7 May 2018

America vs. the Hackers: a Cyber-Security Bootcamp

Hannah Kuchler 

With US midterms approaching, election officials are learning how to combat fake news, malware and troll farms It is a war game with a twist. Instead of army officers, election officials are in charge. Instead of battling against an enemy armed with missiles, defences are choreographed against hackers hidden behind foreign computers. With the US midterm elections fast approaching, more than 160 election officials from across the country have just months to learn how to defend democracy. These public servants have centuries of experience between them, managing polling stations and vote counts across 38 states. They are experts in dealing with foul weather, irate voters and fights between rival candidates. But none ever expected to be on the front line in a battle against Russian hackers. Today’s responsibilities include patching up vulnerabilities in voting machines, preventing tampering with electronic records and stalling the spread of disinformation through social media.


To learn how to do this, the officials are attending a two-day cyber-security bootcamp in Cambridge, Massachusetts, where they will participate in a mock election, assuming roles including the secretary of state (the state-level official in charge of elections), IT administrators, communications directors, campaign chiefs and activists. I am taking part too, charged with playing a nosy reporter, and am allowed to watch the chaos unfold, on the condition that I do not name the officials or their states.

In this mock election (the third of its kind, with some officials attending more than once), the main threat comes from a group called “Kompromat” — a Russian political term for compromising material, often used for blackmail. This is an unsubtle reference to the Russian hackers who surprised the US by launching attacks on its electoral system in real life in 2016.

The US government believes they tried to hack election systems in at least 21 states. Russians also leaked emails they stole from the Democratic National Committee, while the Internet Research Agency, a Kremlin-linked troll farm, spread disinformation on social media.

The US has a long history of election fraud, dating back to New York City’s Tammany Hall in the 19th century, when Democratic Party supporters employed people to cast multiple ballots and intimidate opposition voters, and brought in illegal voters from other cities to boost registration rolls. But floods of extra voters are easier to spot than surreptitious changes to today’s electronic counts or, perhaps more notoriously, fake news.

Heather Adkins, director of information security and privacy at Google, who is at the bootcamp to advise the officials, says that now the Russians have shown what can be done, other nation states and even cyber criminals are likely to be tempted. “Usually what happens in cyber security is a kind of watershed moment, a unicorn event. And then all the bad guys realise: ‘I can do that,’ ” she says.

This event is the brainchild of Eric Rosenbach, former chief of staff for Ash Carter, defence secretary under Barack Obama. Rosenbach started the Defending Digital Democracy Project at the Belfer Center for Science and International Affairs at Harvard University in 2017 with the mission of improving US defences against election hacking. His easy manner disguises his credentials: he oversaw cyber security for the defence department, with a $30bn budget and 15,000 personnel.

Rosenbach has teamed up with political campaign managers who have experienced hacking first-hand: Robby Mook, Hillary Clinton’s 2016 campaign manager, and Matt Rhoades, who was in charge when the Chinese hacked the Romney campaign in 2012. Rosenbach has also brought in tech companies, with Facebook and Google giving money and the know-how of their top security experts. All of them are desperate to ensure the 2016 election does not prove to be a dress rehearsal for more disastrous attacks this November and beyond.

The bootcamp is run as an elaborate choose-your-own-election-hacking adventure. Each of the officials’ decisions on which technologies to buy and which policies to implement will affect how they may be attacked. Meanwhile, the military-minded organisers have instructed me to add extra stress by interrogating the election officials on camera. The stakes are high but so are spirits: everyone is eager to improve their preparations.

Maureen, a small, red-headed IT administrator, is assigned to play the secretary of state in charge of the 30 officials in the imaginary state of Porter. When it comes to her real day job, Maureen knows she could earn more money in the private sector but she says election security “is one of the most valuable things I can do for my state, and really for my country”.

Still, she’s aware the battle against election hackers may never end. “I really don’t want my name in the news. Or our secretary of state’s name in the news. Or our state in the news . . . I’m in it for the long term. The midterms don’t really provide that much relief for me so much as: ‘Got through that one,’ ” she says, miming wiping her brow.

Maureen starts the exercise calmly with some mock budgeting. She is familiar with the technologies the officials want — two-factor authentication on their systems (an extra layer of protection to make it harder for hackers who have stolen passwords) and Captcha (which is used to determine whether a user is human for online voter registration). Her IT team quickly acquires services such as penetration testing, where so-called “white hat” hackers highlight the flaws in defences by trying to enter the network from the outside.

The digital clock projected on a large screen starts ticking. Two minutes into the assigned hour, a headline pops up: “Hackers target election systems in 21 states.” This is a real headline from The New York Times in September 2017, when the federal government told the states that hackers had tried to enter their systems before the 2016 election.

“Are you one of the states that have been hacked?” I ask the person playing the state’s communication director. His answer is not comforting: “We haven’t received any information from the Department for Homeland Security or the intelligence agencies on that. We made sure we are protected. There is nothing we are aware of,” he says.

Meanwhile, a fictitious former employee tweets that the state is unprepared to deliver legitimate elections, and the man playing the American Civil Liberties Union rushes to the TV camera to complain that he has not been able to raise his concerns with officials.

Moderators are simultaneously bombarding the teams with technical updates. Kompromat is believed to have used “spear-phishing” — targeted fake emails with malicious attachments or links — to hack their systems. A virus has exploited a vulnerability in printers to penetrate government devices.

An employee at the Department of Motor Vehicles has a gambling habit — this is known in the security industry as an “inside threat”. He has been blackmailed for his access to voter registration records and logged at least 300 fake voters in two months.

The news flashes that another group called Fuzzy Cub (a nod to the real-life hackers known as Fancy Bear) intends to activate dormant malware in voting machines on election day. The voting machines are relics of a more innocent era: when running elections on computers seemed convenient, not catastrophic. Now, officials and security experts are devotees of paper back-ups.

In the spring of 2016, Rosenbach was at the Pentagon. Intelligence began to cross his desk saying the Russians were trying to influence and undermine trust in the US election. “It really shook me up,” he tells the officials as he opens the camp. “I was left with the feeling that I didn’t do enough. We as an administration didn’t do enough. And that we were really still vulnerable. My nightmare was that all the other bad guys and the Russians would see that we hadn’t done much to defend our country. The next adversary to attack us could be Kim Jong Un, or the Iranians, if the nuclear deal fell through.”

Shortly after, Rosenbach started the Defending Digital Democracy Project with the aim of creating a playbook for cyber security — something that officials and campaign managers wished they’d had in 2016. Soon, he hopes to launch a Defending Digital Democracy corps of volunteers to travel to states and advise on security.

Rosenbach’s opening remarks hint at one of the biggest obstacles to election security: politics. Some avoid discussing the subject because they fear it implies the Russians won the election for Trump. “This doesn’t have anything to do with politics, this is not about the current president, whether or not he was legitimately elected. This is nothing to do with that and I wanted to state that explicitly,” he says. “This project is something practical to protect the most precious part of American democracy.”

The officials have had some help from government. The appropriations bill, passed in March, allotted $380m for states to improve election technology and security. By chance, the officials find out how much their state has to spend — an average of $7.6m — during the camp. The last time they had such a windfall was after the chaos caused by the infamous hanging chads in the 2000 Bush vs Gore presidential election.

Today’s threats are even more complex. Before the mock election, Michael Sulmeyer, an upbeat Harvard professor who runs a research programme on cyber conflict, lists democracy’s adversaries: Russia, China, Iran, North Korea. Then there are the “black hat” hackers, who are contract mercenaries, and cyber criminals armed with ransomware, the malicious software that seeks payment to decrypt computers, and terrorists.

Elections traditionally relied on rival parties ensuring that their opponents behaved fairly, but this does not work when the real adversaries could be hiding behind computers overseas. Many security tools have now become redundant because they rely on audit trails, which don’t exist with anonymous voting. That is why paper is so popular: if all else fails, you can count the vote again.

Adkins helped found the security team at Google 16 years ago. Modern elections rely on a variety of technologies, including voter-registration rolls, voting machines and systems that keep media organisations updated. “I promise you, given a day with any of this infrastructure I could compromise you,” she says.

Last year, “white hat” hackers at Def Con, a hacking convention in Las Vegas, broke into the first voting machines in 90 minutes, using a vulnerability that had been known about — and fixable — since 2003. By the end of the conference, they had hacked all 25 pieces of voting equipment.

Trust is the biggest issue. The US election system has different rules, systems and technologies in different states. This makes it hard to protect — but it also should make it hard to change the result of a national election. An adversary would need a deep understanding of which swing counties to target and how — as well as persistence in finding the holes in every system.

Far more likely — but no less worrying — is that hackers try to sow doubt about whether to trust the results. “I’m not actually so concerned that the Russians or the Iranians or the North Koreans penetrate so many voting systems that they literally change the outcome of an election,” Rosenbach tells me. “But there’s a big difference between that and attacking three or four local precincts and making it very clear that the vote there is not reliable. Then doing information operations to the rest of the country to say: ‘This is just a little bit of what has really happened, your entire vote is unreliable, just like democracy.’ ”

Alex Stamos, chief security officer at Facebook, has spent the past year hunting Russian disinformation. The Internet Research Agency has plagued Facebook with fake accounts, stirred up trouble around divisive political issues and encouraged rival Facebook groups to hold opposing protests on the same day. The nature of the US election system makes it less likely an attack would swing an election, but more likely it would try and cause “chaos and distrust”, he says.

“If every election was like Bush vs Gore and goes to the Supreme Court, that would be a very bad thing for our country,” he continues. The priority is to make sure “outside adversaries are not able to create a population of Americans that for the rest of their lives will believe the election was stolen from them”.

Lori Augino has long brown hair and a ready smile. She started her career in elections aged 20, as a temporary staffer, working her way up to be director of elections for Washington State. She is participating in her second mock election organised by the Defending Digital Democracy Project. “You know, I certainly was not thinking about Russian hackers back in 1995. But we have always had issues of continuity of operations,” she says. “Doesn’t matter who the attacker is, if you don’t have access to your systems on election day: what’s your plan B? What’s your plan C? What’s your plan D?”

Augino is one of the army of officials charged with an extraordinary task: keeping democracy running. They are used to being invisible — one joked that people think they only work two days a year. But now, on top of their normal jobs, they have to play a more public role as the last line of defence against threats on their home turf.

Judd Choate is the state election director for Colorado and former president of the National Association of State Election Directors. He tells me election officials have experienced an “extraordinary expansion of understanding” of cyber security since 2016. “It’s the difference between being a first grader and being a graduate student,” he says.

Stamos is meeting with officials at the event to try to establish clear lines of communication with Facebook should anything go wrong, such as a fake page giving out the wrong instructions on where to vote. He is heartened by their commitment. “There’s a lot of dedicated public servants who never thought they would be on the front lines of defending democracy. That is not why somebody became an IT administrator for a secretary of state or local government,” he says.

Rosenbach is impressed with the military-style contingency planning but he is trying to brace them for something more. “They are just not equipped to be fighting the pointy end of the spear of the Russian [intelligence agency] GRU,” he says.

Defending Digital Democracy is also trying to prepare campaign managers. The on-the-fly nature of political campaigns can make them especially vulnerable. Mook, Hillary Clinton’s manager, says they had no playbook to manage response, understand legal obligations and follow best practices for communicating publicly. “I didn’t even have a framework to understand the problem,” he tells me. “So you’ve been breached — what does that mean? What is cyber security? What should I be looking for? What should I be asking for?”

Mook is sympathetic to campaign managers who think they just have too much to do. But he says everyone has to take responsibility for protecting elections: campaigns, government and tech companies. Congress has been grilling Facebook, Google and Twitter on Russian disinformation in 2016, with Mark Zuckerberg, Facebook’s chief executive, recently answering questions for 10 hours after Cambridge Analytica used Facebook data to build psychological profiles.

“The first thing is the tech industry has to take responsibility. They have to acknowledge that we have a real problem here and they are part of the solution,” Mook says. “And our federal government needs to partner in an active way and be supportive of that industry to keep the bad guys out.”

Like Rosenbach, Mook is motivated by a vow to never be unprepared again. “What would be a real tragedy in my mind is that we wouldn’t apply all of that learning forward and do things better and differently. A year ago it didn’t look like anything was going to change — and, you know: ‘Fool me once, shame on you. Fool me twice, shame on me,’ ” he says.

No comments: