Cybersecurity Agency Ranks Election Security and Ransomware as Biggest Threats
CISA Director Christopher Krebs at the 2020 RSA Conference in San Francisco. (Photo: Mathew J. Schwartz/ISMG)
The 2016 U.S. presidential election served as a wake-up call for American lawmakers and the public about the threat that cyber attackers may pose to the very foundation of a democratic society.
So said Christopher Krebs, director of the U.S. Cybersecurity Infrastructure and Security Agency, which is charged with protecting the country’s critical infrastructure.
Krebs was speaking at RSA Conference 2020 in San Francisco on Tuesday, and he detailed how his young agency is now preparing for the 2020 elections in November, as well as tackling a range of cybersecurity issues that face the U.S., including the increasing scale and severity of ransomware attacks targeting local governments and schools.
Krebs said the 2016 U.S. elections served as a “Sputnik” moment for America, referencing the launch of the Russian satellite in 1957, which alerted lawmakers and the American public to the threat posed by Moscow – namely, that it possessed a working intercontinental ballistic missile able to deliver offensive payloads across oceans. In 2016, the fact that Russian online trolls could spread disinformation via social media made clear a rising threat in the cyber realm, which is that malicious forces could potentially impact the outcome of U.S. elections or public perception of those results.
“It’s not about a single outcome of an individual race; it’s about a broader destabilizing of the public, of Congress and our [electoral] system,” Krebs said. “That’s what was so shocking about 2016. … It was the first time for elected officials and the American public to understand that cyber could destabilize a democracy.”
Speaking Tuesday morning at RSA in an on-stage keynote interview conducted by Heather Dahl, executive director and CEO of the Sovrin Foundation, Krebs detailed how his agency has been working to improve election security in America since its founding on Nov. 16, 2018. But he notably did not address some recent concerns voiced by lawmakers, government watchdogs and local cybersecurity officials, namely that his agency needs to do more to help them before the November elections, and that time is quickly running out (see: States Press for Federal Resources to Fight Cyberthreats).
2020 Elections Loom
Last week, CISA, which is part of the Department of Homeland Security, released its cybersecurity plan for the run-up to the 2020 presidential election, outlining the agency’s role as a facilitator that will assist federal, state and local agencies in protecting critical election infrastructure. The document also calls for more information sharing between different government agencies.
One challenge, however, is that vote-gathering in the U.S. remains a highly decentralized process. The Constitution gives states the authority to set many rules for how and when they conduct federal, state and local elections. As a result, Krebs said that his agency is now attempting to positively influence the efforts of 8,800 different voting districts across the country.
Another challenge concerns state districts’ voter databases, since the data they store is highly centralized and network-accessible, making these repositories vulnerable to hacking and ransomware attacks – not just by nation-state actors but also cybercrime gangs looking for an easy payday, Krebs said.
While achieving 100 percent security is not possible, Krebs said his agency is working with local and state officials to conduct vulnerability management assessments and harden voter registration databases, make them more resilient to attacks, and ensure effective backup systems are in place in case data gets wiped or crypto-locked.
“You have an offline backup that you test with and practice with and you have a plan,” Krebs said.
Ransomware: Lessons Learned
Although much of CISA’s focus since its launch has been to prepare for the 2020 elections, Krebs said that another major online threat to the U.S. involves the seemingly nonstop increase in ransomware attacks, especially against local and state governments, as well as school districts and healthcare agencies (see: Ryuk Eyed as Culprit in New Orleans Ransomware Outbreak).
But many industries remain in attackers’ crosshairs. CISA, for example, recently issued a public alert that detailed a ransomware attack that targeted a natural gas facility and caused a three-day shutdown. The agency said it was issuing the alert to share best practices and lessons learned for other organizations that may face a similar situation (see: Ransomware Attack Hit US Natural Gas Facility).
Recommendation: Prepare, Don’t Pay
One upside of ransomware, so to speak, has been that it’s opened the public’s eyes to the need to practice proper information security hygiene, Krebs said. Unless individuals and organizations put in place basic security practices, including maintaining offline backups, using strong two-factor authentication, and for businesses, patching vulnerable systems and software, and having a well-rehearsed and ready incident-response plan, they remain at risk.
For organizations that do fall victim, however, Krebs said his agency always urges them to never pay ransomware attackers. “One, if you pay, you are validating the business model,” he said. “Second, the keys don’t always work – there’s only a 20 to 50 percent chance that a de-encryption key is going to work. And third, what are you going to do if it doesn’t work? Are you going to sue them?”
Since the start of 2020, CISA has issued multiple warnings about ransomware, in part due to heightened geopolitical tensions following President Donald Trump ordering a drone strike that killed a top Iranian general. In response, Tehran vowed to retaliate, and many believed this would take the form of a nation-state cyberattack, possibly using wiper malware, which turns out to look a lot like ransomware (see: US Conflict With Iran Sparks Cybersecurity Concerns).
While that threat appears to have died down, Krebs noted that if Iran had wanted to attack immediately, it likely already had access to numerous critical systems across the U.S., meaning it would have been too late for any organization that hadn’t already prepared. Even so, CISA remains on heightened alert.
Never Waste a Good Crisis
“Never let a good crisis go to waste” might be an old adage, but Krebs said his agency opted to use the threat posed by Iran as a way to try to bootstrap cybersecurity practices across all U.S. organizations (see: Cybersecurity Coordinator: Don’t ‘Waste a Crisis’).
“When everything died down at the end of the following week [after the drone strike], we didn’t want to take our foot off the gas: We had the nation’s attention; we had leadership’s attention,” Krebs said.
So what was his message? “Iran is a threat and they are capable of a data-destruction attack and this looks a lot like ransomware,” he said. “So let’s go ahead and defend against these ransomware capabilities and if Iran comes back six months from now, we are in a better position.”
Executive Editor Mathew Schwartz contributed to this story.