409.330.9373 Info@OhainWEB.com
Elections and Cybersecurity

Elections and Cybersecurity

In my last column I talked about propaganda and election influencing in the USA by foreign governments, as well as the US doing it to others. My basic take was, so what; if others want to meddle, they always will. Just be sure to lock the barn door before the horse (data) escapes. We need to stop complaining and be prepared for when they try.

99% of votes in the USA are either cast or counted by computers.

We have invested in computerized elections because they reduce miscounts, help voters with disabilities, improve access to voting for rural voters, and speed up delivery of results. That’s goodness.

Unfortunately, we have NOT invested in strong security for our computerized elections. The average state election cybersecurity grade in a recent report was only a C-. The average grade for states with toss-up Senate races in 2018 is an F!

 Without question, our computerized election system is vulnerable to cyber threats!

 Let’s take a look at four areas of our computerized elections:

  1. Campaigns, overall risk: severe

Cyber-attacks on campaigns have been used for selective release of private documents in which adversaries release potentially compromising data on candidates and campaigns. These attacks have undermined the credibility of candidates, exacerbated social, economic, and political divisions among the US Electorate, and fueled fears of corruption and abuse by government officials.

So far in 2018, cyber-attacks by Russians have allegedly targeted multiple Congressional campaigns, including Senator Claire McCaskill of Missouri, as reported in TheDailyBeast.com.

Cybersecurity practices for political campaigns remain inconsistent, although efforts by Homeland Security and the FBI to provide cybersecurity training have had some effect. Extremely tight budgets, mostly-volunteer staffs, poor cybersecurity awareness, and the issue of distributed, ad-hoc systems by campaigns have made improving campaign security difficult in spite of significant publicity around attacks on campaigns and campaign officials, particularly for local and state elections.

  1. Voter registration and election management systems, overall risk: serious

Attacks on voter registration systems and e-poll books could be used to steal data on American voters, or affect Americans’ ability to exercise their right to vote if their voter registration is manipulated. Blocking certain voters from the polls could even alter the results of an election.

Voter registration systems in at least 21 states were targeted by Russian hackers in the 2016 election, although there is no evidence that voter rolls were actually changed.

Voter registration systems remain vulnerable to cyber-attacks, but progress is being made on basic cybersecurity standards and training, and Homeland Security is coordinating information sharing and incident response exercises with state election officials.

  1. VOTING SYSTEMS, overall risk: serious

Cyber-attacks on voting systems could be used to disrupt the voting process, or even to directly manipulate votes, perhaps the most widely-feared form of election manipulation.

There has been no evidence of foreign tampering with US voting systems in 2018, but known vulnerabilities have been demonstrated in many of the most widely used voting systems in the USA.

Vulnerabilities in voting machines and vote counting systems have received a lot of attention since 2016, but most voting systems are not connected to the Internet, and getting physical access to such a large number of machines would be challenging, particularly for a foreign adversary. Furthermore, most states have plans to replace aging voting systems and implement a paper audit trail for all votes.

  1. ELECTION NIGHT REPORTING, overall risk: serious

While attacks on election night reporting systems cannot affect the actual outcome of the election, if reported vote tallies are manipulated it could call the real results into question even if they are ultimately verified.

No evidence has emerged of foreign tampering with election night reporting systems, but exploitable vulnerabilities in official election websites, traditional and social media platforms could be exploited by foreign actors.

Secure election night reporting has received comparatively little attention and resources relative to voter registration and voting systems, and known vulnerabilities in official election night reporting websites, traditional and social media platforms remain unaddressed.

Without question, our computerized election system is vulnerable to cyber threats, and foreign adversaries want to exploit our vulnerabilities. 

Areas with the greatest risks are 1) Influence operations, 2) cyber espionage against campaigns/ candidates, and 3) attacks on voting systems. Influence and espionage are much bigger threats than sabotage.

What countries pose the greatest overall cyber threats to US Elections? Russia (81%), China (10%) Iran (2%).

The good news:

Progress is being made. Today, Basic Best Practices for cybersecurity are currently in place for information sharing (50 states), access control (46 states), and regular vulnerability analysis and intrusion detection (43 states). 9 states are using voting machines more than 10 years old; 33 states perform post-election audits, and (to me at least) most important – 36 states have a paper-trail audit for all voters.

By 2020, 46 states will either have or be in the process of implementing a Voter Verified Paper Audit Trail. (Look up VVPAT with an Internet Search Engine.)

More is needed.

A paper audit trail is a key first step in establishing resilience if computerized election systems are compromised.

Current funds are helping to implement basic security practices, but the full cost of robust security systems is much higher. Many states and counties have developed plans to upgrade or replace vulnerable systems but lack funding to implement them.

Attacks on campaigns and election night reporting systems cannot directly disrupt of change the outcome of an election, but they can undermine the credibility of American democracy, and comparatively little money or effort is being put into securing these systems.

Campaigns and election officials should leverage every available opportunity to partner with the government and with cyber security professional s and pro bono initiatives to continuously improve security on our election systems.

Hopefully we made it through the 2018 elections without any major glitches turning up. Let’s hope we’ll be much more ready two years from now.

[Most of the information contained here was distilled from papers published by the Technology Program of the Center for Strategic & International Studies in Washington DC.]

David Derosier consults with small business on planning and marketing issues, and provides web design and hosting services through OhainWEB.com, an accredited business with the Better Business Bureau that is rated A+ by BBB. He can be reached at JDAVID@Strategy-Planning.info.

Will the Russians again meddle in the upcoming American elections?

Will the Russians again meddle in the upcoming American elections?

Propaganda and election influencing by USA.

Did you know that the United States created Radio Free Europe as an overt propaganda effort during the Cold War, partially funded by CIA? Did you know that Radio Free Europe continues to this day with headquarters in Prague, a corporate office in Washington, D.C., and 17 local bureaus in countries throughout their broadcast region, broadcasting in 25 languages to 23 countries including Armenia, Russia, Iran, Afghanistan, and Pakistan. (www.RFERL.org).

The U.S. has meddled in presidential elections in other countries as many as 81 times between 1946 and 2000, according to a database amassed by political scientist Dov Levin of Carnegie Mellon University (www.dovhlevin.com/).

From Radio Free Europe to influencing elections, USA has a well-documented history of meddling in other countries’ affairs.

KremlinThink the Russians are going to try and interfere again?

I’m sure they will.

And why shouldn’t they? Especially when we do the same thing all the time.

So, if YOU think the Russians are going to try and interfere again, is that a problem?

What is the problem?

In an earlier article I wrote that problems cannot be solved…until they are broken down into issues to define the problem.

In this case, the problem is not that the Russians want to meddle in American elections; the problem is that apparently we do not have adequate counter-measures to stop them.

There is no question that we have equal or better offensive capabilities than our adversaries. We need to put more effort into having better defensive capabilities – cyber defenses in the Digital Environment. And, we should stop complaining about others, like Russia, doing what we’re doing. Just be quiet and don’t let it happen.

The Digital Environment

The Digital Environment is exploding exponentially in terms of its breadth and capabilities, and will continue to do so (I touched upon this in my article on “Changing Technology “).

Our lives are becoming increasingly dependent on the health and security of the Digital Environment.

Automation, machine learning, artificial intelligence, the Internet-of-Things (IoT), and many other advances bring tremendous opportunities…and also tremendous challenges to the Digital Environment.

Today the push is to protect privacy in the Digital Environment. That’s all well and good. However, we need to do a lot more in optimizing the security of the Digital Environment for Americans, not just privacy.

When governments collaborate with criminal hackers, such as mentioned above, it allows the governments to distance themselves from the direct perpetrators. This makes it more and more difficult to pinpoint the blame…and to point the finger at them.

We need to lock the barn door before the horse leaves, not point fingers afterwards.

On other topics…

  • REMEMBER – KNOWLEDGE IS POWER. GET OUT AND VOTE…for or against the Bond Issue and for candidates.
  • Congratulations to my friend and former mayor, Essie Bellfield, for being recognized once again for her contributions to Orange. Salem UMC is naming an education building after Ms. Bellfield, a longtime member of the congregation.
  • My next article will address strategies being discussed and put into place at the national level in the Digital Environment to add more security for Americans and our allies.

 

David Derosier consults with small business on planning and marketing issues, and provides web design and hosting services through OhainWEB.com, an accredited business with the Better Business Bureau that is rated A+ by BBB. He can be reached at JDAVID@Strategy-Planning.info.

What if Facebook did not have passwords?

What if Facebook did not have passwords?

 

Dave DerosierPasswords are there to protect you, right. But it can be a pain remembering all those different passwords for every single website you log into. So what if Facebook decided to make it easier and not require a password to get into your account? Would that be good?

Absolutely not!

The use of passwords is called Authentication. They allow the user to authenticate or verify that it’s ok to let them have access to whatever is on file. Imagine if anyone who wanted to could just access your Facebook account with your username and no password.

You may say, “Well, everything in there is public information anyway.” That’s true. But full access to your account means new information can be added, and existing information can be changed or deleted.

Suppose you are up for a big promotion at your company and another candidate goes into your Facebook account and posts bad things about your history, false information. When your employer hears about it, you don’t get the promotion. What about that?

Suppose you are happily married and an intruder goes into your Facebook account and posts pictures of someone who looks like you being intimate with someone who is not your spouse. What would you think about that?

Are you starting to see the consequences of not having a password? Even though life may be a little easier not having to remember it? Technology has changed our lives, but there is a price to pay for that changing technology – it needs to be respected, and there need to be controls, such as authentication.

Facebook authentication is called a Discretionary Access Control – meaning you, as the owner of the information, have the discretion as to who knows the password and can gain access. You also have the discretionary ability to change the password whenever you want, and (perhaps) to make it easy or difficult for someone to guess it.

Access GrantedAuthentication is just one type of “access control” intended to prevent unauthorized use of technology. Physical access control starts with good old fashioned door locks and keys; and extends, with technology changes, to computer based methods such as key cards, retina scans, embedded microchips, and many others.

What about the comments and photos and videos that others can post to your timeline on Facebook? You have the ability to add some access controls there too. For example, you may decide who can post on your timeline or who can see what others post on your timeline.

Without a password to get into your Facebook account, anyone can look up your user name, make those changes and you would never know.

So what’s the purpose of telling you all this? The message that I want every reader to remember was already stated above but is well worth repeating:

Technology has changed our lives, but there is a price to pay for that changing technology – it needs to be respected, and there need to be controls.

David Derosier consults with small business on planning and marketing issues, and provides web design and hosting services through OhainWEB.com, an accredited business with the Better Business Bureau that is rated A+ by BBB. He can be reached at JDAVID@Strategy-Planning.info.

Changing Technology

Changing Technology

Dave DerosierMore than half a century ago, the co-founder of Fairchild Semiconductor and Intel observed that technology was doubling every year. His criterion was the number of transistors that could be placed on an integrated circuit. That criterion may have changed, but the concept of what became known as Moore’s Law has not changed. Technology is constantly and rapidly changing.

So what? What do we do about it? How do we keep up with the changes? Do we need to keep up with the changes?

In the 1960s the US Dept of Defense funded the development of ARPANET, a precursor of today’s Internet. In the 1970s wide area networking became common amongst large companies and mini-computers began creeping into small and medium size business.  In the 1980s, PCs replaced mini-computers.

In the 1990s, I was developing websites using a new language called HTML and accessing the Internet over dial-up lines. Very slow by today’s standards. During this same time, cell phones started to proliferate.

Now in the 21st century, the Internet is ubiquitous, so are websites. Everywhere and everyone (almost) are connected with high speed connections and “apps” (short for applications). Search Engines – Google, Bing, Yahoo, etc. Social Media – Facebook, Twitter, and countless others. Today the Internet drives a tremendous amount of our economy, of our lives.

After browsing Amazon for some power tools, you probably find advertisements for those same tools when you go to your home page on Facebook. Did you know your personal browsing habits are recorded? Search engines, Amazon, etc. sell your history to others as another way to boost their profits.

Cellular communications have joined the Internet.

Virtual AssistantVirtual Assistants (like Alexa) can access the internet for you using voice commands and replying back using voice. We are seeing the Internet of Things (IOT) as the next upcoming generation. With IOT, Alexa can turn your A/C down, lock your front door at home while you’re at work, and a host of other tasks. Just remember, the devices on the IOT are connected together; as they become smarter they are able to share data…on their own!

Isn’t technology great?

As we hand over our control to technology, we need to consider the cost of such delegation especially in terms of privacy and security. Can you really trust a virtual assistant to be loyal only to you?

How can a virtual assistant respond so quickly to your voice? Because it is always listening and it is always connected to the Internet. Who else is listening, either in real time or to the recorded conversations?

When you post personal data on a friend’s page on Social Media, who else can see it? You marked it as “private”; therefore the maker of the app would never allow it to be seen by anyone else, right?

Technology can ease some burdens, maybe even make life easier, but the cost is an ever increasing vulnerability to those who have their own agenda in mind, not ours. Some are just greedy and want to make more money with that information. Some can be malicious.

Everything you do online is recorded, be careful what you share.

David Derosier consults with small business on planning and marketing issues, and provides web design and hosting services through OhainWEB.com, an accredited business with the Better Business Bureau that is rated A+ by BBB. He can be reached at JDAVID@Strategy-Planning.info.

Extension of the Patriot Act by Congress And Government use of Meta-Data

Extension of the Patriot Act by Congress And Government use of Meta-Data

Last week Congress failed to extend the controversial Patriot Act, based in large part on attempts to stop the use of Meta Data by government security agencies. Another Senate vote was set for Sunday night, after being blocked by Senator Rand Paul

My fear is that Congress, and a lot of the American people, are becoming paranoid about technology and losing sight of the real issue. Advances in technology should not be feared; they need to be used for our benefit. How to contain the abuse of technology is where our focus should be.

I remember when I was growing up, we had a telephone table at the bottom of the stairs by the front door in my house. It had room for the black phone (no dial) and a phone book.

My first memories were of a phone on a party line. That meant we shared the same wires with someone else but the phone rang in our house at the same time as it did in the other party’s house. That’s why they called it a “party line.” If the incoming call was for us it had a different ring than the other party (like double-ring for us vs. triple-ring for them). I could pick up the phone (receiver) if it had a triple-ring and hear the other people talking. We literally shared the same line. Not real private, but it was good technology for the time.

To place a call, all you had to do was lift the received off the phone – and there was the operator. Give her (always female) the number you wanted and she could connect you via a switchboard and give the other person their special ring so they would pick up. Officially it was the Switchboard Operator, but it got shortened to just The Operator.

Later we switched to a private line and didn’t have other parties sharing the same line with us. Technology was progressing. Then we progressed to having a dial on the phone and only needed the operator for long distance. Next step, “direct dialing” with Area Codes; to tell the phone system (“Ma Bell”) it was long distance, we had to dial “1” first, then the area code.

Believe it or not, that was a half-century ago!

Today you just pick up your smart phone and dial a call from anywhere by pushing a single button and it goes through…usually. Ever wonder how it works?

If I’m in Orange with a Lake Charles cellphone, when I make a call my phone talks in digital to a tower and asks for an open line. The tower goes back to my Home Location (Lake Charles) and asks if it’s ok to let me use a line (i.e. will I pay for the call). If Lake Charles says OK, Orange adds me to the Local Area log so if I make more calls they know I’m OK to bill. Then they give me a line and the call goes through. This can happen in a split second, so I never even notice a delay.

When talking from Orange with someone in Houston on my Louisiana-based phone, I am using what is called a “traffic channel”. Before that, when my phone was talking with the tower to set up the phone, it was done over a “control channel.” At least at some levels, that’s a bit like talking with the operator and then getting connected on an open line.

The operator and her switchboard kept a record of the connection activity – so they could bill my family. Today the phone systems keep records of this connection activity too – so they can bill me for it. The concept is not a lot different, but the technology to do it has changed dramatically. This digital connection activity from the control channel is called “Meta Data”.

When you hear stories about the National Security Agency (NSA) and other government organizations storing information for use in analyzing terrorist phone activity, it’s the “Meta Data.” It’s just machine-to-machine communications to set up the call, not the stuff that’s carried on the “Traffic Channels”, no voice, nothing human, just connect data. It’s what the phone company uses for billing.

So what really is “Meta Data”? It’s information about other data. In a digital photograph, it identifies the camera settings and the camera that took the picture, it might even include a GPS location where the picture was taken. In the header of a webpage, the Meta Data includes the type of coding used, the title for the page, and perhaps some keywords.

In the 1950s the operator kept a log so Ma Bell could send a bill. Today the phone company stores records of Meta Data so they can send bill to the customer. What has changed is that it now all digital and can be manipulated and analyzed by software applications.

Digital means it’s stored on a computer. Digital means it can be sorted. Digital means it can be analyzed – by software applications called Data Mining.

Phone companies keep Meta Data to bill customers. They analyze it for marketing purposes. Perhaps it is used to improve service to their customers. Perhaps they also sell it commercially to others for marketing purposes. It’s a bunch of statistics.

Use statistics to improve service? By analyzing the Meta Data, you can get a better picture of when your phone lines are busiest, what departments are making the most outgoing calls and who’s getting the most incoming calls. What customers are calling you? Proper analysis can help improve revenue and expenses in a business. It’s good for business.

It is also absolutely essential for National Security in tracking information on terrorists and terrorism. People are concerned about the trade-offs of security versus privacy. What they fail to acknowledge is that we as a people have already abdicated our own rights to privacy by publishing information to the world on social media and e-mails. Is there anyone today who thinks that what they write in an email is really private information? How about what is published on Facebook, or Twitter, or other social media?

I do not believe that we need to constrain technology; we need to constrain those who use technology so that they do not abuse it. We do NOT need to take away valuable tools that our government uses and needs to combat terrorism and terrorists. We do need to make sure it is not abused.

We need to protect our country and our way of life. We need to keep the information private and let NSA and other anti-terrorist have the Meta Data and do their job – just give them boundaries on what they can do with it…and police them.

We cannot allow technology progress to reduce our security, we need to use it to increase our security – and prevent abuse. If you have strong feelings about this, write to our Congressman, Dr. Brian Babbin, at his office right here in Orange at 420 Green Avenue. Let him know what you think. That’s how our system of government works. Let our leaders know and make them accountable.

J David Derosier is a retired technology professional and worked for several years in a business that developed technology to prevent the use of cellular devices in restricted areas, without jamming. Prior to that he worked with Fortune-500 companies in Information Security (InfoSec) with a global focus on National Security. Today he consults with small business on planning and marketing issues, and provides web design and hosting services. He can be reached at JDAVID@Strategy-Planning.info.

[Want to see website Meta Data? With Internet Explorer, click on View>Source and look for the word “meta”. With Firefox click on Menu>Developer>Page Source.]

David Derosier consults with small business on planning and marketing issues, and provides web design and hosting services through OhainWEB.com, an accredited business with the Better Business Bureau that is rated A+ by BBB. He can be reached at JDAVID@Strategy-Planning.info.