Security professionals tend to be natural cynics. But as thousands prepare to head to Las Vegas early next month for the annual Black Hat conference, the attitude among them seems downright dark. Data from Black Hat’s fifth attendee survey of more than 300 information security professionals uncovered massive concern over the security of the 2020 U.S. presidential election – and most think the picture is bleak.
The survey finds more than 60 percent of cybersecurity experts say it is likely that hacking of voting machines will affect the next U.S. election. And about the same percentage of professionals (63 percent) believe that Russian cyber initiatives will specifically have a significant impact on the U.S. presidential election in 2020.
Many of those who plan to be in attendance at Black Hat say it is time for election security to take center stage priority.
“In any jurisdiction where digital election technology is not treated like critical infrastructure it is akin to having unregulated ATM machines,” said Greg Young, vice president of cybersecurity at Trend Micro. “We have tremendous amount of resiliency in ATMs now and we need that kind of standard for digital voting.”
Voting security is an issue that is also in the national spotlight since allegations first surfaced about Russian hacking and interference in the 2016 US presidential election. This month the Office of the Director of National Intelligence announced it had created a new lead election security position within the intelligence community. Noting that “election security is an enduring challenge and a top priority for the IC,” the office named tenured intelligence official Shelby Pierson as its new Election Threats Executive.
J.J. Thompson, senior director of managed threat response at Sophos, said time is running out to improve election technology up to the standards necessary to ensure secure voting in 2020.
“Shockingly, many election vendors are in-between recertification periods, which can lead to 1-3 years of delay before the Secretary of State can force them to make improvements to their security posture,” said Thompson. “States need to require election vendors to follow standard protection, detection and monitoring controls to pass recertification and renewal for use in their state. This would include the basics: hardening, host integrity monitoring, audit trails, shipping telemetry to a third party for monitoring and response in addition to non-repudiation.”
Andrew Peterson, co-founder and CEO at Signal Sciences, expects election security to be a hot topic of conversation among Black Hat attendees this year.
“So many CISOs I have spoken to are passionate about securing these systems and lending help to teams as we head into the elections,” he said. “It is an issue that is galvanizing for the community.”
Peterson is also concerned about the manipulation of information on social media and news sites and how it could impact voters leading into the elections. Several sessions about deep fakes – which are convincing but fake audio and video based on artificial intelligence - will be on the Black Hat agenda this year.
“I think companies have stepped up to try and address this, but we don’t have a lot of control on those platforms in the first place,” he said. “Are we going to see new kinds of patterns of abuse on social media? That is a real possibility.”
Black Hat attendees appear to agree with Peterson. Those who responded to the survey believe social media in general is a problem for citizens today. A majority (75 percent) said that using any social network is a bad idea. Facebook was cited as high-risk by 80 percent of respondents, Instagram was also not seen favorably and ranked as high-risk by more than 70 percent of respondents.
In addition to the nation’s elections, security pros are also mindful of cracks in the US critical infrastructure, with 77 percent noting a breach will take place in the next two years. Only 21 percent believe that government and private industry are prepared to respond to an attack on U.S. critical infrastructure