By Dan Patterson CBS News October 3, 2018, 1:21 PM U.S. infrastructure vulnerable to cyberattacks designed to suppress voter turnout
Campaign 2018: Election Hacking is a weekly series from CBS News & CNET about the cyber-threats and vulnerabilities of the 2018 midterm election.
Your voting booth might — or might not — be safe from hackers. But imagine a cyberattack that keeps you from going to your polling station in the first place.
Security experts warn that critical infrastructure systems in the United States are vulnerable to crippling cyberattacks designed to suppress voter turnout by disrupting systems that cities and towns rely on.
"If ransomware hits, what's the backup plan to allow people to vote? Do we extend it a day? Do we hold off the tally of the votes? Do we take absentee ballots? What do we do?" said Fortalice Solutions CEO and former White House chief information officer Theresa Payton.
Nuclear reactors, water treatment facilities, manufacturing centers, emergency response services and a dozen other systems are "essential services" and the backbone of the American economy, according to the Department of Homeland Security. Cybersecurity experts warn that hacks targeting critical infrastructure like these systems could disrupt an election by preventing voters in key districts from getting to the polls or accessing election information.
"[The vulnerability is] the light you turn on. It's the water you drink. It's the toilets you flush," said Sergio Caltagirone, a former NSA cyber-defense expert and director of threat intelligence at Dragos, a cybersecurity firm. "Industrial control is about people's lives, fundamentally."
One recent attack showed just how debilitating a cyberattack can be.
On the morning of March 22, government computer systems in the city of Atlanta began acting strangely. Screens flickered for a moment before a red notification popped up and rendered city computers useless. Nearly a third of Atlanta's "mission critical" software applications were annihilated, and the city was temporarily unable to perform basic municipal functions like process wastewater, use traffic cameras and process court cases. The ransomware attack impacted approximately 6 million people.
The attackers used a virulent strain of the SamSam ransomware virus. Ransomware is software that hijacks a computer system until the victim forks over a ransom, usually paid in cryptocurrency. The Atlanta hackers demanded bitcoin worth about $51,000, but recovering from the cyberattack cost the city nearly $10 million.
The Atlanta attack wasn't the first time software was used to shut down a major city. It has been done repeatedly in Kiev, the capital of Ukraine. The city is a test bed for major cyberattacks targeting critical infrastructure.
In 2015, 2016, and 2017 Russian hackers attacked the electrical grid in Kiev by running an exploit in Microsoft's Windows operating system. The attackers used variants of ransomware nicknamed "Crash Override" and "NotPetya" to launch what the White House called the "most destructive cyberattack in history."
Russia is particularly adept at infiltrating critical infrastructure systems. In 2016 and again in 2018, Russia hackers penetrated and probed the U.S. electrical grid. According to the United States Computer Emergency Readiness Team, the hackers launched a "multi-stage" campaign targeting commercial facilities. The hackers implanted malware after gaining access to the network using a simple phishing attack. Once inside, they moved laterally across the network, conducted "reconnaissance" missions and learned about how the Industrial Control System functions.
The Atlanta and Ukraine hacks had one thing in common: outdated software exposed hardware — computers — that control critical infrastructure systems.
"We're starting to see different countries — China, Russia, Iran — think about what they can do with that access," said Andrea Little Limbago, former senior technical lead at the Joint Warfare Analysis Center and chief social scientist at Endgame.
Hackers are able to disrupt communication systems by remotely commandeering thousands of computers.
On October 21, 2016, a massive distributed denial of service (DDoS) attack powered by the Mirai botnet targeted the Domain Name System of Dyn routers. Mirai hijacked, then transformed, thousands of routers and internet-connected devices (IoT) into a gigantic network that pummeled the internet's traffic routing system. The cyberattack effectively disabled the internet for several hours.
The Mirai creators, who recently plead guilty to conspiracy to violate the Computer Fraud & Abuse Act, initially targeted servers for the popular online game Minecraft. But the botnet quickly escaped their control. Because DDoS botnets like Mirai are so easy and inexpensive to create, the potential chaos of an election day botnet attack has threat researchers like Limbago particularly concerned.
"Perhaps you're shutting down the internet and stopping access to information," Limbago said. "Part of it could be sewing chaos prior to the election hoping to influence it by cutting off energy [or] stopping votes from coming in or voters getting to the polls [or] adding stress to the government not being able to provide a public utility."
To swing an election, a sophisticated attacker would only target individual districts in tight races, said Payton.
"The emergency systems that are used in a town … if there's any type of jamming of those signals … will you have those channels of communications for emergency systems? And all of those things are incredibly vulnerable to attack," said Payton.
Preventing critical infrastructure cyberattacks will require diplomacy, Payton said.
"This is one of the things that the UN and NATO need to spend time discussing," Payton said. "We need to be talking with our allies" about threat intelligence and emerging technology.
"It's not just one administration versus another administration," she said. "It's truly on a 'who do you trust' kind of level right now. We got to get past that."