
Election cyberattack proves people are still the biggest flaw

A new NSA leak allegedly shows Russian agents engaged in election cyberattacks against local U.S. governments and proves people are still the hardest cybersecurity risk to mitigate.

A bombshell report claims an NSA leak proves Russia engaged in election cyberattacks targeting local governments in the lead-up to the 2016 U.S. presidential election.

According to a top-secret National Security Agency (NSA) document, U.S. intelligence asserted that the Russian General Staff Main Intelligence Directorate conducted the pre-election cyberattacks, although the Kremlin denied Russian involvement. Russian President Vladimir Putin also recently claimed the Russian government had nothing to do with U.S. election cyberattacks, though Putin did admit it was possible that hackers with "patriotic leanings ... may try to add their contribution to the fight against those who speak badly about Russia."

According to the leaked document, U.S. intelligence found evidence of pre-election cyberattacks starting in August 2016 and targeting employees of an unnamed U.S. election software company with spear-phishing emails. The credentials stolen in those attacks were allegedly used in a second spear-phishing campaign in late October "targeting U.S. local government organizations" with Microsoft Word documents containing malware.

Paul Calatayud, CTO of FireMon in Overland Park, Kan., said from a technical perspective, there were ways the spear-phishing attacks described in the NSA leak could have been stopped.

"The attack is based on the targeted employees clicking and opening MS Word documents that have VBScript running. A good practice would be to disable and not trust VBScripting within Word, which can be done based on policies. This would have prevented the malware from executing once employees clicked on the documents to open," Calatayud told SearchSecurity. "The second step is the use of PowerShell. By default, this service is allowed to be executed on most systems. Strong security practices recommend that PowerShell be limited to only be performed from trusted sources by enabling certificate-based authentication. Even better, disable PowerShell altogether."
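As an added example (not from the article or from any vendor quoted in it), a PowerShell audit that reports whether the two controls Calatayud describes, Word macro policy and restricted PowerShell execution, are actually set on a Windows host. The Office version segment in the registry path and the use of the AllSigned execution policy as the concrete form of "certificate-based" trust are assumptions.

```powershell
# Added audit script: reads the Word macro policy and PowerShell policy keys
# a Windows admin would check to confirm the mitigations above are in place.
# Paths are Microsoft's documented Office 16.0 (2016/2019/365) and PowerShell
# Group Policy keys; change the version segment for older Office builds.

function Get-MacroAndPowerShellPosture {
    [CmdletBinding()]
    param(
        [string]$OfficeVersion = '16.0'   # assumption: Office 2016 or later
    )

    $wordPolicy = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Word\Security"
    $findings = @()

    # VBAWarnings: 1 = enable all, 2 = disable with notification (default),
    # 3 = disable except digitally signed, 4 = disable all without notification
    $vba = (Get-ItemProperty -Path $wordPolicy -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    if ($null -eq $vba -or $vba -lt 3) {
        $findings += "Word macros not disabled by policy (VBAWarnings=$vba); set 3 (signed only) or 4 (all off)."
    }

    # BlockContentExecutionFromInternet = 1 blocks macros in files carrying the mark of the web,
    # which covers attachments saved from mail like the documents described in the leak.
    $motw = (Get-ItemProperty -Path $wordPolicy -Name BlockContentExecutionFromInternet -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
    if ($motw -ne 1) {
        $findings += "Macros in Internet-sourced Word files not blocked (BlockContentExecutionFromInternet=$motw)."
    }

    # AllSigned requires every script to carry a trusted Authenticode signature; this is the usual
    # implementation of 'PowerShell only from trusted sources' and is set machine-wide via Group Policy.
    $machinePolicy = Get-ExecutionPolicy -Scope MachinePolicy
    if ($machinePolicy -ne 'AllSigned') {
        $findings += "PowerShell MachinePolicy execution policy is '$machinePolicy', not AllSigned."
    }

    # Script block logging records the content of any PowerShell that does run (Event ID 4104),
    # so defenders can see what a macro dropper launched even when prevention failed.
    $sblPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = (Get-ItemProperty -Path $sblPath -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    if ($sbl -ne 1) {
        $findings += "PowerShell script block logging is not enabled."
    }

    if ($findings.Count -eq 0) { 'All checked mitigations are in place.' } else { $findings }
}

Get-MacroAndPowerShellPosture
```

Run it in an elevated session on a representative workstation; each returned line names the policy value to change and where it lives.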

The human flaw in the election cyberattacks

According to the report by The Intercept, the leaked NSA document contained no conclusions about the aims of the pre-election cyberattacks and the extent to which they were successful. However, experts said it was clear that the malicious actors behind the attacks were targeting two common weak points in IT systems: people and insufficient budgets.

John Bambenek, threat research manager at Fidelis Cybersecurity, based in Bethesda, Md., said, "Ultimately, the point of failure was people," but there were plenty of reasons why the people targeted in the pre-election cyberattacks were unprepared.

"The security failures that tend to take place in local governments are basically the same failures that crop up in small to medium-sized businesses. These agencies aren't in the business of cybersecurity; they're focused on other things. They don't, and probably will never, have sufficient funds to buy the technology and hire the personnel they need to secure themselves," Bambenek told SearchSecurity. "To make matters more challenging, they don't have the money to pay for training, and they are competing with the private sector, which will always pay more for talent. They are outmanned and outgunned against criminal behavior. To expect your local election official to be able to go toe-to-toe with well-funded and highly motivated foreign threat actors is never going to be realistic."

John Jolly, CEO at Syncurity, an Arlington, Va., cybersecurity company, agreed the security failures occurring in local governments "are not unique."

"The failure was to not adequately educate employees who are obvious targets about the dangers, prevalence and increasing sophistication of phishing attacks," Jolly told SearchSecurity. "Secondly, and just as important, [there was] a fundamental failure to understand just how valuable access to the target's enterprise could be in the context of a larger attack. It really comes down to understanding that you have crown jewels that are very important to protect."

Hank Thomas, partner and COO of Strategic Cyber Ventures, a cybersecurity company based in Washington, D.C., said local governments across the U.S. "are notorious for having terrible basic cyber hygiene."

"Trained security talent is hard to find, credentials are often shared amongst improperly staffed teams and patching is not performed on a regular basis. Advanced adaptive authentication tactics need to be employed immediately, and red teaming of systems needs to be performed regularly," Thomas told SearchSecurity. "Most local governments are not resourced properly to obtain basic cybersecurity products and services, let alone run counterintelligence programs to fend off Russian agents targeting the gaping vulnerabilities in our democratic system found at the state and local level."

Preventing similar election cyberattacks

Robert Sobers, inbound marketing director at Varonis, based in New York, said state and local governments struggle to pay market rates for top information security talent. He suggested focusing on limiting data access "to those who need it the most, keeping sensitive data locked down and [monitoring] data access so that when something suspicious happens, you can catch it before it turns into global headlines."

"Government contractors -- and all organizations, for that matter -- need to protect access to their data, keeping it limited to those who need it, so that in the event of a cyberattack or compromised account, the damage is limited and the threat is contained," Sobers told SearchSecurity. "It's more important than ever to monitor who's doing what on your file systems. When an account is compromised or data is accessed in an unusual way, IT security needs to be notified and have automated processes in place in order to mitigate the risk of further breaches."


Bambenek said although there was no evidence of vote tampering in the reported election cyberattacks, every vote should come with "a paper trail, so that if something looks suspicious in the vote-tallying mechanisms, we can go to paper to verify the results."

"Luckily, due to polling and other modeling, it is very hard to 'stuff the ballot box' in realistic ways. But if there is a paper trail, the results can be verified," Bambenek said. "Random audits of voting machines should be conducted to make sure the vote tallies match up. The best we can do is ensure that fraud is detectable."

Bob Anderson, managing director at Navigant Consulting Inc., based in Chicago, and former executive assistant director of the FBI, said because "investment in information security systems, IT systems and electronic infrastructure" is limited in local governments due to budget constraints, "by far one of the best risk-reduction methods is education of the workforce through information security training that is current, robust and ongoing."

"I think moving forward for modern-day elections, we need to realize that the United States is a potential target for political influence campaigns that would reach into cybersecurity systems that in the past would be secure," Anderson told SearchSecurity. "We need to for large-scale attacks with sophisticated malware, which could potentially influence elections at the federal and state levels. We have to have immediate reaction and critical incident response plans in place to handle these threats moving forward."
