Upcoming Election Threats: The Spookiest Time of the Year
Bubble bubble, toil and trouble...
Halloween, threats and elections, oh my!
So, full disclosure, Halloween is one of my favorite holidays. I enjoy the dressing up (the kids, not me) and I am a big fan of candy (chocolate, specifically). My kids are grown now so my excuse to go buy large quantities of candy from Costco is gone. I still do it, I just don’t have an excuse anymore.
Halloween is meant to be a spooky time, but when you couple it with a major election and all the cyber revelations being dropped like Casey Kasem’s top 40 singles, it moves from spooky to downright terrifying.
Case in point - this little ditty that just recently popped into the top 40:
Essentially, the Government Accountability Office (GAO) found that nearly every new Department of Defense weapon system was vulnerable to some kind of compromise or attack. Some of the weaknesses were simple, such as open-source software that still had its default passwords, or passwords that were easily guessable within minutes.
We keep seeing this, time and time again, and it sometimes boggles the mind when you think about how some simple things could be applied to avoid these types of catastrophes. First, if there is a default password, change it! Seems pretty straightforward. I know passwords suck and I have high hopes that we will get rid of them in my lifetime, but until then, practice some basic account hygiene. Change the passwords.
Also, since passwords by themselves are problematic, 2FA, 2FA and 2FA (two-factor authentication). If the answer to the question, “What happens if someone guesses the password?” is “I am owned” - then yeah, 2FA. It’s a simple, yet very effective way to not get owned; at least, not easily.
This brings me to my next Halloween spooktacular issue. Election security.
I still don’t think we have a good handle on how to protect an election. That includes the election apparatus itself (voting machines), systems used by voting officials, their contractors and elected officials. Let’s just say it: 2016 was an abysmal failure of epic proportions. Like gargantuan. I like the word gargantuan and I rarely get to use it in a sentence.
“Sometimes the winning move is not to play.”
Or at least to regroup to fight another day.
I personally think it’s so bad that the only real choice for protection of the voting apparatus is to go back to paper ballots. Heresy, I know (especially for this self-professed tech geek), but desperate times call for desperate measures. And don’t talk to me about “hanging chads.” This is a false equivalency, similar to saying, “Well, my calculator is broken and I could do the math on paper, but I’d rather just live with the incorrect calculations.” Please. This is a minor sticking point when compared to an overall system vulnerability.
Even if we don’t go completely back to the Stone Age, we might still want to put in a paper trail (you know, a receipt?) so that we can reconcile to ensure the numbers add up. I’m no accountant, but I think most would understand this analogy.
For additional context, here are some blogs we’ve posted over the past several months that talk about all the research and exposure around election security:
- Spoofed Domains Target U.S. Senate and Political Organizations
- Breaking Down the DNC & DCCC Cyber Attack
Ok, now that I’ve scared everyone (myself included), here’s the thing. We can do this. We have the smart, dedicated people we need. Just look at all the discussions in Vegas this past summer:
- Election website security a mess for states and candidates alike
- DEFCON Video Shows a Voting Machine Used in 18 States Is Hacked in 2 Minutes
I think so… maybe… you betcha. But I think (nay, hope) we wouldn’t need to go back forever. This is not an insurmountable task. But the risk is high enough to do a reset. Let’s get our security ducks in a row and then re-engage. Look, democracy is messy. I get that, but we as citizens? This is what we do. As they say, it’s our civic duty. And while I don’t think we need to pull the ripcord just yet, we do need to be vigilant and take the security of this solemn process seriously.
This is too important not to get right.