30 July 2018

Is America ready for Russian cyberattack on our election?

BY MICHAEL BAHAR 

Of all the attention the recent Helsinki summit generated, one aspect has garnered scant coverage, but it has the ability to shake America and other democracies to their core. This problem is data manipulation. Defending himself in an interview with Chris Wallace, Russian President Vladimir Putin, said: “What was the problem? It concerned the hacking of a Democratic candidate’s email. Did this attack involve manipulation with facts? This is very important. I want the Americans to hear this. Did anyone manipulate with the facts or plant fake information? No.”

But they could have. In September 2015, former national intelligence director James Clapper appeared before the House Intelligence Committee and warned that the next “push of the envelope” in cybersecurity might be attacks that change or manipulate electronic information in order to compromise its accuracy or reliability. These attacks are not designed to steal data but rather to disrupt, embarrass, undermine, or bring companies and entire systems down.

I was staff director and general counsel for the House Intelligence Committee during the 2016 election. In that job, I had access to material for the Gang of Eight. This is information so classified that only eight members of Congress (and their staff director or national security adviser) could view it. Among the things I worried about most during that election was not the theft and release of legitimate emails, which was bad enough, but the theft and release of doctored or manipulated or faked emails.

Looking ahead to our election in November, should hackers manipulate the facts and plant fake information, is America prepared? Can we rely on candidates to responsibly forswear the use of leaked materials out of greater loyalty to the country than to themselves, even though manipulated information will eventually prove a double-edged sword?

What about companies? Are they prepared? A nation state or criminal could break into a ban system and create a whole email trail evidencing insider training or scandalous conduct among top executives. The hacker could then leak those emails and, before the truth could be sorted out, the damage would be done in terms of regulatory and criminal investigations, costly litigation, reputations damaged, and lives ruined.

Even an individual with a financial motive could launch a data manipulation attack, by, say, shorting a stock before conducting the attack. This type of attack is not hypothetical. At this point, it is more a matter of intent than capability. Hackers already gain access to systems and send fake emails to lure recipients into clicking on malicious links in order to gain deeper access or to jump to new victims. If they can fake a phishing email, they can fake anything else.

There are also indications that nations are testing data manipulation techniques in preparation for larger scale attacks. In September 2017, the American government released a maritime advisory alerting the shipping industry to multiple instances of GPS interference experienced in June 2017 by more than 20 vessels operating in the Black Sea. News of this incident had spread earlier, with many ships in waters near the Russian port of Novorossiysk complaining that their GPS systems showed their location to be at Gelendzhik Airport, more than 32 kilometers inland.

In the face of this gathering storm, there are things that can be done. On the low technology side, organizations, including state elections, can use greater redundancy or hard copy backups or, in the shipping context, a good old fashioned sextant. On the high technology side, organizations and governments can consider employing blockchain technology, which is generally immutable, or investing in alternative positioning and navigation networks to reduce reliance on GPS.

Ultimately, as national intelligence director Dan Coats has said, the system is blinking red, with our military and private sector networks under relentless attack. The next turn of the screw will be data manipulation attacks, and only those governments and companies that are prepared will withstand the coming squeeze. Most important, only citizens who commit to facts and to codes of acceptable conduct during elections will earn the right to retain their democracy and institutions.

No comments: