Results of the Election Cybersecurity Scorecard, published by the Center for Strategic & International Studies (CSIS), found that states average a C- in election security. In a live webcast from the CSIS headquarters today, panelists discussed the results of the scorecard and what it means for election security. The panel looked at the progress made since the 2016 election and the gaps that remain.
In evaluating election security, CSIS identified four categories: campaigns, voter registration and election management systems, voting systems and election night reporting. The scorecard ranked threats by four degrees ranging from moderate to extreme.
According to the scorecard, the greatest threats exist in the ongoing attacks that target campaigns. “In 2018, cyber attacks by Russian hackers have allegedly targeted multiple Congressional campaigns, including Senator Claire McCaskill,” the CSIS wrote. Of all four categories, campaigns had the highest risk, with a "severe" rating.
In part, the inconsistency of security is a contributing factor to the severe risk level. “Cybersecurity practices for political campaigns remain inconsistent, although efforts by Department of Homeland Security (DHS) and the FBI to provide cybersecurity training and support to campaigns have had some effect. Extremely tight budgets, mostly-volunteer staffs, poor cybersecurity awareness, and the use of distributed, ad-hoc systems by campaigns have made improving campaign security difficult in spite of significant publicity around attacks on campaigns and campaign officials, particularly for local and state elections,” the scorecard said.
In the remaining three categories, the risk is serious, though the CSIS found that security in voter registration and election management systems and voting systems is improving. However, the security of election night reporting was rated as "weak."
Overall, the CSIS found that while elections in the US are vulnerable to cyber-threats, “we are not investing in strong security.” Despite the lack of investment and the continued attempts to exploit vulnerabilities in campaigns and voting systems, progress is being made.
CSIS found that 44 states participated in a DHS exercise to practice incident response plans and information sharing. In addition, all 50 states are now members of Multi-State Information Sharing & Analysis Center (MS-ISAC), and 548 state and local election organizations are members of Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).
“The real risk here is around system vulnerabilities. The first step in protecting these critical systems is admitting that they are all vulnerable and looking for one tool or piece of software is not the answer," said Jon Check, senior director, cyber protection solutions, Raytheon. "While reports show that it would be extremely difficult for an adversary to change the outcome of a national election by hacking into voting machines and changing enough votes, past hacks have proven our election integrity is far from secure.
"But it’s not all doom and gloom. The more data we mine and conversations we start around election security, the more we can help solve the awareness issue. We need to build back confidence in the security of our systems, which will involve industry and government partnerships to harden voting systems and build up better network resiliency. It will take a combination of these partnerships, good cyber-hygiene and proven tools to ensure secured elections and restore our citizens faith in our electoral process.”
Over 600,000 breached corporate log-ins belonging to staff at the UK’s leading construction, architecture and property firms are available for sale on the dark web, according to RepKnight.
The cyber intelligence firm used its BreachAlert dark web monitoring tool to locate the credentials. Over 450,000 were from construction firms, 110,00 were from architecture practices and just over 47,000 were linked to property developer businesses.
A spokesperson confirmed to Infosecurity that most of these likely found their way onto the dark web via breaches of third-party sites employees had signed up to using their corporate email.
As RepKnight warned, these log-ins could be used by hackers to access a trove of sensitive corporate IP including tenders, proposals, plans and client data.
There’s also a risk that attackers could locate stores of customer data, representing a risk to GDPR compliance.
One strategy highlighted by RepKnight was for attackers to use the log-ins to covertly access the corporate email accounts of targeted individuals, selected perhaps after some LinkedIn-based research because of the role they have with the company.
They could then set-up redirects to accounts under their control. The vendor claimed to have recently discovered a client who had over 5000 emails re-directed to a malicious third-party in just a five-day period.
“With the growth in digital information sharing across the construction project lifecycle, the possibility of a data breach occurring at some stage becomes ever more real,” argued RepKnight cybersecurity analyst, Patrick Martin.
“Because of this, these firms must ensure that they have ‘high visibility’ of their data at all times and have safety measures in place to protect it — especially because most of their sensitive data often lives outside the firewall. Monitoring for cyber-attacks or data breaches inside their corporate network is no longer enough, as it is possible that a breach can happen anywhere across the entire supply chain of your business.”
The findings call to mind separate research from the firm in January this year which revealed over one million corporate email addresses belonging to 500 of the UK’s top law firms, 80% of which had an associated password.
Alongside multi-factor authentication, use of password managers and strong authentication security policies, firms can consider dark web intelligence services to scan for compromised credentials.
The value of fines issued by the Information Commissioner’s Office (ICO) has increased 24% in the year to September 30 versus the previous year, according to new data.
Law firm RPC calculated that the total cost of financial penalties issued by the UK’s data protection watchdog stood at £4.98m, up from £4m in the previous 12 months.
The average fine doubled, to £146,000, in another timely reminder for firms to ensure they pay attention to GDPR compliance.
The law firm believes the new EU-wide privacy law, introduced in May this year, will result in higher fines for large firms. However, SMEs should be spared, in the short-to-medium-term at least, and firms will not be picked deliberately by the ICO to make an example of.
RPC partner, Richard Breavington, described the hike in fines as a “wake-up call” to businesses.
“Given that there seems to be no slowdown in the number of cyber-attacks today businesses need to see how they can mitigate the risks to their customer when there is an attack,” he added.
“For example, businesses should ensure that they take out cyber insurance policies so that they can bring in experts to contain the impact of an attack and limit the exfiltration of data.”
Sarah Armstrong-Smith, head of continuity and resilience at Fujitsu UK & Ireland, argued that the ICO fine is just one aspect of data breach costs to consider.
“We must also consider the cost that a recovery, compensation claim, reputational damage or potential loss of customers can have,” she added.
“Changes in data protection legislation aim to give individuals more ownership and control over what’s happening to their personal data. The focus needs to be on the interests and rights of data subjects — employees, customers and all stakeholders: everyone you come into contact with. Their interests need to be the principal focus if companies are to avoid hefty fines.”
The stand-off between the world’s two superpowers continued this week as the US banned exports to a Chinese tech manufacturer on national security grounds.
As of October 30, Fujian Jinhua Integrated Circuit Company will be added to the Entity List because it poses a “significant risk of becoming involved in activities that are contrary to the national security interests of the United States.”
The Fujian-based DRAM maker is nearing completion of a vast $5.7bn wafer-manufacturing plant, which will help drive the Made in China 2025 strategy of self-reliance. Chips are one key area where the country's leaders believe it is too reliant on US parts at the moment.
However, Fujian Jinhua is currently locked in a legal dispute with main rival, US chip maker Micron Technology over IP theft.
The Commerce Department appeared to side with Micron in its statement, claiming that the “likely U.S.-origin technology” to be produced at the new Fujian plant would threaten “the long term economic viability of U.S. suppliers of these essential components of U.S. military systems.”
“When a foreign company engages in activity contrary to our national security interests, we will take strong action to protect our national security,” said commerce secretary, Wilbur Ross. “Placing Jinhua on the Entity List will limit its ability to threaten the supply chain for essential components in our military systems.”
In many ways the issue represents a microcosm of the overall US-China dispute, in that the former is belatedly reacting to years of state-sponsored IP theft by the latter.
However, cutting off the supply chain is unlikely to change the long-term trend — if anything it will accelerate Xi Jinping’s push for China’s total self-reliance in technology.
The move calls to mind the ban on exports slapped on ZTE after it broke sanctions on sales to Iran and then lied about it. Although temporarily lifted, that imposition could have forced the telecoms firm out of business, it was claimed at the time.