Black Hat: Election Security Issues Aplenty with 'Interference,' 'Lots of Misinformation'

The pandemic ushered in a whole new set of election security concerns.

Edward Gately, Senior News Editor

August 5, 2020

9 Min Read
Election Security
Shutterstock

This week’s virtual Black Hat USA 2020 conference kicked off with a call to arms for cybersecurity professionals to help with election security issues this November.

The opening keynote, titled “Stress-Testing Democracy: Election Integrity During a Global Pandemic,” featured Matt Blaze, McDevitt Chair in computer science and law at Georgetown University.

Jeff Moss, Black Hat founder and director, says a record 117 countries are participating in the virtual event. He said election security is a hot topic with the upcoming general election with “lots of interference, lots of misinformation and lots of new technologies being deployed.”

Blaze said software can be an issue in election security because it’s difficult to secure. You need at least some software to run elections, but “we don’t want to depend on it.”

Blaze-Matt_Georgetown-University.jpg

Matt Blaze

“This is something we’ve grappled with for two decades now,” he said.

Election Security Breakthroughs

There have been two “enormous” breakthroughs this year addressing election security issues, Blaze said. The first is software independence.

“This is essentially a requirement … that you should design your voting system in a way that an undetected change or error in the software can’t cause an undetectable change or error in the election outcome,” he said. “It doesn’t say you can’t use software. It says you shouldn’t depend on software for the outcome in ways that you can’t detect.”

Second, a UC Berkeley statistician came up with a method for achieving this with certain types of voting machines, Blaze said. Those are optical scan paper ballot voting machines. This involves auditing a subset of ballots and comparing the result to the reported outcome.

“If you do this enough, you can have very high confidence … that your reported election results are the same results you get by hand-counting all of the ballots, but without having to hand-count all of the ballots,” he said.

These two ideas were the “gold standard” for addressing election security issues at the start of 2020, Blaze said.

“So there’s been progress,” he said. “We finally know how to do this well. Election security at the beginning of the year was a matter of getting it implemented. And we’ve had some progress on that. The paperless voting machines are slowly being replaced by optical scan paper that’s compatible with risk-limiting auditing techniques. A few states are starting to employ risk-limiting audits and catching on.”

And there have been bills in Congress to fund states to shift to paper ballots, Blaze said.

“There was reason for optimism,” he said. “So if I were giving this talk in February 2020, that would be the end. I’d say we finally know what to do. We have our technological marching orders. And we can declare a certain amount of victory and be optimistic going forward that we will one day secure our elections really well.”

Pandemic Changes Everything

And then the COVID-19 pandemic came along and added a whole new set of election security issues that “got brought very sharply into focus,” Blaze said.

“So there can be a number of disruptions for voting,” he said, noting there are different ways to address them but it can be “increasingly difficult.”

Keep up with resources for supporting partners and customers during the COVID-19 crisis.

Absentee or mail-in voting is available everywhere, but the vast majority of voters still head to the polls on election day, Blaze said. Therefore, local jurisdictions only have the resources and capabilities to handle smaller amounts of mail-in ballots, he said.

Verifying and processing mail-in ballots already is …

… a labor-intensive process. And scanning machines are big and expensive, he said.

“We have security issues as well,” Blaze said. “The scanners themselves have to be audited; risk-limiting audits are still necessary. There’s very high pressure on the chain of custody, and things like denial of service where voters are given incorrect instructions or voter registration rolls with addresses are tampered with.”

Looking ahead, there’s reason to be both optimistic and pessimistic about the upcoming election, he said.

“There’s a lot of uncertainty about how many voters who would normally vote in person will need mail-in ballots,” Blaze said. “And we’re likely not to know until it’s too late to change course. That means we need to prepare for a very wide range of scenarios that may not come to fruition.”

It’s likely that most jurisdictions won’t have the funding or other resources to do this themselves, he said. Black Hat attendees are in a great position to help solve local election security issues, he added.

“And time is really short; the election is less than 100 days away,” he said. “Many of these problems, the logistical aspects of this, are familiar to computing specialists. So our expertise in this community is central to many of the problems that we have here. The optimistic note is, we can do this, but we need to engage now. This community is precisely the one whose help is going to be needed by your local election officials. Call them and find out how you can help. We all have to take responsibility for this.”

MSPs’ World ‘Turned Upside Down’ During Pandemic

Also at Black Hat, OpenText‘s Jamie Zajac talked about how the “world has really been turned upside down” for MSPs during the pandemic. She is vice president of product management at the company.

Zajac-Jamie_OpenText.jpg

OpenText’s Jamie Zajac

“Cybercriminals have no heart,” she said. “They’ll take advantage of any situation they can to make money or push forward their agenda. And so as MSPs, you need to understand what the new threat landscape looks like and how you protect your customers against that.”

OpenText has seen a three-year high in the amount of unique threats that its customers and endpoints are seeing each day, Zajac said.

“Over the past few years, businesses have been increasingly looking to MSPs to secure their infrastructure and their technology strategy in general,” she said. “Small businesses now are effectively required to have an online presence and to have a certain amount of technology. And small business owners don’t always know how to install that and manage it, and have the time for it.”

At the same time, cybercriminals are starting to understand that attacking an MSP is an efficient and effective path to get to small businesses as well, Zajac said. So why attack 100 small businesses when you attack one MSP and potentially get access to their entire customer base? she asked.

“MSPs, just like small businesses themselves, need help,” she said. “They need to look and make sure that they’re set up to counter that 2,000% increase in Zoom threats, or the COVID-19-related threats that are happening and the increase in phishing attacks. And MSPs need to look internally as well. They need to make sure that they’re resilient and set up to respond to that increased level of attack on their business as well.”

OpenText recommends MSPs meet with …

… their customers and discuss the “new world” and how they set up their technology strategy going forward, Zajac said.

“The first part of this is to assess the current infrastructure,” she said. “Are they using the right tools? Are the applications up to date? You really want to do an audit.”

Training is key, Zajac said. MSPs need to ensure that everyone gets application and security awareness training, she said.

“Make sure people understand how to use the applications so they can get the most out of them, and they can also make sure they’re doing so in as secure manner as possible,” she said. “It’s been proven time and time again that as people develop the muscle memory … by doing repeated training and testing every month, you can reduce the number of threats that people are clicking on, and you can improve the security posture of the business.”

A Lazy Hacker’s Guide to Ransomware

Also at Black Hat, Gil Azrielant, Axis Security‘s co-founder and CTO, shared insights into how to make “quick money” with ransomware.

Azrielant-Gil_Axis-Security.jpg

Axis Security’s Gil Azrielant

“The first thing you should know is it’s remarkably simple,” he said. “People and organizations built the software. They did the research, they started the crypto wallet, they developed the exploits, they research the vulnerable software, they found the different entry point and they prayed that they don’t get arrested. The stakes are so high and the work is so tedious.”

These organizations want to scale up their operations that are essentially ransomware as a service, Azrielant said.

“You subscribe to these and then you can either use their own infrastructure or white-label their malware,” he said. “And then you can target whichever people you want to target and go. No development required. You don’t even need to know how code works. Ransomware as a service takes most of the risk, and they share much of the profit with you.”

There’s a lot of money to make, Azrielant said. Organizations pay $110,000 on average, which is up 33% since the fourth quarter of 2019. Cybercriminals extorted nearly $8 billion in 2019.

“And it’s usually paid within a few hours or a few days,” he said. “So the sales cycle is really quick.”

Ransomware is a business, and people who build great ransomware want to earn more and more, Azrielant said. So they’re turning to channel marketing, and “you have the opportunity to become that channel,” he said.

“It’s a pyramid scheme that actually works,” he said. “Most pyramid schemes fail because the product doesn’t work and because people don’t scale exponentially. But computers can. Sometimes it’s enough to compromise one endpoint in a large network of tens of thousands of endpoints to allow it to propagate and really get more of a foothold on an organization, and increase the payout by so much more.”

Cognizant, the world’s largest managed IT services company, wasn’t ready to defend itself against ransomware. It lost $50-$70 million right after the ransom, Azrielant said.

“This is the result of the ransom paid, as well as liability, damage control, and lots and lots of loss of business,” he said. “And put yourselves in their shoes. Would you have paid the ransom to make this problem go away, to make it smaller, to decrypt your files and know that this is all behind you? I know I would.”

Read more about:

MSPs

About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like