Lee Clark is a cyber intelligence analyst currently working on cyber defense strategy in the Middle East.  He holds an MA in intelligence and international security from the University of Kentucky’s Patterson School. He can be found on Twitter at @InktNerd.  Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.


Title:  An Assessment of the Current State of U.S. Cyber Civil Defense

Date Originally Written:  September 11, 2019.

Date Originally Published:  November 22, 2019.

Author and / or Article Point of View:  The author is an early-career cybersecurity analyst with experience advising private and public sector organizations on cyber threats and building cyber threat intelligence programs.

Summary:  Local civic organizations in the U.S. are experiencing a wave of costly and disruptive low-sophistication cyberattacks on a large scale, indicating widespread vulnerabilities in networks. In light of past and ongoing threats to U.S. cyber systems, especially election systems, this weak cybersecurity posture represents a serious national security concern.

Text:  The state of cyber defenses among public sector entities in the United States is less than ideal. This is especially true among smaller civic entities such as city utility companies, local government offices (including local election authorities), and court systems. There is currently an ongoing wave of cyberattacks against government systems in cities across the U.S. In 2019, more than 40 local government organizations experienced successful ransomware attacks[1]. These widespread attacks indicate an attractive attack surface and vulnerable profile to potential cyber aggressors, which has broad implications for the security of U.S. cyber systems, including election systems.

Ransomware is a vector of cyberattack in which malicious actors compromise a victim’s computer and encrypt all available files, then offer the victim a decryption key in exchange for a ransom payment, typically in a cryptocurrency such as Bitcoin. If victims refuse to pay or cannot pay, the files remain encrypted and the infected computer(s) are rendered useless. In some cases, specialists can decrypt the files without paying the ransom. In other cases, even if victims pay, no working decryption key exists and the files are permanently locked.

Ransomware is among the most common and least sophisticated forms of cyberattack in the field today. Attacks of this type have grown exponentially in recent years, and one study found that in 2019, 18% of all cyber-related insurance claims internationally were linked to ransomware incidents, second only to business email compromises[2]. In some cases, insurance companies were found encouraging clients to pay ransoms because paying was cheaper than recovery; this practice in turn sustains the criminal business model and expands the market for cyber insurance services[3].

Ransomware attacks are relatively easy for attackers to execute, and target computers are often infected by tricking a victim into clicking a malicious link in a phishing email disguised as a legitimate business communication. For example, in 2018, city computer networks in Allentown, Pennsylvania were offline for weeks after ransomware entered the system through an employee’s email: the employee had failed to install security updates and then clicked on a phishing email. The attack cost the city around USD 1 million to resolve, and ongoing security improvements are costing approximately USD 420,000 per year[4].

Local city systems make for attractive targets for cyber attackers for several reasons: 

1) Such organizations often carry cyber insurance, indicating an ability to pay and a higher likelihood of attackers being paid quickly without difficulty.

2) Local government offices have a reputation for being soft targets, often with lax and/or outdated security software and practices.

3) Infecting systems requires very little investment of resources on the attacker’s part, such as time, technical skill, focus, and labor, since phishing emails are often sufficient to gain access to targeted networks.

4) Executing successful attacks against such organizations often results in widespread media attention and tangible damages, including monetary cost to the organization, disruption to services, and public backlash, all of which enhance the attacker’s reputation in criminal communities.

Because of the ongoing prevalence of ransomware attacks, U.S. officials recently voiced public concern about the plausibility of ransomware attacks against election systems during the 2020 elections[5]. A chief concern is that attackers with enough system access to lock the files very likely also have the ability to alter and/or steal files from an infected system. This concern is compounded by recent revelations by the Senate Select Committee on Intelligence that Russian-linked threat actors targeted election systems in all 50 states in 2016, most successfully in Illinois and Arizona[6].

It should be noted that U.S. federal agencies and private consulting firms have engaged in a large-scale effort to increase security measures of election systems since 2016 in preparation for the 2020 election, including hiring specialists and acquiring new voting machines[7]. The specifics, technical details, and effectiveness of these efforts are difficult to properly measure from open source materials, but have drawn criticism for their limited scope[8].

In the U.S., election security is among the most complex and difficult challenges facing the cybersecurity field. Elections involve countless competing and interacting stakeholders, intricate federal and local regulations, numerous technologies of varying complexity, as well as legal and ethical norms and expectations. These nuances combine to present a unique challenge to U.S. national security concerns, especially from a cyber-viewpoint. It is a matter of public record that U.S. election systems are subject to ongoing cyber threats from various actors. Some known threats operate with advanced tactics, techniques, procedures, and resources supported by technologically-sophisticated nation states. 

The recent wave of ransomware attacks on local governments compounds election security concerns because the U.S. election system relies heavily on local government organizations like county clerk and poll offices. Currently, local systems are demonstrably vulnerable to common and low-effort attacks, and will remain so without significant national-level efforts. If local defenses are not developed enough to resist a ransomware attack delivered in a phishing email, it is difficult to imagine a county clerk’s office in Ohio or Kentucky having sufficient cyber defenses to repel a sophisticated attack by a Russian or Chinese-backed advanced persistent threat group. 

After the beginning of the nuclear arms race in the second half of the 20th century, the U.S. government developed a national civil defense program by which to prepare local jurisdictions for nuclear attacks. This effort was prominent in the public mind and expensive to execute. Lessons from this national civil defense program may be of value to adequately prepare U.S. civic cyber systems to effectively resist both low and high-sophistication cyber intrusions.

Unlike nuclear civil defense, which has been criticized for achieving questionable results in terms of effective defense, cyber civil defense effectiveness could be benchmarked and measured in tangible ways. While no computer system can be entirely secure, strong indicators of an effective cybersecurity posture include up-to-date software, regular automatic security updates, periodic security audits and vulnerability scans, established standard operating procedures and best practices (including employee cyber awareness training), and a well-trained and adequately-staffed cybersecurity team in-house.


Endnotes:

[1] Fernandez, M., Sanger, D. E., & Martinez, M. T. (2019, August 22). Ransomware Attacks Are Testing Resolve of Cities Across America. Retrieved from https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html

[2] Cimpanu, C. (2019, September 2). BEC overtakes ransomware and data breaches in cyber-insurance claims. Retrieved from https://www.zdnet.com/article/bec-overtakes-ransomware-and-data-breaches-in-cyber-insurance-claims/

[3] Dudley, R. (2019, August 27). The Extortion Economy: How Insurance Companies Are Fueling a Rise in Ransomware Attacks. Retrieved from https://www.propublica.org/article/the-extortion-economy-how-insurance-companies-are-fueling-a-rise-in-ransomware-attacks

[4] Fernandez, M., Sanger, D. E., & Martinez, M. T. (2019, August 22). Ransomware Attacks Are Testing Resolve of Cities Across America. Retrieved from https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html

[5] Bing, C. (2019, August 27). Exclusive: U.S. officials fear ransomware attack against 2020 election. Retrieved from https://www.reuters.com/article/us-usa-cyber-election-exclusive/exclusive-us-officials-fear-ransomware-attack-against-2020-election-idUSKCN1VG222

[6] Sanger, D. E., & Edmondson, C. (2019, July 25). Russia Targeted Election Systems in All 50 States, Report Finds. Retrieved from https://www.nytimes.com/2019/07/25/us/politics/russian-hacking-elections.html

[7] Pearson, R. (2019, August 5). 3 years after Russian hackers tapped Illinois voter database, officials spending millions to safeguard 2020 election. Retrieved from https://www.chicagotribune.com/politics/ct-illinois-election-security-russian-hackers-20190805-qtoku33szjdrhknwc7pxbu6pvq-story.html

[8] Anderson, S. R., Lostri, E., Jurecic, Q., & Taylor, M. (2019, July 28). Bipartisan Agreement on Election Security-And a Partisan Fight Anyway. Retrieved from https://www.lawfareblog.com/bipartisan-agreement-election-security-and-partisan-fight-anyway