You have no doubt been reading that the states continue to request better guidance from our Federal government on how to mitigate Russian meddling in the 2018 elections (https://www.nytimes.com/2018/02/19/us/elections-states-hacking.html). Since I am precisely the type of person the Feds would hire to help states in cyber, I decided to skip the middle-man and offer a management plan below.
First, let's do the intelligence brief each state seems to be waiting for: The Russians will target your state using social media, network-based attacks, and social engineering. They have already started, and are more capable than your state election team. They are confident hackers – perhaps even cocky – and they are willing to break glass. They will use tested methods, but will adjust if necessary. And that, dear states, is your brief.
Now, some of you may be cringing, perhaps expecting minute details on attack sources, probe methods, and offensive techniques. But I ask you: What can states do with such detailed threat intelligence at this point in the election cycle? The answer, I believe, is nothing. So, technical briefs on capabilities, timelines, and campaigns are worthless. The fifty states need clear management action plans – and they need them now.
So, let’s develop a plan – one that can be implemented immediately and that is designed to help state CISO and CIO teams do a much better job mitigating the risk of an intense, nation-state sponsored attack from Russia. Recognize also that our decision to publish a plan openly here on social media should have no negative consequences, so long as the states follow the steps carefully. Nothing below tips any advantage to the adversary.
The first step involves assigning a manager to these four tasks: Vulnerability Analysis; Security Awareness; Penetration Testing; and Safeguard Implementation. Each of these tasks can execute in parallel, and all should be supported by a well-regarded, contracted commercial entity, presumably one with experts located in-state. A project management timeline that each state can follow to the election date is shown below.
Let’s start with vulnerability analysis. Each state must hire an expert firm to analyze local election infrastructure for vulnerabilities. Since states differ in their setup, it is silly to offer blanket guidance. Each state must instead implement its own specific cyber solutions. National elections derive strength through diversity. Each state is thus advised to quietly tailor local cyber protections to its local situation.
Some of you might cringe at this guidance as well – perhaps citing hopes for some national umbrella to protect our elections. I can tell you from experience that nothing would suit our adversary more than a Federally-managed, centrally-controlled perimeter. I can also tell you that nothing would complicate their attack plans more than fifty tailored cyber solutions with local variations and subtle differences.
Now, let's discuss the security awareness task. Each state must hire an expert training firm to provide comprehensive, state-wide cyber security education and awareness training. This must include focus on social engineering training, because the Russians are best-in-the-world at targeting weakness in customer support infrastructure. Trust me: they are good, and they are coming.
The people being trained must include everyone involved in a state election. This means all developers, administrators, local election workers, state officials, and even local volunteers. Everyone should be alerted to the types of attacks they should expect, and everyone should be shown how to report suspicious information they might pick up before or during the election. This is an important step.
Third, the penetration testing: It seems flat-out crazy to me that every state is not currently subjecting their election infrastructure to a constant barrage of expert penetration testing. There are hundreds of firms that can do this, and every state can find a couple of good ones locally. This is an essential task, with almost no downside, and every state CISO and CIO is advised to begin the planning.
As a complement to penetration testing, states should consider implementing a bug bounty program for their election systems. Good vendors exist that can help a state establish such a program in a few weeks. Granted, such work could only be performed against Internet-facing infrastructure, but many existing on-line resources support live elections, so bug bounty testing of these assets will reduce election risk.
Finally, the safeguard implementation: Each state should create a war room to be run by the CISO, where every finding from the vulnerability analysis, security training, and penetration testing is assigned to someone in-state who can implement the necessary security fix. Each CISO should put up a big chart on the wall, sort of like on those television police shows (a flat screen is even better).
I can already hear CISO and CIO teams saying that they do not have the staff to support such a process. But I disagree. There is a myriad of third-party vendors and consulting teams who would step in and implement an awesome war room today, not to mention local universities in-state with professors, researchers, and students who would consider it a privilege to help. Stop complaining, get creative, and build your war room today.
You will notice that I did not touch on the usual specifics like encryption, or improved IPS, or advanced analytics, or network monitoring, or even stronger authentication. These point solutions have their place, but let the vulnerability analysis dictate where weaknesses need fixes. Blanket technology recommendations are just ridiculous, given the diversity of baseline infrastructure in each state.
I will be asking my team at TAG Cyber to forward this article to the CISO and CIO team contacts in each state. But you can help: If you have suitable contacts in any of the states, then please forward this article over. We are running out of time, and it is imperative that each state start now. And I would remind you: The advice offered here is what they should expect from DHS. There is no need to wait.
Forward this article now.