2020 election cybersecurity strategies

Chris Sienko: Hello and welcome to this weeks episode of the Cyber Work with Infosec podcast. Each week, I sit down with a different industry thought leader, and we discuss the latest cyber security trends, how those trends are affecting the work of infosec professionals, while offering tips for those trying to break in or move up the ladder in the cyber security industry. 2020 is right around the corner and with it, there is another Presidential election coming up again. With all its attendance security issues. So for 2020 Infosec is attempting to get ahead of potential issues. Use our free election security training resources to educate co-workers and volunteers on the cyber security threats they face during the election season. For more information on how to download your training packet, go to infosecintistute.com/IQ/election-security-training. Or visit the link in the description. Our guest today is Bob Stevens, VP of Americas at Lookout. He is on the front lines of people an organizations working to protect the 2020 election against security tampering and quickly spreading disinformation campaigns along mobile channels. For this election, with potentials for cyber intrusion and malfeasance practically inevitable, It's going to be important to address these issues up front rather than figure them out after the fact. As to what we should've done. Bob and I are gonna discuss some strategies already in place, somethings that we should be doing but aren't, and talk about the ramifications for inaction. Bob Stevens is Vice President of Americas at Lookout. In his role Bob works to provide mobile threat visibility and protection to federal agencies, across military, civilian, and intelligent sectors. Bob has more than 25 years experience building federal businesses, teams, and go-to market strategies. Prior to joining Lookout, Bob lead Semantic Federal, a $275 million dollar operation with over 100 team members. He also lead the development of Juniper Networks Federal Systems, growing it to 120 million in just six years. Bob, thank very much for joining us today.

Bob Stevens: Thank you Chris, happy to be here.

Chris: Great, so in a previous episode, we had a guest who discussed some of the security issues that came with the 2016 elections, as well as concerns that were surrounding the then upcoming midterm election in 2018. Could you summarize some of these from your own personal research? What were some of the biggest security issues that happened then, and how many of those are still possible in 2020?

Bob: I think the one that most people are aware of is the Podesta email hack. In which lots and lots of emails were taken and then used against a particular candidate during the election. And potentially sway the outcome of that. I know that as a result of that, campaigns are taking, trying to take a different approach, when it comes to cyber security for the upcoming election. But, but then, there's probably still a lot to be done. Just as an example, and you know I'll talk a lot about this today because Lookout's focus is on the mobile side.

Chris: Yes. You know there's a lot of action that needs to be taken on the mobile, the mobile front.

Chris: Okay, so I guess let's jump right into that. Mobile's obviously , how have the attack vectors changed, if at all, based on what we're seeing in the run up to 2020 versus previous elections?

Bob: Well I think as I mentioned, the campaigns are definitely aware of what could happen. Because it's based on experience at this point. And they've done a good job of protecting their servers, their websites, you know their traditional endpoint devices. And what I mean by that is, the desktops or laptops that they use. I think the biggest difference for the upcoming campaign is gonna be the fact that, people are using mobile as a means to get their message out to the voters.

Chris: Okay.

Bob: And we only see that growing. We saw it increase in the 2018, you know the midterm election an it's definitely gonna happen for 2020. And I think Obama started this trend, using social media to help him get elected and it's grown from there. The current President of course uses, as everyone knows, uses social media on a regular basis.

Chris: Lot of social media. So can you give me some sort of concrete example of how, cause you said that they're gonna be using mobile to increase their message. Can you give me some like examples or platforms or like how does this change the sort of delivery or even the message of the message I guess?

Bob: Sure, yeah one example's is text messages. A candidate's gonna be in the local area. They want to get the word out to as many voters as they possibly can. So they show up for their campaign rallies. So that's text messages, one. Also the social media. Most people are checking social media on mobile devices today. You know, as I sit on an airplane, in most cases, it's inevitable the person next to me is going through their Twitter feed.

Chris: Right.

Bob: To see what's going on. You know that's where a lot of the news comes from today. So that's just two examples of the way that I think campaigns are gonna use, or are using mobile devices today, to try and get the word out to all the voters.

Chris: Yeah, I know I remember in the midterms, there was a lot of sort of text-based "get-out-the-vote" efforts as well. And I imagine, with a few modifications you could very easily launch a text-based "get-out-the-vote", but give them the wrong date for voting or send out wrong information or things like that.

Bob: Yeah that's what they have to worry about. The mobile device is, well two things, one is, it's less likely to be secured. Because I think that most people believe that they're inherently secure.

Chris: Yes.

Bob: And there's a lot of different attack vectors for a mobile device. There's, like we just talked about, the text messages, there's in-app malware that can be put on a device. If I can somehow get on that person's device I can start to steal all their credentials, I can turn on their cameras, I can steal their emails. There's so many things that I can do with a mobile device. And because it is largely unprotected, it's becoming a larger and larger target for adversaries. And in this case, you know, probably criminals. Because another thing I would do, I'd send them bogus text messages for campaign donations. And try to get them to put the money into my account versus the candidate's account.

Chris: Yeah there's gonna be a much larger sort of, a text surface than just getting my candidate elected. It can also be, you know there's just some much money and so much interaction going on over the course of a Presidential election these days. That yeah, there's lots of room for sort of, secondary criminals to sneak in I suppose.

Bob: Yes absolutely. And I'd be surprised if it hasn't started already. One of the things you have to worry about on a mobile device is of course, phishing.

Chris: Yep.

Bob: Its kind of amazing we're still talking about phishing in this day and age. You'd think we would've solved it years and years ago. And you know for the most part we have, on desktops or laptops, via email tools, email anti-phishing tools. But on mobile devices, there's so many different ways to phish that device. I can send a text message, you click on the link I infect you with malware, I reset everything so that it looks like you haven't been infected at all but now I'm on your device. I can send It in messaging apps like Facebook Messenger or WhatsApp. I can send you a link or URL. I can also send you an email. And it's much harder for the user of that device to figure out that they've been phished, versus your traditional desktop and laptop.

Chris: Yeah. So there's been some talk in the past, and I'm not sure if you can necessarily speak to this, but, you know, that there'd been talk that as soon as the 2020 Presidential election, we could be moving towards an all electronic voting process. And it doesn't seem like we're any closer to that now than we were before. Do you think that will have any sort of bearing on things in the future? Is that something that's still worth moving towards, or is sort of having a paper trail and stuff, is that still gonna be too important to move this to an all electronic you think?

Bob: Well I think the current thinking is, for most of the voting, is that the error gapp systems that they use, and what I mean by that is it's not connected to any network, so it's a lot more difficult to hack. You know, we'll be around for while but, a lot of states have already started allowing mobile voting.

Chris: Yes, yeah.

Bob: Yes, or like West Virginia, West Virginia was the first one. They did it, I think in the 2016, it may have been the, I think it was the midterm elections. They allowed absentee voting and now there's 14 other states that are gonna adopt the same. So I think that that's the precursor of where we're headed. And of course, if you're gonna allow mobile voting, you are opening it up for the adversaries to get in and potentially change the results of the election. You know, years ago you and I may not have talked about absentee ballads playing a role in an election. I think for the most part, they were ignored because they didn't really mean, or they didn't amount to anything.

Chris: Yeah, it was a handful.

Bob: Yeah it was a handful. And that has changed. How many recounts happened during the midterm, as a result of absentee ballads? And the absentee ballads changing the campaign. So, so I think that, I think it's moving in that direction. I don't know exactly, when exactly, when we'll get there, but the signs are pointing to a different voting mechanism.

Chris: Do you think there's any sort of, like if, obviously, you know the will to do it is one thing, but do you think that there is a scenario in which we could make mobile voting safe? Or is it just too inherently unsafe, in your opinion?

Bob: I think we can. You know there's a, I mean you've gotta protect a few things. You know like, the application itself has to be secure. You have to ensure that the integrity of the device is, you know, the device is not compromised. In anyway before you allow anybody to enter their credentials or their votes. You know the banking industry's figured it out.

Chris: Yeah right, exactly. The tech is there, it's just .

Bob: Exactly. It's educating people to understand that they need some sort of, anti-phishing, anti-malware protection from network man-in-the-middle attacks. Things of that nature, on the device.

Chris: Yeah, that's one of those double-edged swords where its like, we might be able to unroll something like that but then its gonna be sort of, prohibitive people if you say, "Well you're only allowed to vote by your "phone if you have anti-malware devices on there "and you have all this sort of software "and things like that." And people say, "Well I don't have that." You know and then, who knows? But, so along with hacking, I wanted to hear more about your research into disinformation campaigns that could be launched. You know, it's one thing to tamper the voting box but you know, something completely different to spread wrong information via social media. Or spread news about how candidate x is losing to discourage voters, who might be coming in after work, you know from even bothering to vote at all. You know things like this are already ramping up with bots and sort of, farms of people commenting on social media. So, do you have a strategy for combating this pernicious sort of disinformation menace?

Bob: I think that we learned a lot, obviously we learned a lot in the last election, in the 2016 election, about how social media was used by some of our adversaries. And I think that companies like Facebook and Twitter have gone to great lengths to ensure that it's not gonna happen again. To the best of their ability. I think DHS Homeland Security's also have gotten involved, and they're helping advise companies on how to ensure that it doesn't happen again. But I'm gonna go back to mobile because like, I'll tell you, it's still the wide open platform. For the adversaries because no one's thinking, "Hey, how should I protect that device? "How should I protect the candidate themselves? "How should I protect the staffers? "How should I protect the voters? "How should I protect the voting app "for the absentee ballad type situation?" I just, I don't think that that's being considered. So, in my opinion, they're leaving a wide open gap for the adversaries to have an impact. We already talked about various ways that they can engineer a change in the result. You know, through the text messages or the messaging apps, and you know et cetera et cetera. So, I think that the campaigns have gotta take a much broader look. And frankly, some of em' already have. I can tell you, some of em' are already using our product. I'm not gonna go into which ones.

Chris: Okay.

Bob: As you can imagine, when somebody buys a security platform, they don't want people to know who or what it is.

Chris: Of course, yeah absolutely.

Bob: They can remain protected so. So, some of em' are already doing it but you know, there's a long ways to go, in my opinion.

Chris: Okay, so obviously, we'll keep the anonymity of the clients but can you tell me a bit more about the product and what it's meant to do in this area?

Bob: Yeah, sure. So our enterprise product is protecting the device from man-in-the-middle attacks. So that's, you know, as you can imagine, your device is trying to connect to every Wi-Fi network out there, you don't want somebody to get in the middle of that connection to potentially steal your credentials or your data. So we're protecting you against that. We have anti-phishing product. And our phishing solution is pretty in depth. We're not just looking at URLs, we're looking at the text messages, we're looking at the messaging apps, we're looking at the browser searches. You know, things of that nature to ensure that the person is not being phished. And then we can stop them from potentially going to a site that's not gonna be beneficial for them. Let's put it that way. We also monitor every application that's on the device. And we're looking for malware that's been, you know, injected into those applications. And then the fourth areas are vulnerabilities, because you know, what the adversaries look for is a vulnerability or in an application, or an operating system, that they can try and write malware or an exploit to take advantage of. So we're monitoring for vulnerabilities as well. So those four areas are the things that we're helping protect the candidates from. And we're just, I'll just say we're kind of a piece of mobile security. You know, there's a couple different, you know I think of course, you need Lookout, but you also need some sort of encryption on the device to help you as well. And then some sort of, device management tool, that helps with enforcement of policies.

Chris: Uh, just in general, for people you know, obviously we all have mobile phones at this point, or you know smart phones or whatever. What would be your sort of, comprehensive like, gist as a basic security pack? What should everyone have on their phones, just to keep them as safe as possible?

Bob: So that the, every consumer, so we're, Lookout's fortunate, we have a consumer application that's in the Google Play Store and the iTunes Store. And it's a freemium model, so you can download it for free. You get security for free because our founders believed in protecting the devices. And then there's of course, some eye candy that you can upgrade to if you deem necessary. Like identity protection and things of that nature so.

Chris: Gotcha. Okay, so we'll start with that. So, I guess going back to the candidates, back in 2015, 2016, there were all these reports about which candidate sites were easiest to hack into and we did some of those articles as well, who had the safest, you know, websites and things like that. And I guess, with all the info around this, why are candidate websites and stuff still the easiest things to hack into? It seems, you know, like we would've learned by now. What advice would you give for candidates? Obviously other that get Lookout, what advice would you give them to harden their security profile, in general?

Bob: Yeah, I'll say a couple of things here. One is, it probably boils down to money.

Chris: Okay.

Bob: I think that they have cyber budgets, but do they necessarily have the expertise, as part of their campaign, to help them lock systems down. So I think that they need to be able to use some of the donations that they get to insure that they're secure. And I don't know that they have the ability to do that today. So that's one thing. And then you mentioned mobile or Lookout, protecting their mobile devices. I'll say that the mobile devices, as I mentioned earlier, wide open in my opinion. If I'm an adversary, what I'm gonna try and do is to get on your mobile device and steal your credentials for access into the network. Because I guarantee that most of the staffers today, and probably the candidates themselves, are accessing all the data that they need to get, via their mobile device, and they're entering in some sort of credentials. So if I can get on that device, that has no protection on it today, then I can get into the network. So that's, that's another area that they need to take a hard look at to ensure that they're protecting it adequately.

Chris: So, on a equally large scale, apart from bots and social media farms, and robocalls and what not. There's issues like Cambridge Analytica, who can sway elections via marketing campaigns. So, you said that DHS and others have sort of, gotten involved with social media. Do you feel like there are enough safeguards that have been put in place to prevent things like this, and if not what safeguards could realistically, be put into place sort of quickly?

Bob: You know I think that, you know I mentioned servers. Servers are you know, protecting a server's pretty well know at this point. Protecting a desktop pretty well known. Laptop, same thing. I think that there's more education that needs, that's required in protecting the entire ecosystem. I just don't know that we do a good enough job of ensuring that people are educated on the potential threats that's exist. When they're using a mobile device, or laptop or anything else. So I think we could do a lot better job of just education, in general.

Chris: Okay, so to that end, could we talk about some social engineering issues. What should voters be watching out for that's out there or look out of the ordinary? You said if a weird text or a weird thing comes up on your phone, what are some red flags that people should be looking out for?

Bob: Yeah, don't take things for granted. If you get things out of the blue, just don't click it, don't click on a link. Try and browse through the website directly. So that you can make sure that it's it's a valid link. You know if your, if you get a strange message from a candidate out there, again, do your homework. Just don't take it for granted. Make sure that it's valid before you take any sort of action whatsoever. I guarantee, if somebody is asking for a donation over a text message, is this something that you would expect from your candidate? Probably not. There are traditional forms of campaign donations, or from the phone or face-to-face.

Chris: Right. Or the usual, sort of text such and such and then it gets added on your phone bill, or something crazy like that. Are there, are there any type of like, education processes that you think can be undertaken to bring the voting populous up to speed about current security dangers, and are there ways of getting the word out about the importance of staying safe online and on your phone, you know that's informative but doesn't feel partisan to one side or the other or what have you?

Bob: Yeah, I actually don't think it is a partisan issue--

Chris: Oh it's not, but I think it's, you know, I think if worded strangely people can say, "Oh you're just trying to get me to blah blah blah." You know, whatever, you know--

Bob: Yes.

Chris: As soon as every you know, certain fake news websites where reported by Facebook, it was a smear campaign of what have you.

Bob: Yeah, I understand what you're saying and I agree. But the, I think that, sometimes I like to just go back to the basics. Public service announcements, trying to educate people on how to protect themselves. I mean, it's in all of our best interests to ensure the integrity of our elections, are kept sound. So, you know, that's, and so, you know, it's both parties or all parties, should be getting, trying to get the word out, in a nonpartisan way to say, "Hey here are the things "that we need to do as citizens of The United States "to protect our election process."

Chris: Yeah, whoever you're voting for, just make sure that you're being safe about it and such.

Bob: Right.

Chris: So what's the balance to be found between social engineering concerns and out and out software fraud? What do you think should be the sort of, main focus for this next cycle?

Bob: Yeah, I don't think that, I think that both are critical concerns. So, I don't think there's balance to be struck there. I think that both have to be equally pursued to ensure that, you know, we have, like I said, our campaigns are kept at the highest level of integrity. So, we've got to protect against social software vulnerabilities, and we also have to protect against the social engineering. The adversaries are doing both. So it's, I don't think there is a balance there. I think it's focus on both.

Chris: All at once. Is there any place in the equation for sort of, ethical hacking to be utilized? Where, you know, we can go in and sort of like look for possible breach points into campaign sites or voting software, anything like that? Do you have any sort of like, preemptive tech ideas or whatever to sort of see where the holes are?

Bob: Yeah, so Lookout was founded on ethical hacking. The co-founders discovered a vulnerability in a Motorola device, via Bluetooth. They tried to disclose it, and weren't greeted with open arms .

Chris: Sure.

Bob: So they decided that nobody really cared about the protection of mobile devices and that's what they're gonna make it their mission to do.

Chris: Right.

Bob: So, I'm a big believer in ethical hacking. You know, a lot of companies out there offer bug bounties for ethical hackers. I think that the government can do the same thing for election systems and processes. Just offer some bounty out there for the ethical hackers to go test the integrity of the systems. To see if they can if they can get in. And I think it would help them out immensely.

Chris: Yeah, and when hear of so many old, like really old voting machines that have, you know, old firmware issues and things like that. It seems like someone needs to raise some money some where to get a lot of these things up-to-date. You hear so many things about, like old, old voting machines, and no one's doing anything to sort of patch them and things like that. I don't know, if you were to be given a magic legislative gavel to put a passel of laws into place, to make voting safer and more accurate, like apart from doing things on a technical level, what laws do think would it be possible to enact? To make this happen?

Bob: Yeah, I'd love to see some mandates, in regard to mobile security. None exist today. I've been on Capitol Hill, speaking when, you know, a lot of legislators about. They're trying to raise the awareness and they all agree that it's something that needs to be focused on but nobody's put together any legislation yet, to try and mandate the protection of the mobile devices. There's a lot of mandates out there for your traditional desktop and your laptop. You gotta have anti-phishing, you gotta have anti-virus, and you have to have DLP for, insider threats. But nothing for a mobile device. So I think something needs to, some sort of mandate needs to exist, so that organizations understand that, hey, this is important and it's something that we need to focus on and protect our candidates, our staffers, and our voters from.

Chris: Okay, so as we wrap up today, we're obviously talking about the things we're most afraid of and the biggest concerns. Are there any sort of signs that you've seen that people are noticing these things, or taking preemptive action that they weren't in 2016? Are seeing any sort of, light at the end of the tunnel, or good news anywhere?

Bob: Yeah, as I mentioned earlier, I think there's a ton of lessons that have been learned. People are, you know, their awareness has grown. I think most candidates have some sort of cyber advisor, in their staff now, to help protect them. I think that based on the evidence, the candidates have purchased Lookout, as an example. Several candidates have purchased Lookout. There's an, there's a raised awareness. Back in 2016, we didn't have any candidates as customers. So now we have quite a few. So, I think there is a, a raised awareness. And I'll also say that the government has gotten involved. Like DHS, as I mentioned earlier, has gotten involved. And they're trying to ensure the integrity of the campaign. So, I think it's getting better, there's still work that needs to be done, as always. But it is definitely moving in the right direction.

Chris: Do you think there are sort of, employment possibilities for people, who have a cyber security background, who can do sort of, run up to the election, sort of, cyber, not recon necessarily but sort of, cyber hardening and people who can volunteer themselves to their local political campaigns, to help with safety issues or their local poll office, or is that already covered?

Bob: No, I don't think it is, I think it's a great idea, it's a great point. They could volunteer, if they want to contribute to a campaign, that's one of the things they could bring is their expertise to the table. Not just going door-to-door to try and get somebody to vote for an individual. It's a great point you bring up, volunteer, volunteer--

Chris: Ethical hackers out there, it's a great experience, it looks great on your resume, make you very civic-minded, and you might learn something.

Bob: Exactly, exactly.

Chris:  Okay, so to sum up, tell me again, a little bit about you organization, how to reach you online and so forth.

Bob: So, you know, it's Lookout, and we focus on the protection of mobile devices. You know, I mentioned the four areas that we cover, so man-in-the-middle, safe browsing, so anti-phishing, vulnerabilities and malware on the devices and, if you're interested in protecting your mobile device, you can certainly reach me at Bob.StevensatLookout.com

Chris: Okay, and the freemium phone app, is that just called Lookout on the app store or?

Bob: It is, if you search for Lookout on either of the stores you'll find Lookout and download it, like I said, for free and if you want to pay, you can get some extra eye candy, so.

Chris: Cool, Bob Stevens, thanks once again for your time and insights.

Bob: Thank you, have a great day.

Chris: Okay, and thank you all for listening and watching. If you enjoyed today's video you can find many more on our YouTube page. Just go to YouTube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your favorite podcasts catcher of choice. See the current promotional offers available to listeners of the podcasts, go to InfoSecinstitue.com/podcasts. And once again, use our free election training resources, to educate co-workers. For information on how to download your training packet, visit infosecinstitute.com/IQ/election-security-training or click the link in the description. Thanks once again to Bob Stevens and thank you all for watching and listening. We'll speak to you next week.