A computer virus mutation that crippled computer systems around the world last week shows just how vulnerable America’s government and election infrastructure still is to Russian hacking, cybersecurity experts say.
The virus originated in Ukraine, but it spread across the world, even affecting hospitals in Pennsylvania, which were forced to cancel operations, and the Dutch global shipping company Maersk. Ukrainian officials laid the blame on Moscow. Some cybersecurity experts said the virus, derived from an arsenal of U.S. National Security Agency (NSA) hacking tools that leaked in April, was actually a nation-state cyberattack masked as the work of independent hackers.
Yet President Donald Trump doesn’t appear to be inclined to raise the issue of Russian hacking campaigns and efforts to influence the U.S. election when he meets President Vladimir Putin on Friday. That’s concerning, especially since the U.S. government still isn’t fully protected, experts say.
“The fact that these things increasingly appear to be state-sponsored is giving anyone in government the absolute heebie-jeebies because it is terrifying,” says Simon Crosby, chief technology officer and co-founder of security software company Bromium, which is developing security for Microsoft’s Windows 10.
“We are massively vulnerable to this, and every government ought to be freaking out about it because it’s the equivalent of nukes being in the hands of terrorists,” Crosby says.
One of the weak links in America’s cybersecurity chain mail is election systems managed on a state-by-state basis and their contractors, he said.
Last month, a Homeland Security Department official testified before Congress that 21 state election systems were targeted by Russian cyberattacks in the run-up to the 2016 election. A Bloomberg report, citing sources with direct knowledge of the government’s investigations of the attacks, put the number at 39.
Further details emerged in a top-secret NSA document leaked to The Intercept that revealed Russia’s hacking efforts targeted companies contracted to provide election software for voter registration and rolls of registered voters.
“These companies are pathetic. Their software should be available in open source, and it should be massively audited by the world’s security pros,” Crosby says.
Not only that, but “you know those bright, shiny new U.S. Navy destroyers that you see pictures of?” Crosby asks. “They run on Windows XP,” he says, citing the Windows operating system that Microsoft stopped supporting with updates in 2014.
Crosby advocates for security solutions like his: a computer operating system that opens each application in a ring-fenced virtual environment, blocking viruses that target vulnerabilities in any one piece of software from spreading to other parts of the system.
But not everyone is going to update to the latest software. Many government departments are still running on massively outdated software and systems. Last year, there was a 40 percent increase in government data breaches, with 72 across American government systems.
In May, Trump issued an executive order on cybersecurity that directs his Cabinet to carry out a review of each department’s cybersecurity defenses within 90 days.
But that order doesn’t cover government contractors, the states, their electoral systems or state contractors. “The only way to get at that is a contractual matter and a diligence matter,” says attorney Scott Vernick, who represents Fortune 500 companies in lawsuits that focus on technology, privacy and data security. Trump’s executive order makes no mention of contractors.
Companies that fulfill contracts with the government are supposed to adhere to standards in the National Institute of Standards and Technology’s Cybersecurity Framework. But it’s voluntary, and they don’t necessarily do so. And neither did government departments until Trump’s recent executive order directed them to.
There are a number of things that these “companies should be doing to fight off these attacks,” Vernick says. They include training their staff not to open suspicious emails, always updating to the latest version of each piece of software and creating backups of all their data. Yet not all of them do that.
This is all part of a broader problem, Vernick says. “The federal government, with all of its time, money and effort, is having a hard enough time” securing its own systems, let alone those of its contractors. And when things get down to the state level, he adds, there are “less sophisticated people, with less training, money and less robust procurement policies.”
It’s not clear yet whether the Trump administration’s executive order on cybersecurity will have an impact and do anything to secure state election systems. So far, 44 states have rejected the administration’s election integrity commission’s requests for voter data as it probes voter fraud.
Many cybersecurity experts and foreign policy and intelligence officials predict that Russia will try to interfere in the midterm elections in 2018 and the presidential election in 2020.
What is needed across the government and its contractors is “the equivalent of the year 2000 bug preparations,” Crosby insists, referring to global preparations for the Y2K bug in 1999.
“We know now that malware in the hands of a nation-state will shut a country down. Let’s stop bullshitting ourselves,” he says. “We need to have massive, massive national initiatives.”