Rajiv Gupta is CEO of Skyhigh Networks, a California-based cloud security and enablement company. The companies and agencies listed in this article are not clients of Skyhigh Networks.
As if the US presidential election needed any more drama, evidence is mounting that Russian officials recently hacked the Democratic National Committee ahead of this week’s convention in Philadelphia. While the threat of espionage between nations has loomed for years, the timing and substance of the DNC leak suggest a Russian intention to influence a US presidential election.
The hack sets a new precedent and draws into question the US government’s ability to deter state-sponsored cyberattacks on even the most sensitive government and political operations. In the absence of diplomatic enforcement, the DNC breach is another reminder that government agencies and non-profit organizations need to proactively prepare for hacking attempts from professional, sophisticated adversaries.
Over the years, political campaigns have become vulnerable to cyber attacks. Campaigns gather research on rival candidates, which results in valuable stockpiles of intelligence on political leaders. The gray area around international cybercrime has given foreign governments the audacity to carry out their own Watergate-style thefts. Barack Obama and John McCain’s campaigns both suffered data breaches from Chinese hackers in 2008.
What stands out in the latest breach is the length and extent of the compromise: So far, we know that attackers accessed all email and chat traffic for nearly a year. Remaining undetected within a confidential system for so long requires a high level of sophistication and discipline. When the hack came to light with the breach of Donald Trump’s files, experts knew the attackers had much more information. Now the DNC is accusing Russia of attempting to use the stolen information to influence the US election – a far graver charge than the standard intelligence gathering.
It’s clear that the threat of an attack on the DNC was inevitable. So, why wasn’t the campaign prepared for a cyber attack? The odds are stacked against a relatively small organization like the DNC. Groups like the organization tied to the DNC breach are highly organized, determined, and well-funded. The target on the backs of government and political organizations coupled with limited security budgets poses an uphill battle to agency security teams.
The natural solution would seem to involve targeting the attacks at their source – foreign government authorities. Unfortunately for domestic organizations, the US’s own cyber espionage likely limits its efficacy in negotiations to curb attacks. Officials did report success in reducing Chinese state-sponsored attacks on the US private sector, but this is an area where the US government has little to gain from offensive action. Furthermore, attribution is always a gray area when it comes to enforcing punishment for cyber attacks, even in the presence of substantial evidence.
As a result, the frequency of attacks on government targets is only increasing. Obama’s latest comprehensive cybersecurity plan requires the government to release an annual audit report. This spring’s report documented a 10% increase in cybersecurity incidents at US government agencies, for a total of 77,183 (page 14). Even the most locked-down government agencies struggled with state-sponsored hacking. In June, the US Federal Reserve released information on more than 50 data breaches from the past four years. Malicious code, the same category as the infiltration into the DNC’s systems, represented the most common type of incident. The Federal government as a whole suffered 7,466 successful malicious code attacks in the past year (page 17).
Without hardline diplomatic support on the cyber attack problem, government agencies and political organizations need to assume they are targets. One account called the attack on a political infrastructure a compromise of “our civic infrastructure.” Europe has taken an important first step in protecting valuable national assets: A new EU directive will establish required cyber security standards for organizations that provide essential services.
The status quo has left national political secrets vulnerable to foreign exploitation. One limitation of government cybersecurity has been excessive conservatism around security technology. In an era of constantly evolving threats, keeping ahead of hackers requires adopting the latest emerging technologies. Political organizations operate on the cutting edge of data analytics and marketing technology. Why shouldn’t the same innovation carry over to cybersecurity?
Fortunately, current US technology leadership has recognized the crisis and taken unprecedented steps in modernizing US technology infrastructure. The first step has been to recognize the risk of the outdated systems in use. The US Federal Chief Information Officer Tony Scott reports that $3 billion of government IT equipment and services will become obsolete in the next three years. Scott is a huge proponent of replacing legacy technology with more modern and secure cloud software; federal cloud use has increased 15.8 percent in the past year. In a telling gesture, Obama appointed security executives from Microsoft and Uber to his panel for enhancing national cybersecurity. The Department of Defense conducted the first-ever “Hack the Pentagon” bug bounty program, in which “white hat”, or ethical, hackers get paid to report vulnerabilities in the agency’s systems. The program found over 100 vulnerabilities and earned praise from Defense Secretary Ashton Carter.
Even a year ago, steps like moving data to the cloud and opening up the DoD’s network to friendly hackers might have seemed inconceivable. Major breaches and sustained attacks have forced evolution on how government agencies secure their systems. The DNC reportedly received alerts of compromise months before they sought comprehensive help. The alleged violation of our electoral system might not immediately change US policy on cyber espionage, but it will certainly change the way organizations approach and respond to the immediate threat.