In the months leading up to the 2020 presidential election, Chris Krebs had a problem. Actually, he had a few, but the biggest one was getting election officials on the state and local level to take the security threat to the integrity of the election seriously.
As director of the Cybersecurity and Infrastructure Security Agency (CISA) at the time, Krebs was heading up the effort to assess the security and resilience of the nation’s election infrastructure and look for the kind of soft spots that malicious actors, foreign or domestic, might target. The concern wasn’t so much that actors would go after the electronic voting machines, but rather the computers used to tabulate the votes and the networks on which they sit. Attackers from China, Russia, and other countries whose interests don’t necessarily align with the United States have demonstrated the willingness and ability to penetrate government and private sector networks and remain inside for long periods of time. CISA officials and their colleagues at the FBI and other agencies warned state and local officials about the seriousness of the threat, but the message wasn’t getting through for some reason.
Perhaps the spectre of state-sponsored hackers from halfway around the world was too abstract, or maybe there were too many other things to worry about, but the reality of the threats wasn’t landing. So Krebs changed tactics.
“You can talk about Russia and China and Iran all day long, and when security teams aren’t seeing these actors walking into their environments waving flags, because they’re patient, it’s hard to make the sell,” Krebs said during a keynote at the SANS Institute Cyber Threat Intelligence Summit Thursday.
“What we were seeing do the most damage was ransomware actors conducting functionally catastrophic attacks. We made a hard pivot from talking about China and Russia to talking about ransomware, and we saw a shift as the light went on that it wasn’t just about state actors, it was about disruptive non-state actors. And to me that was one of the biggest advances we made.”
We know now that the voting process went smoothly, relatively speaking, but that was by no means a certainty going into November, nor was it just a happy accident. The process of ensuring the integrity of the 2020 election began three years earlier, at a time when memories of Russia’s interference in the 2016 election process were still quite fresh but the effects were not yet fully understood. As Krebs, who was fired by President Trump after the election, and his team began assessing the task in front of them, they found a multifaceted challenge that was daunting in its scope but not unlike those that enterprise security teams face at times. Securing distributed systems against a wide range of threats with sometimes limited resources is a fact of life for many teams, one made all the more difficult when there is no real baseline to start from.
“There was a lack of meaningful practice in election security, no real resilience, across the government. We didn’t have the cohesiveness and muscle memory to get the job done,” Krebs said.
“We realized in 2017 that if we didn’t have a state and local engagement mechanism with the national security community it wouldn’t work. There was a significant lack of investment in election security specifically. There was not a steady stream of funding coming from state and local governments. We had to understand what was the state of security and resilience of election systems. It wasn’t great in 2016, but it has improved.”
One of the key improvements was to use less technology, not more. Paper ballots and voting systems that produce auditable logs became key tools for ensuring the integrity of the voting process, especially in key states such as Georgia and Pennsylvania. As the security planning process continued, teams from other agencies, including U.S. Cyber Command, gathered data from allies in countries such as Ukraine that have been frequent targets of interference from Russia and elsewhere to understand where adversaries might look for targets as the election approached.
“What I wanted to know was target sets so we could advise our partners here where to invest their last dollars. It was voter registration logs, election night reporting systems, and media,” Krebs said.
The lessons that Krebs, CISA, and other agencies learned during the process of assessing and securing election infrastructure have broad applicability for enterprise security teams, as well. Perhaps the most important of those lessons is the value of planning and understanding the threats the organization may face in the future.
“To truly prep for an event you can't start a week or two in advance. You need to think about the challenges you will face two to three years from now. Threat modeling and education is truly a commitment. That was the big difference for us and what led to our success,” Krebs said.
“Try to focus on getting executives and boards to think about how to support you in infosec as you put in the time and investment to think about whether your organization is a relevant target. Are you systemically relevant for an attacker? Are you a jumping off point? Why might someone come after you?”