Whatever your preference of candidates might have been, one thing was clear from the 2016 U.S. presidential election: the Russian government targeted American political organizations of both parties with an aggressive wave of cyber intrusions. Bothprivate sector analystsand theU.S. Intelligence Communityagree on this point.
Furthermore, FBI Director James Comey recently told a congressional committee that theyll be back in 2020they may be back in 2018. The head of the NSA, Admiral Mike Rogers, concurred, saying that he fully expect[s] they will maintain this level of activity.
Faced with a potential onslaught from persistent and technically advanced adversaries, political organizations should use end-to-end encrypted email and file-sharing applications that are easy to use. These applications must have three characteristics:
First, they must encrypt every message and file end-to-end. This means that even if an adversary successfully breaches an organizations server, as in the case of the Democratic National Committee (DNC), doing so will not reveal any information.
Second, these applications should not allow privileged super-users. By exploiting the vulnerability of super-user accounts in the DNC network, hackers were able to steal and leak thousands of internal communications.
Third, these applications must not use passwords, which are themselves major security vulnerabilities. People often create passwords that are easy to guess, and they divulge them too readily.
How end-to-end encryption protects user data even if a server is hacked
When messages areencrypted end-to-end, the information stored on the server is secure even if the server is hacked. Each message should beautomaticallyencrypted with auniquekey before it leaves the users deviceand onlydecrypted when it reaches its recipient.
If attackers breach the walls protecting the server such as traditional password portals and firewalls all they will find is encrypted, useless gibberish. This was not the case at the DNC,nor is it standard practicefor most major communications providers, which store their customers information on their servers unencrypted.
The DNC Breach and The Risk of Super Users
In lead up to the 2016 elections, two independent and advanced cyber actors targeted the DNCs computer servers. The first one to strike, known asAdvanced Persistent Threat (APT) 29orCOZY BEAR, was an unidentified Russian grouppossibly affiliatedwith the countrys internal security service.
The second one, known asFANCY BEARorAPT 28in cybersecurity circles, was probably a component of Russias military. The former groupsent a stringofspear phishingemails to people working at American government and nonprofit organizations in the summer of 2015, likely including someone with legitimate access to the DNC network.
The latter one waged a massive campaign in parallel; from October 2015 to May 2016, itsent almost 9,000spear phishing emails with malicious links to nearly 4,000 similar targets. As the two attackers didnot appear to be working together, one or more people at the DNC clicked on embedded links from each group, giving the Russiansaccessto the network.
One of the attackers eventually gained control of aprivileged administrator account, and was able to steal tens of thousands of sensitive emails. Instead of giving administrators super-user privileges to access vast amounts of information, new encrypted email applications use the concept of Approval Groups. With this paradigm, only a predetermined combination of trusted individuals can retrieve the decryption keys for messages on the server.Instead of giving administrators super user privileges to view vast amounts of information one of the reasons the DNC attackers were able to steal so much material a model that allows only a predetermined combination of trusted individuals to recreate the decryption keys of other users should be used.
This restriction, which gives cryptographic shards of keys to certain individuals, prevents a single hijacked administrator from wreaking havoc on an organizations information technology systems. It would also require attackers to gain control of the individual devices of approval group members, which is far more difficult.
Furthermore, messages that areencrypted end-to-endare secure even if the server they are sitting on is hacked. If attackers breach the walls protecting the server such as traditional password portals and firewalls all they will find is encrypted, useless gibberish. This is because with end-to-end encryption, you are the sole owner of the keys needed to decrypt the information.
This was not the case at the DNC,nor is it standard practicefor most major communications providers, which store their customers information on their servers unencrypted.
Finally, in the DNC hack, FANCY BEAR/APT 28 tookadvanced counter-forensic measuressuch as corrupting and deleting internal server logs to obscure its presence. Logs of all communications should be encrypted to prevent exactly this from happening.
Whether Democrat, Republican, or Independent, everyone should understand that systems that leave sensitive data unencrypted while at rest, as well as those that allow for super users, are vulnerable to advanced cyber intrusions like the one the DNC suffered.
Why passwords make systems vulnerable
While they were attacking the DNCs servers, members of FANCY BEAR/APT 28 were also busy at work attempting to breach other systems, namely the personal email accounts of Democratic Party officials and staff members.
Perhaps the most attractive target was then-candidate Hillary ClintonHillary Rodham ClintonOvernight Cybersecurity: Comey testifies on Clinton probe, surveillance | Officials grilled over financial aid breach | Massive phishing attack hits Gmail users Budowsky: A fascist-friendly POTUS When will Hillary Clinton grow up and take responsibility? MOREs campaign manager John Podesta. Like many busy and important people, he did not have time to remember a slew of different passwords for every web site he used. He occasionally asked his aides toremind himof his passwords via email and probablyre-used themamong multiple different applications.
Passwords can be a security liability as well as a hassle for users, which is why politicians, candidates and their political aids should use strong cryptographic keys instead. These keys, which are dozens of digits long, can be automatically created and stored on users computers and phones. The keys are so complex that it would take all the supercomputers on earth billions of years to guess.
Unfortunately, Podestas Gmail account used passwords to decrypt his emails instead of cryptographic keys stored locally.Receiving anemail alert probably from the Russians warning him that an unauthorized user was trying to access his Gmail account, he or one of his staff members reached out to the campaigns information technology support team. After getting someconfusing advice, either Podesta or one of his assistantsclicked on an embedded malicious linkto a fake password reset portal. He fell for the ruse and entered his credentials, giving them to the attackers.
The FANCY BEAR/APT 28 actors were then able to access and download nearlyten years worth of private communications. The Russians later used the stolen materials to create another October Surprise for the campaign by againproviding the information to WikiLeaks.
It is unfortunate that, in retrospect, using end-to-end encryption with strong cryptographic keys could have prevented all of this. By keeping encryption keys only on a users device, there is no need for passwords to access ones communications. Not having to remember and type them in all the time makes it impossible toaccidentally give them to hackerstoo.
Get ready for 2018 by securing your systems today
Although the 2016 election is in the books, the cybersecurity lessons we can learn from it are critical for future cycles. We know that at least one foreign country will take active measures, like hacking political organizations and campaigns, to support itspreferred candidate. Regardless of whom you support, every American should be able to agree that sensitive internal communications like campaign emails must remain private and secure. With an end-to-end encrypted messaging protocol, political organizations of every stripe can do just that.
Walter Haydock works forPreVeil, a Boston based cybersecurity companywhere he interfaces with political campaigns, think tanks, and other government-facing clients.Previously, he served as a staff member for the House of Representatives as well as an officer in the Marine Corps. The views expressed in this article do not necessarily reflect the official policy or position of the United States government.
The views expressed by contributors are their own and are not the views of The Hill.
- encryption - How secure is AES-256? - Cryptography Stack ... - June 2nd, 2019
- The World's Email Encryption Software Relies on One Guy, Who ... - May 5th, 2019
- Encryption breakthrough could keep prying eyes away from your ... - May 5th, 2019
- What Is Data Encryption? Definition, Best Practices & More ... - May 1st, 2019
- IronClad Encryption Partners with Data443 Risk Mitigation ... - April 30th, 2019
- What Is Encryption? An Overview of Modern Encryption ... - April 30th, 2019
- Symmetric vs. Asymmetric Encryption What are differences? - April 29th, 2019
- Difference Between Hashing and Encryption - ssl2buy.com - April 29th, 2019
- What is Advanced Encryption Standard (AES)? - Definition ... - April 29th, 2019
- How to Encrypt Your Wireless Network - Lifewire - April 29th, 2019
- After Paris, Encryption Will Be a Key Issue in the 2016 ... - April 22nd, 2019
- Email encryption - Wikipedia - April 8th, 2019
- What is Encryption, and Why Are People Afraid of It? - April 8th, 2019
- Data encryption | cryptology | Britannica.com - April 8th, 2019
- How to Enable Full-Disk Encryption on Windows 10 - April 1st, 2019
- After Paris, Encryption Will Be a Key Issue in the 2016 Race - March 27th, 2019
- Does Encryption Really Help ISIS? Heres What You Need to ... - March 27th, 2019
- AES and RSA Encryption Explained - March 27th, 2019
- Encryption: What it is and why its important - Norton - March 23rd, 2019
- Email encryption in transit - Gmail Help - March 21st, 2019
- Authenticated encryption - Wikipedia - March 19th, 2019
- Email Encryption Options for MDaemon Email Server - March 14th, 2019
- How to Encrypt Files on Windows - Tutorial - Toms Guide - March 6th, 2019
- Encryption, Key Management - bank information security - March 5th, 2019
- Which Types of Encryption are Most Secure? - February 7th, 2019
- JSON Object Signing and Encryption (JOSE) - February 4th, 2019
- What Is Encryption, and How Does It Work? - January 26th, 2019
- The Pitfalls of Facebook Merging Messenger, Instagram, and ... - January 26th, 2019
- Encryption: Avoiding the Pitfalls That Can Lead to Breaches - January 14th, 2019
- Encryption | Information Technology Services - December 31st, 2018
- Encryption - Investopedia - December 16th, 2018
- How to Protect Data at Rest with Amazon EC2 Instance Store ... - December 9th, 2018
- Next Generation Encryption - blogs.cisco.com - December 4th, 2018
- 3 Different Data Encryption Methods - DataShield blog - November 22nd, 2018
- Security and encryption | Documentation | Turtl - November 18th, 2018
- Encryption | General Data Protection Regulation (GDPR) - November 16th, 2018
- Using Encryption and Authentication Correctly (for PHP ... - November 13th, 2018
- Encryption | SANS Security Awareness - November 9th, 2018
- Types of Encryption | Office of Information Technology - November 5th, 2018
- Use Your own Encryption Keys with S3s Server-Side ... - October 29th, 2018
- What is Tokenization vs Encryption - Benefits & Uses Cases ... - October 12th, 2018
- Device Encryption | it.ucsf.edu - October 12th, 2018
- 5 Common Encryption Algorithms and the Unbreakables of the Future - September 15th, 2018
- Top 5 best encryption software tools of 2018 | TechRadar - August 26th, 2018
- New EBS Encryption for Additional Data Protection | AWS ... - August 22nd, 2018
- Best Encryption Software 2018 - Encrypt Files on Windows PCs - August 20th, 2018
- Download BestCrypt Volume Encryption 3.78.05 / 4.01.09 Beta - July 26th, 2018
- End-to-end encryption - Wikipedia - July 24th, 2018
- Download Symantec Encryption Desktop 10.4.0 Build 1100 - July 15th, 2018
- HTTPS - Wikipedia - July 10th, 2018
- AES encryption - June 20th, 2018
- Encrypt email messages - Outlook - June 20th, 2018
- Download Sophos Free Encryption 18.104.22.168 - softpedia.com - June 19th, 2018
- Does Skype use encryption? | Skype Support - June 16th, 2018
- Encryption- Computer & Information Security - Information ... - May 25th, 2018
- Enable BitLocker on USB Flash Drives to Protect Data - May 25th, 2018
- Transparent Data Encryption (TDE) - msdn.microsoft.com - April 12th, 2018
- Encryption Software Market - Global Forecast to 2022 - March 24th, 2018
- What AES Encryption Is And How It's Used To Secure File Transfers - March 24th, 2018
- Encryption vs. Cryptography - What is the Difference? - March 24th, 2018
- Energy-efficient encryption for the internet of things | MIT News - February 16th, 2018
- The Best Encryption Software - TopTenReviews - February 16th, 2018
- File-Based Encryption | Android Open Source Project - February 7th, 2018
- Beyond Encryption | Secure Enterprise email using existing ... - February 1st, 2018
- Azure Search enterprise security: Data encryption and user ... - January 26th, 2018
- Skype finally getting end-to-end encryption | Ars Technica - January 13th, 2018
- FBI chief says phone encryption is a 'major public safety issue' - January 13th, 2018
- Encryption and Export Administration Regulations (EAR) - December 27th, 2017
- Key (cryptography) - Wikipedia - December 21st, 2017
- security - Fundamental difference between Hashing and ... - December 15th, 2017
- What Is Encryption? | Surveillance Self-Defense - December 4th, 2017
- Comodo Disk Encryption Download - softpedia.com - December 1st, 2017
- Encryption - Simple English Wikipedia, the free encyclopedia - November 24th, 2017
- BitLocker Drive Encryption Overview - technet.microsoft.com - November 23rd, 2017
- The Encrypting File System - technet.microsoft.com - November 18th, 2017
- FBI cant break the encryption on Texas shooters smartphone - November 13th, 2017
- DOJ: Strong encryption that we dont have access to is ... - November 13th, 2017
- DOJ Fires Up New War With Apple Over Encryption - November 12th, 2017
- Security Awareness - Encryption | Office of Information ... - October 15th, 2017
- Data Encryption and Decryption (Windows) - October 14th, 2017