Cyber Influence Operations and the Elections
News reports regarding cybersecurity have become an almost daily occurrence; and they are constant in reporting cyberattacks against both industry and the government, and over the past several months there has been a focus on elections.
. In terms of success, cyberattacks against business and government have resulted in billions of dollars in losses and millions in revenue for the attackers. These attacks have also resulted in the compromise of the personal data for millions. In terms of the impact on elections it is harder to measure. However, it is important to note that there is no evidence that the outcome, or the result of any election has been determined by a direct cyberattack.
The reality is that the attacker’s goal is to not change the result of one particular election; and what is going on in cyberspace is nothing new. The term used to describe these types of activities is Influence Operations, and these operations have existed since the dawn of the bronze age nation states. Since the time of the Greek and Persian Empires, and the Chinese dynasties. At some point these nation states began to think of ways to move their advisories through messaging and political maneuvering, through propaganda. They found it cheaper and less risky than invasion and open warfare. The idea is to influence the population and the decision makers, it is to nudge your adversary in a particular direction. Influence Operations take a long and strategic view. During the decades of the Cold War, Influence Operations were the propaganda campaigns between the Western Democracies and the Socialist States. Today Influence Operations continue, and they are now rooted in the realm of cyberspace. In terms of the US elections there is no evidence that any cyber event changed any vote, or did not account for any vote. For these nation state actors, their focus is not on directly changing votes, their influence goal is to sow dissent and mistrust on the integrity of the election system. Their strategic goal is to weaken, distract, and disorient their adversary. Their tool is misinformation. There are three pillars of cyber security they are confidentiality, integrity, and availability. Briefly stated confidentiality is the security of information, integrity is the assurance that the information and its sources are genuine, and availability is the assurance of access to information. It is the assurance of, or the lack of integrity that is the essence of Influence Operations. For influence to be effective the receiver of the mis-information must assume the information is accurate and from a reliable source. This is often not too hard when the receiver finds information that reinforces their beliefs and understanding of the world; and it is in social media where the ground has proven to be most fertile for these misinformation campaigns. It is the Russian intelligence services that have proven to be most imaginative in their use of social media to ignite the passions on the right and left of the political spectrum. Their Influence Operation campaigns have objectives with measurable results. They begin with investigations and reconnaissance, they move to creating multiple false personas or actors. In addition to actors they create autonomous online actors or bots that can post and spread misinformation rapidly through the targeted social media outlets. They have been known to invest in their success. The US House Intelligence Committee lists that the Russian Internet Research Agency paid for over 3,500 Facebook ads that supposedly reached 11.4 million users. Their goal is to operate at the extremes of each group, it is to polarize and to obliterate the middle ground. The Russians are not acting alone. In parallel and independently are other nation state actors to include the Iranians and the Chinese. For each of these countries ground zero for spreading misinformation to cause political confusion amongst opposition parties and dissenters are their own countries. The point in this is all consumers of social media and internet news need to be intelligent consumers. The integrity of social media and information on the internet cannot be assessed. If you are on the internet you are by definition a consumer of information, that being the case it is easy to fall into the trap of believing and gravitating to only the information sources that you want to be true.
Data breaches, and their costs
Computer breaches are expensive, in terms of small business they can be catastrophic. The actual cost to a business will depend, for larger businesses with more records, the cost can be over $7 million.
Despite the range in costs there are common causes for breaches, and there are also simple solutions. The organizational goal is to reduce the probability of a breach, and at the same look for indications of a breach and prepare.
Data breaches, and their costs.
The cost of a data breach? Like all questions, the answer depends. For one thing it depends on the size of the business, for example for a US small business it is about $47,000 to $79,841. It is important to note that despite the relative low expense, a data breach for a small business is often deadly with 60% going out of business in six months. For a US enterprise business or a large business, it is going to be $620,000, or $3.6million, or $7.9million. These numbers are from the following sources-studies, respectively: Kapersky Labs, CSO Online, and IBM/Ponemen. The range depends on a number of factors most importantly is the number of records compromised, the greater the number of records, the greater the cost. These different reports are essentially surveys, the results are based on the questions asked and answers given; with the questions different for each survey. Often they are trying to measure the same thing, but they arrive with different answers.
In the reporting there are common themes, first the cost of a breach is measured in terms of direct and indirect costs. Direct costs are associated with system down time, loss of work, costs associated with hiring professional services, the loss of cash due to theft and lost opportunity costs. Indirect costs are in staffing, training, notification costs, legal fees, reimbursements, refunds, damages, and loss of customers. The US has the highest indirect costs, however the EU will catch up due to the GDPR. In terms of estimating the cost the IBM/Ponemen report calculates the cost by the number of records compromised, with the US average cost per record at $233. A record is defined as the information that identifies a single person whose information has been lost or stolen in a data breach. Examples are personally identifiable information (PII), healthcare information (HCI), payment card information (PCI), credit card records, etc. The result is, the larger the business, the more records, the greater the cost in terms of compromise and recovery.
The reporting consensus is that there are three general breach types, first is criminal attacks, second inherent system errors, and third human errors. The response and recovery cost will vary by the type of breach, and the security systems and cybersecurity plans in place prior to the breach. What is the most common causes of breach? The first answer is humans. The Verizon study reported that most people 78% will avoid accessing phishing email. However, there are 4% that will click on anything; the more phishing emails an individual has accessed in the past, the more phishing emails they will access in the future. Which means that system compromise will arrive via email, at 90% of the time, it is the most common attack vector. The solution is to focus on training. This too may be an issue for larger businesses with thousands of employees. In smaller companies this may be easier to root out. Other common attacks are Denial of Service (DoS) attacks and Ransomware, however these are not considered breaches resulting in the removal of records. However, the total cost to a business can also be considerable.
What is the best defense? That would be to implement cybersecurity best practices and have a cybersecurity plan. There are standards for cybersecurity planning they include the NIST 800-171, and the SANS, Center for Internet Security (CIS) Controls, in addition there are controls set by industry. One of the most effective measures is to educate system users. In addition, is updating software, and software patch management, this is ensuring outdated software is replaced, and vulnerabilities are removed. Other effective controls are two factor authentication and implementing user roles to segment data. These are all common elements of a cybersecurity planning.
A cybersecurity plan will include monitoring and incident response. One average the time before an intruder or hacker is discovered is now about 191 days. This is an improvement, in previous reporting it was 201 days. The earlier an intruder is discovered the less cost in terms of response and recovery. It is only through monitoring system tools and proper system configurations that early detection is possible. The second element is incident response planning and exercises. Cost effective response and recovery is only when there are processes and procedures in place. Additionally, meeting US State, Federal, and GDPR reporting and notification requirements within their required time frames is only the result of planning and resources.
The means to control the cost of a breach is through adequate and actionable plans. To some extent cyberattacks are inevitable, the defense must be perfect 100% of the time, the attacker needs to be successful once. System monitoring can identify and reduce the attacker’s time in the system; a plan coordinates and executes the effort and speeds up recovery. Often the most difficult element in this process is getting the management commitment to establish the plans.
Incident Response Planning
Twenty-five years ago, on January 17, 1994, the 6.7 magnitude Northridge earthquake struck. The earthquake caused 57 deaths, and over $20 billion in damage.
In the aftermath most insurance companies stopped selling or providing earthquake coverage, as the losses were too great. Fast forward to today, and the world it is vastly different. In 1994 there were PC computers on local area networks; however, these networks were expensive and complicated. Cell phones were prohibitively expensive and were used only for business. The individual cell phone as it is used now, as a consumable item was unimaginable. There was also this thing called DARPA-Net that the government and Universities used, but that was about it; of course, this was the precursor to what is now called the internet.
Today there are now more cell phones than people; and you can refer to the cell phone as a life support device. In terms of networks they indispensable, everything is on a network or in the cloud. An earthquake today or in the future like the Northridge earthquake, would be much more catastrophic. In strictly business terms, the destruction of work place and infrastructure, the loss of access to data would be devastating. Most likely many businesses would not survive. Of course, these effects are not only related to earthquakes, they apply equally to floods, fires, tornadoes, etc. The question for a business owner is what can you do to prepare for these events.
The first step is to recognize that having a plan is important, which is to have an Incident Response plan. Another factor to consider, is to meet cybersecurity planning conformance requirements businesses are required to have an Incident Response Plan. For this planning there is no lack of advice on the internet, and many sites outline incident response planning steps and have examples. Some sources are SANS, and Federal Government agencies that focus on information management systems. Additionally, it is important is to recognize that effective incident response should be focused on an all hazards approach, and not only on networks and the information management system. As a business the inability to access property, inventory, equipment, tools, vehicles, etc. can be as disruptive and as catastrophic as not accessing the information management system.
As discussed, there are many sources of information of incident response planning and operations. However, one fact is inescapable, and it is often ignored in the check list mentality; that is effective indecent response is not a standalone plan or an end state. Effective incident response will be the result of doing many things right before a disaster, so that effects of a disaster can be avoided or will be mitigated. This means having a have a plan, a plan that is focused on alternatives and one that avoids dependencies where possible.
Every source for incident response planning will have an approach, and many follow the same outline. An approach is to use the NIST 800-34, Contingency Planning Guide for Federal Information Systems, this is a Federal standard for developing incident response plans. Though it is focused on Information Systems, the general steps apply to all types of businesses and organizations. The following has been modified taking an all hazards approach.
1. To develop an incident response plan, you first need to determine what is important and how you can protect or mitigate its loss. If you are in construction these are the tools of the trade, it is equipment and materials. If this is a services business it can be the facilities and equipment, it is access to data, etc. The first question to answer is how can you operate without access to these resources? The second question is what are the alternatives?
2. Based on your business model conduct a business impact analysis. This analysis identifies and prioritize what is most important.
3. Identify preventive controls, this is what can you do to reduce the effects, or the risk of a disaster. The best strategy is to avoid risk, second is to reduce the effects or mitigate the effects.
4. Create contingency plan. This is very much related to preventive controls. If access is blocked, or you lose resources the question is then how to operate without it? Having a plan that provides options, and workarounds. It will move you forward in the response phase. Consider that poor alternatives are better than no alternatives.
5. Develop an information system contingency plan, all businesses are dependent on communications, and access to data. If there is a loss of infrastructure, the questions is how do you operate, what are the backups, how do you move forward and communicate. The other issue is the restoration of business data, this the plan to exercise the alternatives?
6. Ensure plan testing, training, and exercises. Everyone is busy, however these plans, and concepts need to be tested to ensure they meet the 80% actionable test. No plan will be perfect, however if the point of departure is unworkable, then recovery will be at best difficult, or non-existent.
7. Ensure plan maintenance. This plan as with all plans needs to be maintained. It is a living document that should be updated and reviewed regularly so that it is actionable.
All businesses are in flux, there are constant changes in operations and in focus. Incident response planning does not need to cumbersome or detailed. It needs to recognize the most critical functions of the business, and it then needs to look at how these functions can operate or move forward under the stress of a disaster. Just as the earthquake seemed strike without warning, so do all disasters. Having a plan, having point of departure toward recovery is the best way to ensure the business is able survive.