“It’s halftime, America:” watching election security with CISA
The CyberWire votes: new US citizens from our CyberWire family take the opportunity to cast their first votes on Tuesday. The CyberWire
Nov 4, 2020

“It looks like any other Election Day, even any other Tuesday.” That was the take of senior officials at CISA as they spoke to the media in a series of briefings on Election Day.

Yesterday saw the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) executing a long-prepared national effort, coordinated from its virtual situation room, to secure the vote. CISA has for some time expressed the view that public engagement, through the media and directly online, makes an important contribution to cybersecurity. Through Election Day CISA held a series of six online media briefings, the first at 9:30 AM Eastern time, the last at 11:30 PM Eastern time, providing updates on election security.

The good news, repeated throughout the day, is that no major cybersecurity threats surfaced during the voting. Iran and Russia have done a little bit of American cage rattling, but nothing too serious, and in CISA's view even the disinformation they pushed during the election's endgame wasn't particularly convincing. And CISA emphasized that it will take time to count, report, and certify the vote. Don't confuse early media reports with official results.

Election expectations, and lessons in resilience from 2016 and 2018.

During the first call at 9:00 AM Eastern Standard Time, senior CISA officials emphasized that the US has learned a great deal about election security since 2016, and CISA believes that it, and its partners, put what's been learned to good use, at the Federal, state, and local levels. At the first briefing and throughout the day, CISA sought to manage expectations with a reasonable appreciation of the ways in which ordinary accidents, failures, and errors can be misinterpreted as attacks. Bad things do happen, whether by accident or hacking, the officials said. “Elections are messy; technology fails, and we’re already seeing some resilience in the process.” CISA anticipated technical problems in some of the thousands of polling places across the US, but these are expected to be part of the usual noise, and not the result of cyberattacks.

But to be clear, CISA emphasized that bad things do happen, whether by accident or design. Senior officials emphasized that early reporting of results has nothing to do with official results. Once the election is concluded, every state and CISA will go through a lessons-learned process. “I don’t want to lose sight of the fact that this ain’t over yet,” one senior CISA official said. The agency expects to be on a heightened level of alert into early January, until the vote is officially counted and certified.

Three, four, and five D's: Demand, Defacement, Denial-of-service, Disinformation, and Disruption.

Most of the problems encountered on Election Day were resolved quickly through business continuity and resilience measures. CISA officials returned throughout the day to "D's" as a way of informally organizing understanding of election problems. The list expanded over the course of the day from an initial three categories to five:

  • Demand. Legitimate interest and inquiry produce more Internet traffic, which stresses the websites people rely upon for information. High demand, by itself, doesn't constitute an attack.
  • Defacement. Vandalism in which websites are altered or defaced. This did not materialize as a major issue yesterday, but it's a common form of cyberattack (particularly favored by Iran) which could obscure or alter reports of results. There was no large-scale or systematic defacement reported.
  • Denial-of-service. This is the malicious analogue of Demand: a deliberately induced excessive demand condition. This too did not appear to be a problem yesterday.
  • Disinformation. Negative, which is to say false, propaganda deployed in the course of influence operations. Again, there were no unusual levels of foreign election disinformation reported. There were some reports of robo-calls advising voters not to go to the polls, but these were not widespread, and the FBI has the incidents under criminal investigation.
  • Disruption. Glitches, failures, errors, and misunderstandings. These occurred in several counties, but not at unusually high rates. In CISA's view, local election officials had practiced resilience measures that enabled them to overcome such problems relatively quickly. Examples included reversion to paper ballots as backups when voting machines malfunctioned, and, in one case, simply hand delivering results when an Internet connection went down.

None of the D's, CISA said, affect the integrity of the vote, and they encouraged the public not to overreact. CISA officials said they were gratified to see that people in general weren't in fact overreacting to glitches.

Foreign adversaries were generally quiet during the 2020 election season.

There’s no evidence that any threat actor has succeeded in altering voter information, a point CISA officials made several times. Much voter information is readily and freely accessible without the need for any nefarious data theft. CISA was concerned to explain that this didn’t mean voter or voting data had been changed or corrupted.

The threat landscape has been cumbered by Iranian groups and, to a lesser extent, Russian actors. But their activities have been neither especially intense nor notably effective. Iran has recently been the more active of the two, and the most probable cyberattacks were expected to come from the familiar Iranian playbook: website defacement, distributed denial-of-service, and wiper attacks. CISA's election center observed none of these yesterday. Tehran’s recent disinformation efforts—threatening emails and some online video—were recognized and attributed “within 27 hours.” “We accelerated our engagement with our state partners to share information about Iranian TTPs," a senior CISA official said. "We shared that sort of information with our partners and they’ve taken appropriate steps.”

Russian efforts have been similarly ineffective, and have so far been notably less intense than what was seen to emerge from Iran. Much of the Russian "perception hacking" currently takes the form of publication in state-controlled outlets. Outlets like RT and Sputnik are mouthpieces of the state. Treat them accordingly. “We are encouraging the American people to treat foreign sources of information with a hefty, hefty, dose of skepticism.”

An impression had been circulating among the news media that the Russians in particular had "kept their powder dry" during the 2018 midterm elections the better to operate against the 2020 vote. To questions about why the familiar foreign adversaries seemed relatively quiet, CISA said that it didn't know the reason, but that they do think that it may have been a case of successful deterrence by denial. Improved security and (especially) resiliency have helped a great deal.

But, senior officials emphasized, “We’re not out of this, yet. Votes are still being cast.” The attack surface extends well into the next month or two. “Based on what we’re seeing, it’s certainly below what we’ve previously seen, but that leads to the next question, are there other things going on that we should be looking for?” Since foreign cyber activity is largely taking the form of disinformation, and since the goal of such disinformation appears to be the erosion of confidence in the elections, CISA expects to remain on high alert until all votes are counted and certified in January. CISA strongly recommends using its rumor control site, which is being updated as necessary. The section on post-election information has now, of course, moved to the fore.

Conclusion: "It's been boring, and that's good."

CISA's consensus is that yesterday was a quiet day, from the point of view of cyber operations. “It’s been boring, and that’s good," a senior CISA official concluded. "But now I’ll be boring and say ‘we’re not out of the woods yet.’” Between tonight and the final certification of the vote, there will be an opportunity to target certain networks, and “to undermine confidence in the process through sensational claims.” CISA intends to continue its "enhanced operational posture" as long as needed. "We’ll know it when we see it. This is not a tomorrow thing, or an end of the week thing." But CISA is prepared to draw one lesson from this election cycle: resilience matters.