Campaign 2018: Election Hacking is a weekly series from CBS News & CNET about the cyber-threats and vulnerabilities of the 2018 midterm election.
Cyberattacks targeting the 2018 midterm election aren't just relying on tested tactics like phishing attacks, social media influence campaigns, and ransomware targeting critical infrastructure — they're also harnessing technology in new and ever more threatening ways.
Cybersecurity experts are concerned that emerging technology like artificial intelligence and automation powered by big data and the Internet of Things is helping hackers attack election systems faster than officials can keep up.
"What I'm scared by is that there is this attacker-defender asymmetry," says Mark Risher, Google's Director of Product Management for Security and Privacy. "We need to make sure every door, every window, every little portal is securely closed. But the attackers only need to find one."
Automated cyberattacks against political campaigns are being shaped by artificial intelligence.
"If a human being were walking down the street trying to break into the car, they might try all the doors," Risher said. Where phishing attacks like those that targeted John Podesta and the Hillary Clinton campaign were slow and methodical, AI speeds up and amplifies the number of "car doors" an attacker can try and open.
To defend against automated hacks, Google has deployed its own AI systems that detect bot behavior and limit the rate of login attempts. Google's AI analyzes attack patterns and then implements evasive maneuvers.
"It's almost this proxy war," says the Google security executive. "Computer versus computer."
Password-stuffing with bots
In 2016, Russian hackers infiltrated the Clinton campaign by sending phishing emails to John Podesta that were tailor-made to fool the campaign chairman. Once the attackers had his password, they were able to exfiltrate piles of sensitive campaign data.
Password cracking is still the easiest method of hacking political campaigns and election officials, said Akamai's Andy Ellis. Campaigns lock piles of sensitive data in email and cloud accounts protected by simple passwords. The threat to campaigns now and in the immediate future is from automated bots hacking passwords using a technique called password stuffing.
The problem starts, said Ellis, when people "log in to two different websites where they have the same email address and username. At some point, one of those sites gets compromised," leaving the login credentials exposed. "Then a whole directory gets published on the dark web."
"What they're really doing is attacking anybody who has ever reused a password with the same email address or username across multiple sites."
According to Akamai's data, botnets are responsible for nearly 300,000 malicious login attempts every hour. If you're like most people, said Ellis, you've used the same password on multiple sites. Bots then use the pilfered usernames and passwords to make repeated login attempts into the accounts of campaign staffers and election officials, trying one password combination after another until one works. Once the hackers are inside the campaign account, he said, they can do irreparable damage.
The Internet of Things
"Emerging threats are an evolution of current threats," said Microsoft's cybersecurity field chief technology officer Diana Kelley. "The core threat is criminals who are trying to get access to our data, our systems, our devices."
Devices, she said, produce big data. The more data available to an AI algorithm, the more effective that algorithm will be. And hackers are obsessed with data. There is no better source of data than the network of connected devices known as the Internet of Things, or IoT.
The IoT is composed of everything from smart home appliances to manufacturing control systems to smart cars and municipal transportation networks. Even toys and are at risk. Millions of new IoT devices come online every day and few are properly secured, leaving them extremely vulnerable to cyberattack. Data produced by IoT devices will likely surface on the dark web and be used for automated attacks like password stuffing.
"We're going to have 9 billion new IoT devices with MCU — micro control units — entering the internet every year," says Kelley. "That's a huge number, and each of those systems is going to have to be built securely, deployed securely, and managed securely in order to not expose users, consumers, and companies to risk."
In October 2016, a botnet known as Mirai took down internet communications systems across the U.S. Kelley warned that sophisticated hackers targeting elections are also likely to harness insecure IoT devices to a similar attack on Election Day. If an IoT attack were to hit on Election Day, she warned, the internet would be inaccessible and voters would be unable to communicate or access essential election information. Were an IoT hack to include ransomware, the impact would be even worse.
The solution, she said, might be reasonably simple: Better passwords. But of course, that's easier said than done.
AI will continue to proliferate, and both big tech and big hackers will continue to leverage emerging technology. But political campaigns, device manufacturers, consumers and "large and small companies need to take steps to ensure that they've built security into systems," Kelley said.
- Hackers could use facial recognition AI to sway political campaigns (CBS News)
- Artificial intelligence positioned to be a game-changer (CBS News)
- IoT attacks are getting worse -- and no one's listening (CNET)
- IoT security risks still a core fear (CNET)
- WannaCry ransomware: Hospitals were warned to patch system to protect against cyberattack - but didn't (ZDNet)