SWNEpisode5

From Security Weekly Wiki

Recorded January 21, 2020 at G-Unit Studios in Rhode Island!

Episode Audio

Hosts

  • Doug White
    Cybersecurity professor, President of Secure Technology, and Security Weekly network host.
  • Jason Wood
    Threat hunter at CrowdStrike, penetration tester, sysadmin, and Founder of Paladin Security.
  • Announcements:

    • Our next webcast is January 15th with Cecilia Marinier, RSAC Program Director, Innovation & Scholars, where we will discuss RSAC Sandbox, RSAC Innovation Sandbox, RSAC Launch Pad, RSAC Security Scholar and their “How to” Seminar for Innovators and Entrepreneurs! Register for our upcoming webcasts by visiting securityweekly.com, selecting the webcast drop-down from the top menu bar and clicking registration.

    Security News

    Security Weekly News -- Week of 19 -- January -- 2020


    Expert Commentary: Jason Wood, Paladin Security

    FBI to inform election officials about hacking attempts - Ok, not really actual attempts, but warnings of what may happen.

    Yesterday, the Naked Security blog released an article titled “FBI to inform election officials about hacking attempts”, which sounds like a pretty good thing. The article is linked to the FBI’s press release, which is titled “FBI Announces New Policy for Notifying State and Local Election Officials of Cyber Intrusions Affecting Election Infrastructure”. All of this sounds like something that should have already been happening, but hey, we will take any progress we can get. What caught me off guard about this was how would the FBI know about attacks that have occurred with any timeliness to help the election security officials?

    It turns out that the policy change by the FBI isn’t exactly what the titles make it sound like. When I read the press release and blog post, it appears that the FBI is talking more about threat intelligence than it is about attacks that are occurring. The FBI’s press release states, “The FBI’s new policy recognizes the necessity of notifying responsible state and local officials of credible cyber threats to election infrastructure.” This indicates that the FBI would be telling state and local governments about plans being made by threat actors, hopefully, information about how the group operates, and perhaps even infrastructure used by these actors. It is possible that the FBI could decide to inform one state of attacks that have already occurred in another so that they can be aware of attacks that could target them.

    How could this help the local election officials? To be honest, it depends on the details shared with them. A high-level notification that Russia may target a county in Arkansas isn’t very useful, even if it is timely. There’s just nothing to go on that isn’t already in the news and there isn’t anything actionable for the county. If the notification includes information or at least links to tactics that a Russian group likes to use, then the county could start reviewing their security data for those tactics. The same goes for information about infrastructure. They could also look at creating alerts and prevention mechanisms for that information. Of course, the threat actor could change their infrastructure or even tactics, but the election has a pretty set window of attack. If election officials can get enough information to get through the election period, then it is a win.

    The crucial bit in this policy directive will be in the actual implementation and how timely it is. First, the FBI will have to get to the right people at the local election organizations. That shouldn’t be insurmountable though since I’d bet an FBI agent calling an organization typically gets a more prompt response than your friendly neighborhood security group. The next is what information gets shared with the election officials and how timely it is. If the notification comes in two days after an election, it’s probably too late to be terribly useful. If the information is super high level, then it’s not useful no matter how timely it is.

    There will be some tension within the FBI about providing notifications that are timely and detailed enough to be useful. One, they have no idea how the local elections officials will handle this information. Will someone start running network scans of operator infrastructure? Will they do their own press release about the data shared and cause the operator to create new infrastructure? Will FBI sources get burned and they lose access to new information? These are real concerns and will probably cause the FBI to hesitate over what information they share and when they will do so.

    At the end of the day, this sounds like a common-sense idea that should be carried out. While I obviously have questions about how it will be performed, state and local election officials can probably use all the help they can get. Hopefully, it has the primary effect of limiting interference with elections and also has a secondary effect of assuring people that the election wasn’t stolen, influenced, or subverted by another country with their own agenda. If you would like to read more about this policy, the links are in the show notes.

    https://www.fbi.gov/news/pressrel/press-releases/fbi-announces-new-policy-for-notifying-state-and-local-election-officials-of-cyber-intrusions-affecting-election-infrastructure