On Hacking During the U.S. Presidential Campaign
Technology has been front and center of this year’s presidential campaign, and not in a good way. We argued endlessly about Hillary Clinton’s implementation of email while she was Secretary of State, we learned about the hack of the Democratic National Committee and other Democratic campaign organizations, and we were treated to the spectacle of a presidential nominee requesting a foreign government to release more stolen documents. Whether or not that request was sarcastic, it pretty much ensured that subsequent discussion would be devoid of technical detail in favor of campaign optics. I hope to rectify that situation somewhat.
I won’t address the issues with Clinton’s email server here for reasons of brevity, but also because the technical detail necessary to analyze the situation is not public. More information is available to evaluate the security considerations resulting from other hacks that have come to light.
The Three Circles of Computer Hackers — As a technology professional, I’ve been frustrated by the news focus on scandal versus actual security issues. Clinton’s email server is endlessly debated and will likely be a topic of discussion long after the election if she wins. Meanwhile, few people are even aware that the State Department’s email was definitely hacked, which certainly included far more email messages than were on her private server.
The Office of Personnel Management, the Internal Revenue Service, and potentially dozens of other government networks were also compromised, but these have been at best two-day stories in the mainstream press, followed by debate only in techie circles. When a hack has staying power in the mainstream media, such as the one suffered at the DNC, it’s because it feeds partisan debate, and the technical issues are ignored.
Before we get into the details of the hacks, it’s worthwhile to discuss who these hackers are. I classify them into one of three groups: script kiddies, lone hackers and criminal networks, and state actors.
- Script Kiddies: Most of the time, when you hear about a powerful hacker in the press, that person is actually a “script kiddie.” Once a security flaw is discovered, and a corresponding hacking tool is developed, said tool has commercial value in the more disreputable corners of the Internet. “Script kiddie” was coined to describe the hypothetical 12-year-old who, with little knowledge of actual hacking, downloads such a tool and unleashes it from their home computer.
This is not a new phenomenon — I had a friend in high school who was visited by the FBI in 1985 and politely asked not to touch any computers for a few years. What is new is that these people can easily congregate on the dark web, enabling a security vulnerability to go from recently-discovered to worldwide-attack-vector in hours.
Script kiddies use existing tools and known vulnerabilities; their target is the user who ignores security updates. (Don’t be that person.) As such, script kiddies are easily defended against. However, they’re also useful as political fodder when it’s in the interest of an agency to report they were attacked over 70,000 times. It’s not the quantity we should worry about, it’s the quality.
- Lone Hackers and Criminal Networks: The real concern to most people is the hackers who discover new vulnerabilities and the criminal networks that exploit those vulnerabilities.
It’s important to note that “hacking” itself is not a bad thing: it’s just a kind of computer forensics and programming. “Black hat” hackers are the bad guys; “white hat” hackers are hired by businesses and governments to protect you. Black hat hackers often crop up in places where highly skilled technical people tend to be underemployed. Thanks to the Internet, it’s trivial for these people to organize or be recruited by criminal organizations; when you hear about a hospital paying a $17,000 ransom to get its files back, that’s whom they’re paying.
Hackers are portrayed in movies as near-magicians, able to access just about any digital file on the planet. In reality, their abilities are much more limited but still pretty scary. The best defense against them, as with the script kiddies, is keeping up-to-date with security updates — you’re relying on the computer industry to learn about potential vulnerabilities before the bad guys do. The Internet and many computer resources were built during a much more trusting era, and have evolved into an astonishingly complex system. As a result, the whack-a-mole process of “find a vulnerability and patch it” is what we’ll have to live with for decades to come.
The Achilles heel of the black hat hackers and the criminal organizations that employ them is that they need to monetize their hacks: information, once discovered, has to be sold or exploited. This need provides an opportunity for law enforcement both to discover the hack and to trace its source. The best friend of these hackers is secrecy: corporations that cover up data breaches for fear of public embarrassment, technology companies that keep their source code secret (and unavailable for review by outside experts), and government agencies that don’t publicize attacks for fear of exposing their vulnerabilities.
- State Actors: Here is where we really need to draw a distinction in hacking organizations. There are state-run hacking groups and everyone else. The technology that state-sponsored hackers have access to is secret, but we can guess several things. First, they have budgets larger than any available to all but the biggest criminal networks. Second, they have access to classified hardware and software that likely outstrips what’s available on the mass market. Third, when they find a vulnerability, they can sit on it for years, harvesting exposed information without publicity. And fourth, they can work with friendly companies and old-fashioned spies to build backdoors and other vulnerabilities into the technology that’s sold to the public and to other governments.
It’s that last reason that helps make the scariest techies on Earth not “Chinese hackers” or “Russian hackers,” but “American hackers.” It’s nearly certain that the most sophisticated and powerful cyberwarfare capabilities are those deployed by American agencies. Some of these technologies are defensive — as with anthrax, sometimes you need to possess a weapon in order to understand how to defend against it — but since a cyberweapon is covert in the way that a guided missile very much isn’t, it’s anyone’s guess just what the U.S. government is doing with its cyberwarfare capabilities.
We do know that other governments are doing their best to catch up. The Chinese and Russian governments have dominated the headlines when it comes to recent attacks on American entities, but any country with a significant military capacity has a cyberwar component running alongside it. As the dominant nation when it comes to building new consumer-level computer hardware and software, it’s likely we have an equivalent lead in covert military uses of similar technology.
The distinctions between these hacker types become important when you start asking the question of whether you personally are being targeted.
Script kiddies and individual hackers use scattershot methods to attack vast numbers of devices on the Internet; ergo, to stay safe, we should all employ basic security tools and practices (even if they’re just built into our hardware, software, and services).
You’re in more danger if you’re targeted by a capable black-hat hacker or criminal network; they might hit you with attacks designed to penetrate your organization’s defenses. Unless you’re a high-level employee in a major company or someone with access to confidential systems, it’s unlikely that you’d be targeted personally. However, individuals have been targeted for angering the wrong people, and hackers can be hired by a personal enemy. Most people are generally safe from personal attack, but there are exceptions.
If you’re the target of a state-run hacking organization, all bets are off: it’s impossible to know what tools state-sponsored hackers might use to penetrate your systems, but the story behind Apple’s recent iOS and Mac updates can give you an idea of what’s possible (see “iOS 9.3.5 Blocks Remote Jailbreak,” 25 August 2016). Governments may be interested in your activities for legitimate or political reasons; if so, constant vigilance on top of excellent security practices would be necessary.
Our Democracy Has Been Hacked — This brings us to the Russian attack on Democratic campaign organizations. That statement has already been politicized, as some people have tried to obfuscate who masterminded the attack.
Here’s the evidence pointing to the Russian government: the Romanian hacker who claimed credit for the hack doesn’t seem to be a native Romanian speaker; the series of events following the attack follows the pattern of Russian disinformation campaigns; and the signatures of the hack identified the perpetrators as two organizations known to work with and for the Russian government.
There are two ways in which this hack affects the election:
First, the last time foreign security agencies were interested, or actively involved, in influencing U.S. elections was when we were in an openly confrontational situation. Such activity is historically documented on both sides of the Cold War, but certain lines haven’t been publicly known to be crossed since. Yes, other countries have tried to support American domestic political movements in the hopes of generating a friendlier government (to them). But as far as we know, they’ve rarely tried to support or torpedo specific candidates; the last time the Russians tried (unsuccessfully), they were called “Soviets” and we were locked in the Cold War.
Second, it means that literally thousands of political entities are now potentially being targeted by foreign agencies with significant capabilities. Your reaction to hearing of an attack on a national Democratic organization may have been horror or schadenfreude depending on your voting plans, but consider who really runs politics in America: a number of nationwide organizations, a hundred statewide entities (and a hundred more during a presidential campaign), and literally thousands of county and city groups involved in local politics.
Most of these people are volunteers who likely have average technical skills. What these volunteers don’t have is access to computer security resources and training, unless they’re provided by the national political organizations. And to the extent that security advice has been provided, we can presume that it was done with an eye toward preventing hacks by political opponents, rather than sophisticated state agencies.
I’m not trying to describe a conspiracy to subvert all elections, but the dangerously close ones are vulnerable. If Clinton’s lead over Trump is substantial, it’s unlikely that foreign influence would be enough to tip the election. But if it were to get closer, things could change. Most of us remember an election 16 years ago that was decided by 537 votes in Florida. In a close election (or even just in close states), outside tampering with the political process could be a deciding factor. I live in Philadelphia; if the local Democratic organization’s computers were crashed here on Election Day, Clinton could have a substantial lead in Pennsylvania and still lose to Trump on a failed get-out-the-vote effort.
The Election Hack — Unfortunately, the attack on Democratic organizations isn’t even the most recent in the news. Voter registration systems in Illinois and Arizona were targeted and penetrated to varying extents. It’s important to note that it’s unknown (or at least, not public) who is behind these hacks; we can’t assume the Russians are also targeting our election systems. But somebody is.
The motive behind these hacks is also unclear. No registration data was changed in either case; in Illinois, 90,000 voter registration files were downloaded, so it could have been a matter of simple identity theft. Malware was installed on the Arizona server, but officials haven’t reported what it was attempting to do. It’s entirely possible that the intent of these hacks was purely criminal, not political.
That shouldn’t make us relax, however. These hacks show that our election systems are vulnerable, and future hacks may try to sway elections. Not to put too fine a point on it, but our political system is not designed to defend against such threats. Elections are run by the fifty states, and implemented by thousands of city and county election boards. You might think that most Americans have an interest in, say, the integrity of elections in Georgia, which has 2 senators and 16 electoral votes; the state of Georgia, though, thinks you should mind your own business.
Beyond that, we’re vulnerable because we have heavily politicized the debate over election integrity. Republicans routinely claim that voter fraud is rampant (despite evidence to the contrary), and Trump claims that fraud would be the only explanation were he to lose Pennsylvania. Democrats argue that this concern amounts to crocodile tears to provide political cover for disenfranchising groups who happen to vote Democratic.
I have my own opinions about which side is correct, but one thing is certain: the debate is so politicized that it was impossible to choose links that everyone would agree came from credible sources. I cited the Brennan Center because it’s the first result in Google (after signing out and anonymizing my browser); for all I know, a significant percentage of my readers might have been told that the Brennan Center is unreliable by news sources they trust.
It’s easy to be disappointed when your candidate isn’t doing well in the polls or has lost a given state. It’s a lot harder to give credence to claims of fraud and hacking attacks on elections when opening that can of worms might overturn a win by a candidate you support. For that reason, I expect post-election arguments about possible hacks to be driven entirely by partisan reaction, and to have nearly nothing to do with factual information. Even finding facts will be made more difficult amid the noise made by partisan bickering.
How the Thoughtful Voter Should React — Full disclosure: I’m a partisan Democrat. Like many of my political persuasion, I chortled mightily when I read about the impact of a failed computer system on the Romney campaign in 2012. But that was a self-inflicted wound. I would feel differently if that damage had been caused by outside agents, even if they were Democratic actors on “my side” attacking the system. I can’t support winning an election by corrupting it. I would feel even more strongly that way if the hacking were done by a foreign
As a democracy, we need a reasonable expectation that our elections are, for the most part, the will of the populace.
And as with most threats to democracy, the best defense is a more informed voter. If you’re an American, you’re most likely a partisan or have partisan leanings; you’re more likely to respond positively to news that helps your candidate or harms their opponent, even when it involves foreign tampering. Resist that impulse. It’s appropriate only within the realm of partisan politics; it’s inappropriate and dangerous when we’re talking about attacks that transcend the political realm.
Part of this can be laid at the feet of the media that drives much of our political discussion. The national security threat of a known hack of State Department networks is orders of magnitude larger than that of a hack on the Secretary of State’s email server. A political debate driven by national security policy would give far more weight to the former. A political debate driven by scandal favors the latter.
This problem is driven by the fact that news organizations respond to the appetites of their audiences; the quality of political media is often no better than the quality of those appetites. It’s one thing for us to consume editorial and opinion pieces that agree with our political views; when we decide to filter reporting of national events with the same prejudices, we make it impossible to hold a rational debate with people who disagree with us.
My personal strategy is to deliberately expand my media diet with plenty of international sources, especially the BBC. Perhaps these sources have political bias when covering their own countries, but they’re unlikely to fall prey to American political influences. I avoid partisan news outlets on both sides not because I disagree with them, but because I find them non-credible sources, both for what they select as newsworthy and their actual coverage. I sometimes listen to Rachel Maddow, but that’s part of my entertainment diet in addition to my regular news diet, not in lieu of it.
Likewise, resist attempts by the media and political organizations to normalize hacked documents by citing them as unbiased sources. The National Republican Congressional Committee cited hacked documents from the DNC in a campaign ad in Florida; political newspaper The Hill ran with a story about DNC manipulation of primary races in Pennsylvania. (The Hill at least points out that the intentions of the leaker are “interesting” but then drops the topic for the rest of the story.) Both actions presume that using the documents in question is legitimate; both also inherently assert that the documents are true and accurate. The former is up for debate; the latter is entirely uncertain. Hacks are done for a reason, public releases are done for a reason, and electronic documents can be modified easily; all of these should contribute to a healthy dose of skepticism when you’re evaluating such news. (This is not to suggest that the leaked DNC documents were falsified; the resignations of three DNC officials thereafter implies they were basically sound. However, if I were going to design a disinformation campaign, I’d start with true documents and then follow up with false ones.)
If you’re involved in politics, it’s time to up your information security game; if you’re not involved but have technological chops, now is an excellent opportunity to make your skills known to community organizations who might need you. It’s too late this election cycle to walk into a campaign and volunteer to see their most valuable data, but anyone who gets involved in 2016 becomes a known resource in 2018 and later.
This is a nonpartisan prescription: we know that Democrat organizations have been targeted, but there’s no reason to think that Republican groups have better security. I can think of a dozen reasons why foreign governments would be just as interested in Republican data, so until further information is available, I’m assuming that it’s more accurate to say the Republicans “are not known to be hacked” than “were not hacked.”
As Jefferson (supposedly) said, vigilance is the price of liberty. He didn’t have computer networks in mind, but this is one of those times when it’s even more important than usual.
This is excellent on all fronts.
As a network admin as well as a political junkie, I share your frustration about reporting on hacking, and also about drawing narrative conclusions about those events without reference to technical fact or industry best practice.
Thanks again. This is must-read.
I've read the paper on voter fraud and find it very interesting. If one accepts the argument that most allegations turn out to be just clerical/human errors then one has to wonder about the integrity of the system as it goes digital/online. It takes a lot of people/labor to impersonate dead voters in person! However, not so much to impersonate them digitally over a network. And sure, if it's spotted, we can say "clerical error" but it will be difficult to know for sure. I think that voting data security in the electronic age is of utmost importance.
"news organizations respond to the appetites of their audiences" Yup. The news media is entertainment. Just like all other entertainment, the object is to make money. People should not believe everything they find in the news anymore than they should believe everything they find on the internet. Sorry for being so cynical. I've been around a while.
Call me less cynical, then. A nineteenth-century newspaper was no less full of made-up stories and facts to be careful of than the current web. But taken as a whole, news media plays an important democratic role that other media don't. They share some aspects with pure entertainment, but they're not the same thing.
I wonder why in the US we don't make it illegal for any part of the federal government to withhold information on security flaws. Make it mandatory for government agencies to disclose to hardware manufacturers and software companies whenever they discover a security flaw.
This would benefit US companies by helping make their products safer. It would benefit the US taxpayer by removing government agencies' incentive to procure tools and information on security flaws. Most importantly though it would benefit US citizens.
And before anybody suggests it would weaken the US intelligence community, rest assured whatever the US agencies know and withhold is likely also known by at least some agency or organization in another country. Do you really want your government conspiring against its own citizens (i.e. you) because of the vague prospect they might one day have one tool that puts them one step ahead? I surely don't.
I think US-CERT already plays a major role in this kind of information sharing that doesn't reach the general public. Beyond that, you've got two arguments (at least) against mandatory public disclosure: 1) you don't want to publicize vulnerabilities if there's no way to protect against them yet; 2) you don't want to give companies a major reason to hide these flaws from the government, including agencies whose role is to protect the public. There has to be some privacy so companies have time to find and fix vulnerabilities.
Hence disclose to the manufacturer first, not the public. Just like the white hatters. You tell the manufacturer about the problem and give them time to fix it. Then you go public. In the event that the flaw indeed cannot be fixed at all, you want everybody to know so the specific system can be avoided/replaced.
In which case, how much time is reasonable? What about flaws that can't be fixed, or at least, not economically so?
I'm not opposed to the sentiment, I just have trouble imagining a Congress that could word such a law such that it wouldn't cause more harm than good.
Security through obscurity has never worked.
If there is something that absolutely cannot be fixed, at least the public should be informed about it so such systems can be avoided.
Whether Congress can pass such a law is an entirely different matter. If the present Congress is indeed unable to do so, we will soon have the chance to fix that. And if we don't, that will be on us.
It already routinely disregards any law or part of the Constitution it desires, so it would just disregard that also.
Your reference dismissing voter fraud relied on funding from such defenders of freedom as George Soros, et al. Not US-friendly to be sure, but the ends justify the means, I guess.
At this point, paper ballots look more and more appealing. And no, I'm not a Trump supporter.
I'm just a veteran who sees the Democratic establishment as satisfied with the current level of American casualties as something we can "absorb" as a nation (Obama's characterization)...God knows what our external enemies can do to our infrastructure, given our reliance on IT in that arena. It may make electoral hacking pale in comparison.
I agree with you 100% (and not just because I'm a retired ROMAD).
Forty years or so ago, I read a science fiction novel where electronic voting was standard AND mandated. All ballot items began with the phrase, "In the interests of good government,..." and those whose vote was considered to NOT be in the interest of good government disappeared. This is one SciFi "prediction" we DON'T want to come to pass.
BTW, Apple should have used "Warthog" as the code name for the iPhone 7/7+ chip.
What's a ROMAD?
As a foreigner, I've never understood the appeal of voting machines in the US, which are such an obvious point of attack for electoral fraud, ransomware etc etc. Compounded because their code can't be audited because of "proprietary concerns" of the company that makes them. What could possibly go wrong?
In my experience, they aren't used anywhere else. Anybody know differently?
I recall from conference presentations that the companies involved were looking to sell overseas, but I don't remember when this was or if it was successful. Presumably, after the Help America Vote Act passed, there was enough domestic government money floating around that that became the most fertile place to market.