The Russian connection: Russia already moving to the next cyber incursion in U.S.

Published 11 October 2017

“From a technological point of view, this [hacking U.S. voting machines] is something that is clearly doable,” said Sherri Ramsay, the former director of the federal Central Security Service Threat Operations Center, which handles cyber threats for the military and the National Security Agency. “For us to turn a blind eye to this, I think that would be very irresponsible on our part.” Cybersecurity experts are increasingly concerned that Russia and others are already moving to the next incursion. “What really concerns me is having suffered these probing attacks last year, we may be in for an even more sophisticated, more potentially effective assault next time around—and oh, by the way, others were watching,” said Ambassador Doug Lute, a retired Army lieutenant general who served as the permanent representative to NATO from 2013 to 2017.

Russian hacking of elections no longer in dispute // Source: theconversation.com

The DEFCON report, released yesterday at an Atlantic Council event, does not say that Russia was able to breach voting machines in the 2016 U.S. election. Rather, the FBI and DHS found that Russian government hackers tried to breach the voting systems and voter registration databases in twenty-one states. These attempts were likely probing missions in preparation for a broad cyber-assault on U.S. voting in 2018 and 2020.

“From a technological point of view, this [hacking U.S. voting machines] is something that is clearly doable,” said Sherri Ramsay, the former director of the federal Central Security Service Threat Operations Center, which handles cyber threats for the military and the National Security Agency. “For us to turn a blind eye to this, I think that would be very irresponsible on our part,” she told Politico.

The manufacturers of voting machines argue that their supply chain is secure or that the components used in the machines are American-made, and that, in any event, the decentralized nature of U.S. elections would make a widespread hack impossible. The manufacturers also say that since many machines are not connected to the internet, hackers’ ability to get into the machines is limited.

Politico notes, though, that at the DEFCON event in Las Vegas, hackers – some of them very young – demonstrated how they could take over voting machines remotely, expose and manipulate personal information in voter files, and more.

It gets worse. Edward-Isaac Dovere writes in Politico that DEFCON25 was an event lasting a few days. Some of the hackers took the voting machines with them so they could take the machines apart after the show. Dismantling the machines revealed even more serious vulnerabilities: The components in the machines were not all American-made, the manufacturers’ claims to the contrary notwithstanding. The machines contained parts and programs that could easily be embedded with malware and sleeper commands – parts, moreover, that came from all over the world, including from suppliers and shippers without clear or certified security policies.

“That easily opens the possibility that a country with large resources and a long-term view—like Russia—could get access,” Dovere writes.

Ramsay noted that the United States is exposed well beyond voting machines, with the same “supply chain” issue creating risks to the electrical grid, the banking system, and more. She pointed to the fact that Russian government hackers shut down the Ukrainian power grid twice in the last two years – to send a signal to a bothersome neighbor, but also as a practice run for a larger attack on the U.S. power grid.

DHS’s notification to twenty-one states that their voting systems were targets of Russian government hackers makes the DEFCON report findings especially compelling.

“We can now definitively say that the Russians could hack our entire elections, remotely, all at once,” said Jake Braun, a former DHS official who is now the CEO of Cambridge Global Advisors.

Experts note that some of the measures required to tackle hacking of voting machines would be complicated — for example, changing the entire manufacturing process for the machines, discarding voting machines that have ever been connected to the internet, and retiring voting machines which lack an audit process.

Some measures are as simple as changing a password.

Voting machine manufacturers have so far resisted suggestions from cybersecurity experts, and some lawmakers investigating Russia’s digital interference in the 2016 election, that the manufacturers offer up their code for outside inspection.

President Donald Trump has dismissed the facts about Russian hacking or hacking attempts as “a hoax” and “fake news.” He has also rejected the unanimous conclusion of the entire U.S. intelligence community – fourteen intelligence agencies in all – about Russia’s broad, systematic, and effective cyber-meddling campaign during the run-up to the 2016 election, a campaign ordered by President Vladimir Putin himself. These conclusions are based on incontrovertible evidence gleaned from technical means, human sources, and digital forensics. Trump, though, said he believes Putin’s denial of Russian hacking over the conclusions of the U.S. intelligence agencies.

Cybersecurity experts are increasingly concerned that Russia and others are already moving to the next incursion.

“What really concerns me is having suffered these probing attacks last year, we may be in for an even more sophisticated, more potentially effective assault next time around—and oh, by the way, others were watching,” Ambassador Doug Lute, a retired Army lieutenant general who served as the permanent representative to NATO from 2013 to 2017, told Politico.

Lute, who wrote the introduction to the DEFCON report, said that from watching Putin in action, he is anxious about what looks likely to come based on what he has already seen. He said alarms should be ringing about voting in the 2018 midterms.

“It felt eerily familiar to Russian military tactics,” Lute said. “And it felt very uncomfortable in terms of how little time we have.”