FBI says hackers want to stoke doubt about the 2020 election

In a PSA on Monday, the FBI and CISA warned about the potential for widespread disinformation campaigns in the run-up to November.

The FBI and Cybersecurity and Infrastructure Security Agency released a warning on Monday alerting the public about the potential for widespread disinformation campaigns designed to cast doubt about the legitimacy of the coming elections in November.

The announcement says “foreign actors and cyber criminals” are trying to spread false claims of cyberattacks on US voter registration databases or voting systems in an effort to “manipulate public opinion, discredit the electoral process, and undermine confidence in US democratic institutions.”

“In reality, much US voter information can be purchased or acquired through publicly available sources. While cyber actors have in recent years obtained voter registration information, the acquisition of this data did not impact the voting process or the integrity of election results,” the release said.

“In addition, the FBI and CISA have no information suggesting any cyberattack on US election infrastructure has prevented an election from occurring, compromised the accuracy of voter registration information, prevented a registered voter from casting a ballot, or compromised the integrity of any ballots cast.”

SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)

For experts on election cybersecurity, the announcement was a welcome move to try to bolster an already contentious election season.

Karen Walsh, a cybersecurity compliance expert with Allegro Solutions, said the PSA may have been in response to previous news reports that are being hotly debated in the cybersecurity community.

She noted that nation-state actors are far more likely to spread disinformation leading up to the election than to attack actual voting machines due to the difficulty of the task.

“Cybersecurity professionals can use forensic evidence to trace cybercriminal voting machine attacks, but disinformation, especially with voters’ use of social media, is a lower risk for them with a higher impact payout,” Walsh said.

“The 2019 Voting Village report from DefCon detailed a variety of attack methodologies that could be deployed against voting machines. Of note, however, is that many of the successful attacks required physical access to the machines. Ultimately, the bigger PSA here is that election officials need to take basic precautions: Disconnect machines from the internet, change all default passwords, and ensure physical security.”

Targeting misinformation

Other experts, like Chloé Messdaghi, said the FBI was right to address the misinformation angle of cyberattacks in addition to the legitimate concerns about actual attacks on election infrastructure.

As vice president of strategy for Point3 Security, Messdaghi said she has seen an “unprecedented amount of noise – i.e. non-validated news and innuendo” on social media throughout this election cycle.

“This rumor-mongering goes hand in hand with the other side of the cyber threat: Actual cyber attacks such as ransomware attack attempts against software-delivered services providers who serve local city, county and town governments, designed to discredit legitimate election results and sow discontent,” she said.

“As citizen’s we need to ask ourselves: Could attackers get into my ballot? The cybersecurity sector’s response is ‘we have your back and are working double overtime to protect the integrity of this election.’ Our best advice: Vote. It’s safe, legitimate, and needed more than ever. Kudos to CISA and the FBI for bringing attention to this threat of innuendo that’s designed to discourage participation and erode confidence in results.”

She added that because of the complaints from certain figures about mail-in voting, the FBI had a duty to assure people that the election will be secure, safe, and accurate.

As mentioned in the FBI PSA, it will be key for all voters to verify the information they read and make sure that they do their research before voting.

SEE: Navigating data privacy (free PDF) (TechRepublic)

Saryu Nayyar, CEO of Gurucul, echoed those remarks, saying that foreign and domestic actors are “leveraging social engineering techniques through various platforms to damage trust in the election process.”

“The FBI is offering sound advice, in reviewing suspect claims and checking with trustworthy sources of information,” Nayyar said. “A scary headline posted by an Aunt’s Friend’s Cousin on social media is a good reason to check sources, rather than to panic that the election has been compromised.”

Katie Nickels, intelligence director at Red Canary, said there is no evidence that cyberattacks have led to a direct manipulation of election results.

She added that there have never been any concrete instances of “election hacking” in the traditional sense but 2016 did see unprecedented cyberattacks on specific candidates. But the cyberattacks on the Democratic National Committee and the campaign of former Democratic nominee for president Hillary Clinton were not the same as physical attacks on voting machines.

“Leaking emails or other information is one thing, but manipulating vote counts is another,” she said.

“Ultimately, misinformation remains one of the greatest threats to the US election, whether it’s in the form of propaganda, hack and leak operations, or an erosion of confidence in the US voting system, intended or otherwise.”

One of the biggest issues with disinformation relates to social media and the way unverified information can be propagated widely by dubious sources.

Multiple cybersecurity experts said social media was contributing to the spread of disinformation again as it did in 2016, fueling speculation on both sides of the aisle about the fairness of the coming election. According to former CIA cyberthreat analyst and senior vice president of KnowBe4, Rosa Smothers, disinformation is arguably the most effective, least attributable form of voter manipulation.

“Our adversaries will continue to utilize this for as long as users share, before they stop and verify information. Ultimately, this comes down to people making the effort to be discerning information consumers—and it’s vital we consider teaching these skill sets to elementary and ‘tween’-aged kids as they’re introduced to social media,” Smothers said. “This threat will continue to increase as the social media user base expands but our collective ability—or unwillingness—to identify disinformation does not.”

Social media disinformation continues

Tamer Hassan, CEO of White Ops, said the proliferation of bots on sites like Twitter and Facebook should force everyone to question anything they see online.

“We’ve reached a point where American citizens can no longer assume that interactions they have online are with humans, and not with increasingly sophisticated bots. Today, these bots look and act human, so the real question has become, if you can look like a million humans, what can you do?” Hassan said.

“As we approach the upcoming election, individuals need to consider that election news and comments they see online or the person they are interacting with digitally could be a bot. We as a cybersecurity industry alongside law enforcement and other partners must continue to work together and work harder to ensure real human engagement as our country’s integrity depends on it.”

The kinds of disinformation campaigns being pushed heavily by bots take a variety of forms, including false information about voting logistics like date, place, or fake voting requirements, according to Chris Clements, vice president of solutions architecture at Cerberus Sentinel.

Clements criticized the leaders of social media sites for benefiting monetarily from the proliferation of bots and for the spread of false information that has been proven to galvanize large groups.

“Human nature being what it is, we often struggle to identify misinformation that appears to reaffirm our world view. However, this is exacerbated by perverse incentives present in the business models of some social media firms. Social media firms make money by selling ads. Their revenue increases the more ads they can show their users and the greater the user’s interaction with a given ad,” Clements said.

“By that logic, one of the primary business goals of social media firms is to keep the user interacting with the social media’s platform as often as possible and for as long a duration as possible. Unfortunately, social media companies have learned that one of the most effective ways to do this is to ensure that users are exposed to information that reinforces their worldview as well as sparks outrage along hot-button topics.”

Social media algorithms, he added, are tuned to maximize user engagement by filling user feeds with content that can inadvertently play directly into the hands of adversarial influence campaigns, leading to more division in the nation’s citizenry.

While companies like Facebook and Twitter routinely identify and take down accounts they can tie to foreign influence campaigns, they end up missing many more, he said.

Exabeam chief security strategist Steve Moore said the kind of cyberattack claims referenced in the announcement aren’t legitimate but have run rampant in recent years.

Even though these claims are generally not true, election officials need to be aware that there are cyberattackers who will try to hack election infrastructure and that election cybersecurity would be paramount to avoid any problems.

“The 2016 election, of course, saw Russian nation-state meddling. More recently, in 2019, cybersecurity researchers gathered to test the security of 100 voting machines, and every single device was compromised in some way. Some took minutes, some took hours, but they were all vulnerable, painting a potentially grim picture for this year’s elections,” Moore said.

“In addition, there isn’t a consistent managed environment for election support—it’s built up and torn down for each election. This should also be a major area of focus. While Congressional funds are available for states to use to replace outdated, vulnerable machines, we’re seeing a long term underinvestment from the government. What we have now is too little way too late and should have started post-2016. These funds simply are not enough to cover the vast number of machines that need to be replaced. So, maybe mail-in ballots are a reasonable, safe path forward in the short term.”