NSA Leak supports collusion
Post Reply
 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
07-06-2017, 05:30 AM
NSA Leak supports collusion
When I read the Intercept article about the leaked NSA report on the election hacking, what struck me is that the whole project by Russia to hack the election is so complex and has to be so intricately planned, that I cannot see why they would do it unless they had a specific result in mind.

The article says that the real difficulty, once you get into the computer systems, is to target the right parts of the country so you know you are going to get the result you want. What this says to me is that they would have also had to analyze previous election results, polling reports and then decided where they were going to focus their attacks. But all this would be pointless unless they had a clear objective, for some time, because this must have taken ages to carry out and put in place.

It looks to me like Trump was in on this with the Russians a long time ago and was involved in the planning of it over maybe even before the primaries. I think he's toast, to be frank.

Here's the article from the Intercept:

An Alluring Target

Getting attention and a budget commitment to election security requires solving a political riddle. “The problem we have is that voting security doesn’t matter until something happens, and then after something happens, there’s a group of people who don’t want the security, because whatever happened, happened in their favor,” said Bruce Schneier, a cybersecurity expert at Harvard’s Berkman Center who has written frequently about the security vulnerabilities of U.S. election systems. “That makes it a very hard security problem, unlike your bank account.”

Schneier said the attack, as described by the NSA, is standard hacking procedure. “Credential-stealing, spear-phishing — this is how it’s done,” he said. “Once you get a beachhead, then you try to figure out how to go elsewhere.”

All of this means that it is critical to understand just how integral VR Systems is to our election system, and what exactly the implications of this breach are for the integrity of the result.

VR Systems doesn’t sell the actual touchscreen machines used to cast a vote, but rather the software and devices that verify and catalogue who’s permitted to vote when they show up on Election Day or for early voting. Companies like VR are “very important” because “a functioning registration system is central to American elections,” explained Lawrence Norden, deputy director of the Brennan Center for Justice at the NYU School of Law. Vendors like VR are also particularly sensitive, according to Norden, because local election offices “are often unlikely to have many or even any IT staff,” meaning “a vendor like this will also provide most of the IT assistance, including the work related to programming and cyber security”—not the kind of people you want unwittingly compromised by a hostile nation state.

According to its website, VR Systems has contracts in eight states: California, Florida, Illinois, Indiana, New York, North Carolina, Virginia, and West Virginia.

Pamela Smith, president of election integrity watchdog Verified Voting, agreed that even if VR Systems doesn’t facilitate the actual casting of votes, it could make an alluring target for anyone hoping to disrupt the vote.

“If someone has access to a state voter database, they can take malicious action by modifying or removing information,” she said. “This could affect whether someone has the ability to cast a regular ballot, or be required to cast a ‘provisional’ ballot — which would mean it has to be checked for their eligibility before it is included in the vote, and it may mean the voter has to jump through certain hoops such as proving their information to the election official before their eligibility is affirmed.”

Mark Graff, a digital security consultant and former chief cybersecurity officer at Lawrence Livermore National Lab, described such a hypothetical tactic as “effectively a denial of service attack” against would-be voters. But a more worrying prospect, according to Graff, is that hackers would target a company like VR Systems to get closer to the actual tabulation of the vote. An attempt to directly break into or alter the actual voting machines would be more conspicuous and considerably riskier than compromising an adjacent, less visible part of the voting system, like voter registration databases, in the hope that one is networked to the other. Sure enough, VR Systems advertises the fact that its EViD computer polling station equipment line is connected to the internet, and that on Election Day “a voter’s voting history is transmitted immediately to the county database” on a continuous basis. A computer attack can thus spread quickly and invisibly through networked components of a system like germs through a handshake.

According to Alex Halderman, director of the University of Michigan Center for Computer Security and Society and an electronic voting expert, one of the main concerns in the scenario described by the NSA document is the likelihood that the officials setting up the electronic poll books are the same people doing the pre-programming of the voting machines. The actual voting machines aren’t going to be networked to something like VR Systems’ EViD, but they do receive manual updates and configuration from people at the local or state level who could be responsible for both. If those were the people targeted by the GRU malware, the implications are troubling.

“Usually at the county level there’s going to be some company that does the pre-election programming of the voting machines,” Halderman told The Intercept. “I would worry about whether an attacker who could compromise the poll book vendor might be able to use software updates that the vendor distributes to also infect the election management system that programs the voting machines themselves,” he added. “Once you do that, you can cause the voting machine to create fraudulent counts.”

According to Schneier, a major prize in breaching VR Systems would be the ability to gather enough information to effectively execute spoof attacks against election officials themselves. Coming with the imprimatur of the election board’s main contractor, a fake email looks that much more authentic.

Such a breach could also serve as its own base from which to launch disruptions. One U.S. intelligence official conceded that the Russian operation outlined by the NSA — targeting voter registration software — could potentially have disrupted voting in the locations where VR Systems’ products were being used. And a compromised election poll book system can do more than cause chaos on Election Day, said Halderman. “You could even do that preferentially in areas for voters that are likely to vote for a certain candidate and thereby have a partisan effect.”

Using this method to target a U.S. presidential election, the Russian approach faces a challenge in the decentralized federal election system, where processes differ not merely state to state but often county to county. And meanwhile, the Electoral College makes it difficult to predict where efforts should be concentrated.

“Hacking an election is hard, not because of technology — that’s surprisingly easy — but it’s hard to know what’s going to be effective,” said Schneier. “If you look at the last few elections, 2000 was decided in Florida, 2004 in Ohio, the most recent election in a couple counties in Michigan and Pennsylvania, so deciding exactly where to hack is really hard to know.”

But the system’s decentralization is also a vulnerability. There is no strong central government oversight of the election process or the acquisition of voting hardware or software. Likewise, voter registration, maintenance of voter rolls, and vote counting lack any effective national oversight. There is no single authority with the responsibility for safeguarding elections. Christian Hilland, a spokesperson for the FEC, told The Intercept that “the Federal Election Commission does not have jurisdiction over voting matters as well as software and hardware in connection with casting votes. You may want to check with the Election Assistance Commission.”

Checking with the EAC is also less than confidence inspiring. The commission was created in 2002 as the congressional reaction to the vote-counting debacle of 2000. The EAC notes online that it “is charged with serving as a national clearinghouse of information on election administration. EAC also accredits testing laboratories and certifies voting systems,” but it is a backwater commission with no real authority. Click on the link about certifying voting systems and it leads you to a dead page.

If there were a central U.S. election authority, it might have launched an investigation into what happened in Durham, North Carolina, on Election Day. The registration system malfunctioned at a number of polling locations, causing chaos and long lines, which triggered election officials to switch to paper ballots and extend voting later into the evening.

Durham’s voter rolls were run by VR Systems — the same firm that was compromised by the Russian hack, according to the NSA document.

Local officials said that a hack was not the cause of the disruption. “The N.C. State Board of Elections did not experience any suspicious activity during the 2016 election outside of what this agency experiences at other times. Any potential risks or vulnerabilities are being monitored, and this agency works with the Department of Homeland Security and the N.C. Department of Information Technology to help mitigate any potential risks,” said Patrick Gannon, a spokesperson for the North Carolina board of elections.

George McCue, deputy director of the Durham County board of elections, also said that VR Systems’ software was not the issue. “There was some investigation there, essentially no evidence came out of it indicating there was any problem with the product,” he said. “It appears to be user errors at different points in the process, between the setup of the computers and the poll workers using them.”

All of this taken together ratchets up the stakes of the ongoing investigations into collusion between the Trump campaign and Russian operatives, which promises to soak up more national attention this week as fired FBI Director James Comey appears before Congress to testify. If collusion can ultimately be demonstrated — a big if at this point — then the assistance on Russia’s part went beyond allegedly hacking email to serve a propaganda campaign, and bled into an attack on U.S. election infrastructure itself.

Whatever the investigation into the Trump campaign concludes, however, it pales in comparison to the threat posed to the legitimacy of U.S. elections if the infrastructure itself can’t be secured. The NSA conclusion “demonstrates that countries are looking at specific tactics for election manipulation, and we need to be vigilant in defense,” said Schneier. “Elections do two things: one choose the winner, and two, they convince the loser. To the extent the elections are vulnerable to hacking, we risk the legitimacy of the voting process, even if there is no actual hacking at the time.”

Throughout history, the transfer of power has been the moment of greatest weakness for societies, leading to untold bloodshed. The peaceful transfer of power is one of the greatest innovations of democracy.

“It’s not just that [an election] has to be fair, it has to be demonstrably fair, so that the loser says, ‘Yep, I lost fair and square.’ If you can’t do that, you’re screwed,” said Schneier. “They’ll tear themselves apart if they’re convinced it’s not accurate.”
Find all posts by this user
Like Post Quote this message in a reply
[+] 1 user Likes Deltabravo's post
Post Reply
Forum Jump: