerce apps – Download apps only from Google and Apple official app stores – which have more rigid requirements for banning malicious apps – and be skeptical of apps that ask for suspicious permissions like access to contacts, text messages, stored password, or credit card information.
- Avoid “free Wi-Fi networks” – Don’t use public Wi-Fi networks, especially when using your phone for banking and e-commerce. Personal and banking information should never be sent through unsecured wireless connections in public places. Get you Starbucks Peppermint Mocha and don’t stay for the free Internet!
- Be skeptical of deals that sound too good to be true – Do not fall for rock bottom bargains unless you make certain they are legitimate by contacting the merchant and asking questions before making a purchase. If a deal seems too good to be true, it probably is!
- Be alert for potential charity donation scams – Think before clicking on emails requesting donations. Make a contribution by navigating to the trusted web address of the charity, never through a link in an email.
- Use strong passwords and dual-factor authentication – Create long, complex passwords using upper and lower-case letters, special characters, and numbers, and use a different one for each online account. Various password management programs (1Password, KeePass, or LastPass) exist to help you manage your various passwords so that you are not overwhelmed. These programs are safe and secure, and they can generate hard-to-crack passwords for you.
- Do not send cash or wire money for payment – Pay with a credit card or, even better, gift/charge card. The best option is to keep a separate credit card for online purchases.
- Secure your computer and mobile devices – Update your devices to the most current operating system and keep your anti-virus and anti-spyware software up to date, along with your firewall. They will help monitor all online activities and protect your devices from viruses, worms, Trojan horses, and other types of malicious programs.
Some additional tips on how to protect your company from cyber threats and strengthen your overall cybersecurity posture:
- Protect your organization’s endpoints and servers – Scan your organization’s network environment for threats that may have been lurking for several months before surfacing as a malicious attack during the holidays. Harden your servers with good access control and security tools such as antivirus and antimalware software, and run frequent patches and updates. Consider advanced endpoint threat prevention tools that protect memory from experiencing distributed denial-of-service (DDoS) attacks and other complex advanced threats.
- Train your organization’s workforce – Before the holiday season starts, make sure all your employees receive at least some basic training in cybersecurity and cyber hygiene, and create an environment where they feel comfortable coming to managers if they see any suspicious emails or files.
- Have a documented and tested incident response plan in place – Make sure your employees know what to do and who to contact if they see something suspicious, and establish clear roles and responsibilities before a serious breach happens. The incident response plan should be regularly exercised and updated.
- Create a culture of security that starts from the top – if management is committed to a culture and environment that embraces honesty, integrity, security, and ethics, employees are more likely to uphold those same values. Cybersecurity is a shared responsibility!
Can the Vote Really Be Hacked? Picks of the Week
How Clinton, Trump Could Champion Cybersecurity | Dark Reading
Although we are aware of the efforts by the Russian government to discredit American democracy and interfere with the election, the chance that a malicious actor can carry out a hack that would change the outcome of the presidential election seems virtually impossible. Nonetheless, the recent high-profile hacks of Democratic political organizations and states’ voter registration databases by Russian hackers have already achieved the desired effect of sowing at least some doubts about the integrity of the US election, a concept reinforced repeatedly by Republican nominee Donald Trump in his proclamations that the election is “rigged.”
Skeptics have dismissed those concerns based on the fact that the electoral system is a decentralized system managed at the state and local levels, and that the voting machines themselves – which are what voters will use to cast their ballots – are standalone systems that are not connected to the Internet. Unlike state voter registration systems that have been hacked or probed in past weeks, the actual voting machines would be much harder to hack remotely and the probability of hacking at the polls remains low. The election may still be manipulated, however, through other cyber means such as bribing a machine operator to inject malicious software, rewriting software to change the way that votes are counted or tabulated, manipulating other weak points in the system, or directly exploiting a vulnerability in the machine’s software. So, if the question is, ‘Is it possible to hack the vote?’, the answer is yes, definitely!
Moreover, research shows that the technology behind most voting machines is grossly outdated – 43 states have voting machines that are at least a decade old – and that many of those machines are so riddled with vulnerabilities that almost anyone with rudimentary technical skills could break into them in order to corrupt voting results. And most states don’t have the funding to upgrade their equipment, which in turn doesn’t motivate technology providers to innovate those systems.
In addition to legacy systems and outdated technology, another concern with voting machines is that some of them don’t have any form of paper trail. Over the past few years, almost all states have moved to using paper ballots or electronic voting systems that maintain a verifiable paper audit trail of the ballots. Five states (Delaware, Georgia, Louisiana, New Jersey, and South Carolina), however, use completely paperless voting systems. If even one of the voting machines in those jurisdictions is hacked, or malfunctions, or if concerns arise about the legitimacy of a county or state’s election results, there is no independent means to audit individual votes in those particular precincts. Other states, including Pennsylvania, Virginia, Kentucky, and Tennessee, use a combination of paper ballots and paperless voting systems, depending on the jurisdiction. The concern with paperless systems is that they do not offer the same solid audit trail that a paper ballot does, and would make it much harder to prove with absolute certainty that votes were recorded as cast. Additionally, 31 states allow Internet voting, which could in principle be intercepted and subverted by a sophisticated hacker. Fortunately, most states that allow online voting restrict it to military and overseas residents or citizens with disabilities only. Many states also require voters to mail in paper ballots separately. Only Alaska allows for any registered voter to ask for and submit ballots electronically.
Another threat to the ballot box would be if hackers were able to delete voters from the database entirely, meaning when they arrived at the polls, their names wouldn’t appear in the system. In this case, however, voters could still cast a provisional ballot and then follow up to verify their registration in the days following the election. The process would be tedious, but not prohibitive.
While public officials continue to reassure us that the idea that someone could actually hack in any meaningful way into the election system so as to skew the result of the presidential election is far-fetched, rumors of hacking – even if not successful – or even one small case of electronic tampering or manipulation on November 8 could seriously undermine confidence in the election and play into a losing politician’s claim that the election was “rigged.”
So, what can citizens, state administrators, and federal officials do to ensure the confidentiality and integrity of these elections?
State boards of elections and law enforcement officials have been hard at work to safeguard elections, and the Department of Homeland Security is working with election officials to monitor suspected breaches on voting systems and bolster security in general. In particular, election officials should continue to implement proper security controls, scan all systems for flaws, test all equipment prior to the election, assure a chain of custody for voter records, maintain up-to-date master files of voter records separate from the public facing online system, put adequate physical security measures in place to prevent unauthorized access, and introduce contingency measures in case of equipment failure.
As a citizen, if you see anything suspicious such as signs of tampering with voting machines or any sort of intimidation of voters, you should alert local authority and election observers available at all the polling locations. In addition, you should carry your voter registration card and be reassured that most states keep also frequently updated back-up copies of voting rolls offline or in hard copy. Those back-ups could be used to rectify any wrong changes made by malicious actors.
– Francesca Spidalieri, Senior Fellow for Cyber Leadership
Championing Cybersecurity Awareness Month: Picks of the Week
Presidential Proclamation – National Cybersecurity Awareness Month, 2016 | The White House
October marks National Cyber Security Awareness Month (NCSAM) – a time when participating governments and organizations come together to raise public awareness about cybersecurity, provide citizens and businesses alike with tools and resources needed to stay safe online, and increase the Nation’s resilience in the event of a cyber incident.
NCSAM is a coordinated effort of the National Cyber Security Alliance (NCSA), the U.S. Department of Homeland Security (DHS), the Multi-State Information Sharing and Analysis Center (MSISAC), as well as companies, schools, and nonprofit organizations around the country. This year, the stakes are higher than ever: over 169 million personal records were exposed in the US in 2015 alone and, so far, 22% more breaches have been reported this year. The average cost of a data breach has risen to $4 million per incident, and US businesses are losing up to $300 billion in intellectual property theft alone. Hackers release a new piece of malware every 200ms (a couple thousands by the time you’re done reading this article), and hacking attempts show no signs of slowing. At the same time, the general public seems to be suffering from “security fatigue” and a feeling of helplessness when it comes to their online security, according to a new study. Compounding these issues, the integrity and legitimacy of the upcoming Presidential election seem to be hanging in the balance after the recent string of hacks of Democratic party’s organizations and voter registration systems.
Recognizing the importance of cybersecurity issues, President Obama designated October as National Cyber Security Awareness Month in 2004, and this year kicked things off with a presidential proclamation that highlighted his new Cybersecurity National Action Plan, as well as the establishment of a Commission on Enhancing National Cybersecurity – which has been hard at work to recommend ways to strengthen cybersecurity in both the public and private sectors and promote best cybersecurity practices. “Keeping cyberspace secure is a matter of national security, and in order to ensure we can reap the benefits and utility of technology while minimizing the dangers and threats it presents, we must continue to make cybersecurity a top priority,” Obama’s proclamation reads.
Salve Regina University is an official champion of National Cyber Security Awareness Month, and for the second year in a row, the Pell Center is supporting this national effort and is actively participating to multiple discussions and initiatives across the country. In addition, the Pell Center is posting cybersecurity tips, resources, and insights on social media throughout the month, and is hosting cybersecurity-related events around campus, including a panel discussion on “Hacking the Election.”
In addressing pressing cybersecurity security issues, National Cyber Security Awareness Month has a distinct theme for each week. The overall message of this initiative is to “STOP | THINK | CONNECT” – stop to make sure security measures are in place; think about the implications of our increasingly digital and connected lives and the consequences of our actions and behaviors online; connect and enjoy the benefit of the global Internet economy. That’s actually excellent advice for any online activity, whether that’s uploading snapshots, signing up for a new online service, clicking through to a website, making an online purchase, or downloading the latest app.
While the upcoming week of National Cyber Security Awareness Month will be dedicated to “Creating a Culture of Cybersecurity in the Workplace,” the reality is that no individual, business, or government entity is immune to cyber risks and none of them is solely responsible for securing their own Internet connectivity and digital assets. All of us have a role to play in securing our critical services, our businesses, and the information we create, store, and process through the devices and networks we use. “Cybersecurity is a shared responsibility,” reiterated President Obama in his proclamation, and he stressed that everyone should do their part to ensure “our information is more secure, our data is safer, and our families and businesses are more protected than ever before. If we work toward this goal – as individuals and as a Nation – together we can realize our full potential in the digital age.” Indeed, individual actions have a collective impact, and when we use the Internet safely we make it more secure for everyone. If each of us does our part by implementing stronger security practices, adopting better cyber hygiene, and treating cybersecurity as an inherent component of organization’s policies and processes, we can collectively become a more secure, safer, and resilient digital society.
You can join in the conversation by following @PellCenter on Twitter and using the official NCSAM hashtag #CyberAware throughout the month, and can get additional information and resources by visiting Stop.Think.Connect, Stay Safe Online, and the European Cyber Security Month website.
– Senior Fellow Francesca Spidalieri
Is Russia Trying to Hack American Politics? Picks of the Week
Powell emails were leaked on a site linked to the Russian government | The Washington Post
World Doping Agency Says Russian Hackers Stole Medical Records of Olympic Athletes | The Wall Street Journal
The latest edition of the (almost) weekly hacks that appeared on the front pages of the newspapers this week featured the personal emails of former Secretary of State Colin Powell and the medical records of US and other Olympic athletes, both of which have been confirmed as authentic.
The World Anti-Doping Agency’s (WADA) breach, in particular, appears to be the latest in a string of hacks by the Russian government, which has allegedly been using proxy hackers to target numerous US government agencies, political organizations, and other perceived adversaries in an attempt to undermine confidence in the US electoral system and in the integrity of the democratic process. WADA said that US law enforcement officials were able to trace this breach to a group of hackers known as Tsar Team (Fancy Bear), and that the group had illegally gained access via an International Olympic Committee (IOC)-created account.
This latest episode may have been payback for IOC’s decision to ban numerous Russian athletes from the 2016 Rio Olympics and Paralympic in the wake of a doping scandal that cast a shadow on the country’s sporting establishment. The hackers claimed that the documents posted on the website of Fancy Bear showed the use of performance-enhancing drugs by top U.S. athletes, though they acknowledged the athletes didn’t break any rules.
Many cybersecurity and political experts have connected the WADA breach to various previous hacks, including those of the Democratic National Committee, the White House, the US State Department, and the US Joint Chiefs of Staff (although no public attribution has been made yet). Russian officials have denied involvement in the various hacks that the experts believe to be sponsored by Russian intelligence organizations. Analysts said to have also linked Secretary Powell’s disclosures to the same hacker group Fancy Bear, although it has to be noted that similar hacks have been carried out by mischievous teens in the past.
As I have stated before, if the recent cyber intrusions were indeed orchestrated by the Kremlin, it would be a whole new level of involvement by a foreign power in the US political system. The notion that a foreign country or third party can deliberately manipulate the American political process with targeted data breaches is both disturbing and dangerous, and it would open a new front in information warfare that could fundamentally change the value of data for national security. These hacks imperil the political process and could also yield data that can be used for other crimes as well: profiling, blackmailing, and even terrorist activity.
The next President of the United States will need to prioritize cybersecurity to protect and defend US government agencies and other critical sectors. In a new book out this week, Larry Clinton argues that the next President should make a more aggressive use of the “cybersecurity social contract” model, which finds its origins in the impasse between a previous hands-off government approach that relied on market forces to compel businesses to improve their digital defenses and the surge in recent years of cybersecurity regulations, compliance standards, and penalties for noncompliance. The cybersecurity social contract model “recognizes that regulators can’t keep up with the fast pace of development in cybersecurity technology let alone the evolution of digital threats” and instead it “ensures more industry and government collaboration for sharing information to confront malicious hackers.” The new book includes a trove of strategic and operational recommendations for the next administration to address cybersecurity. In particular, Mr. Clinton also offers 12 specific steps for the new administration to work on collaboratively with the private sector by using the cybersecurity social contract model more actively. If we are to deter and mitigate future hacks successfully, this collaboration should begin sooner rather than later.
– Senior Fellow for Cyber Leadership Francesca Spidalieri
It’s Time for Both Parties to Get Serious about Cybersecurity: Picks of the Week
U.S. Seeks to Protect Voting System from Cyberattacks | The New York Times
How to Hack the Election in 7 Minutes | Politico Magazine
In the wake of hacks that infiltrated the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and the Hillary Clinton campaign, in addition to the political fallout and the multiple warnings from cybersecurity experts about the potential for hacking to disrupt the election, state and national leaders are finally weighing in and proposing measures to protect parties’ sensitive information and the security of the entire election system.
Secretary of Homeland Security Jeh Johnson is said to be considering whether to designate the US election system itself as critical infrastructure, which could heighten cybersecurity at the ballot box and have significant implications on how federal officials would respond to potential cyber attacks. The DNC recently announced that it has assembled a cybersecurity advisory board in response to the recent hack “to prevent future attacks and ensure that the DNC’s cybersecurity capabilities are best-in-class.”
Simply deeming the US election system a new critical infrastructure (the US already considers 16 different sectors as so called ‘critical infrastructures’) or hiring a few experts and a more sophisticated IT team, however, won’t be enough to ensure voters’ trust and confidence in our national security and in the integrity of our election process. If the nation’s politicians and political campaigns don’t improve their overall cyber defenses and develop new approaches and advanced techniques to strengthen our collective security, mitigate cyber risks, and help us prepare today for tomorrow’s challenges, not only will American’s personal data be at greater risk but the entire democratic process could be compromised.
Many cybersecurity and political experts have connected the recent hacks and subsequent leak of sensitive emails back to the Russian government. If the cyber intrusions were indeed orchestrated by the Kremlin, it would be the first known state-backed cyber attack to harness the power of the Internet to manipulate a presidential election. The idea that a foreign or other power can deliberately manipulate voters and parties with targeted data breaches in an attempt to influence a presidential election would be insidious on an unprecedented level, and would open a whole new front in information warfare that could fundamentally change the value of data in national security.
What the US government needs to do is prioritize the use of the limited resources available to first and foremost protect and increase the resilience of those critical infrastructures and services that our society and nation depend upon—power, telecommunications, and financial services—and, at the same time, make clear to any adversary that there will be serious consequences for cyber attacks that disrupt both national critical infrastructures or attempt to manipulate domestic electoral politics. As Jason Healey rightly stated, “the administration needs to be ironclad on the evidence [of the DNC hack] to convince the American people that this is about policy, not politics. This has got to be about defending a constitutional process, not a party.” Moreover, as Passcode’s contributor Bob Hansmann suggested, what “both the Democratic and Republican parties—as well as the Hillary Clinton and Donald Trump campaigns—should [do is] hire chief information security officers (CISO)” to better protect their sensitive information from unauthorized disclosure and “share intelligence on breach attempts and other malicious activity.” That’s not a cure-all by any means. But putting someone in charge of safeguarding their vast collections of sensitive data—whether on political strategies, the candidates themselves, or voters—would vastly improve their defenses against cyber criminals and the prying eyes of foreign intelligence operatives.
Voters, donors, and the media need to keep up the pressure on politicians and candidates to work harder to prevent cyber attacks. After all, whoever the next President, Senators, and Representatives are, they will face immense challenges in updating policies, strategies, and laws to protect our country’s most valuable, sensitive information, systems, and infrastructure—including the computer networks and systems that operate our nuclear power plants, electrical grids, dams, and our democracy itself. – Francesca Spidalieri, Senior Fellow for Cyber Leadership