The mention of election security, especially in a year where the majority of the world is destined to vote, brings to mind images of a voting machine or even some form of subversion of online voting or counting processes. So it was not a huge surprise when the opening keynote of this year’s Black Hat USA conference was titled “Democracy’s Biggest Year: The Fight for Secure Elections Around the World”.
The aftermath of the CrowdStrike outage
But ahead of the conference itself, the cybersecurity ecosystem was rocked by the recent CrowdStrike incident that caused major global disruption – and a panel of government agency leaders from around the globe clearly needed to address this first.
One of the panelists, Hans de Vries, COO of the European Union Agency for Cybersecurity, offered an interesting observation: “It was an interesting lesson for the bad guys”. This perspective may not be immediately obvious, as the incident in question was not malicious.
However, if a nation-state or a cybercriminal wanted a real-world simulation of how a cyberattack could unfold and cause global disruption, the CrowdStrike incident just delivered a full proof-of-concept, complete with insights into recovery times and how society as a whole dealt with the damage left in the incident’s wake.
Protecting the ballot box
Also on the stage was Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, and Felicity Oswald OBE, CEO of the UK’s National Cyber Security Centre, and all three panelists did address the topic of election security.
The consensus seemed to suggest that other than attempts to disrupt elections, such as denial-of-service attacks, the risk to an election result being manipulated due to an attack on the infrastructure technology was nearly non-existent. Processes are in place to ensure each vote, cast on paper or electronically, has numerous failsafe mechanisms built-in to guarantee that it’s counted as intended. This is reassuring news.
The discussion then shifted to the spread of misinformation surrounding the election process. The panel suggested that adversaries aiming to manipulate the result focus more on creating the perception that the election process is broken, rather than on directly hacking it. In other words, they aim to make voters feel that their votes are not secure, spending more effort on sowing fear about the process than on attacking the process itself.
National cybersecurity frameworks under the microscope
Later in the day, another presentation took on the topic of evaluating national cybersecurity frameworks. Presented by Fred Heiding from Harvard, the research examined how different governments approach the protection of their national cybersecurity. The research team evaluated 12 countries using a 67-point rubric, ranking them as innovators, leaders or under-performers based on their cybersecurity posture.
The scorecard approach encompassed several interesting categories, including protecting people, institutions and systems, building partnerships and communicating clear policies. Even the length of each country’s strategy document had a bearing on the score, and these varied widely, from 133 and 130 pages for Germany and the UK, respectively, down to just 24 for South Korea, and 39 pages for the USA.
Some countries, such as Australia and Singapore, stood out as leaders in more areas of the scorecard than others, either leading or meeting the bar across all categories. The UK occupied a middle ground with six leading scores and four that met the bar. The USA, meanwhile, had the opposite, with four leading scores and six that met the bar.
Only two countries received lagging scores in some areas – Germany and Japan. It’s important to note that the scorecards presented only covered seven of the twelve countries. Additionally, this is, of course, an academic research paper that looked at policy rather than its execution – some countries might do a great job of drafting strategies while falling short in implementation, or vice versa.
As a parting thought, it’s important that we hold our governments to account for their cybersecurity policies and their preparedness to protect our society and citizens.