Friday, July 27, 2018

Preparing for the Cyber Midterms

I was really surprised to see Congress and a few people in the White House talk about preparing for the midterm elections in November.  That is about three months away on any calendar, Russian or US.  This tells us quite a bit about how people view hackers who have been trying to influence US voters, get into voting machines, and make life miserable for election officials.  They shouldn't be worried. 

If there is hacking to be done, it is well underway and most of the systems and people who are targets have already been hacked.  About all anyone can do is try to find out where they have been hacked and what they can do about it now.  The hackers who have gotten in have been in these systems for a few months, and probably a good deal longer - some at least back to 2016.  They just haven't been discovered yet.

It is much harder to find these people than the Intelligence reports would indicate unless you have really good hackers inside the networks that are attacking.  Most election officials not only don't, but don't have the access to classified information that would allow them to know what others have done to help out.  The best they can expect is someone saying "We have information that would indicate you are a target of hackers and may have been breached."  Most people can reason that out for themselves by reading newspapers, but a few of them don't keep up with current attacks the way they should.  Most do not have good security and don't want help getting more.  Only about 40% of any of them asked for help when it was offered.  This is the "we have this under control" syndrome common in state governments and lots of Federal agencies. 

The only way to find out is to test security from the outside and do it with the level of expertise that hacks from Russia have.  Nobody likes this, but it has to be done.  If we really consider this to be a national security issue, then we should treat it like one.  Penetration testing and assessments are the only way to do that.  There are big issues with states' rights and security cognizance in all of this, and that takes time to work out.  Nothing can be done for the midterms, but a lot can be done before 2020.

It took me over a year to arrange an assessment of networks across a whole military complex and all of the supporting contractors that connected to that complex, but it was worth doing.  We found a lot more than we wanted to know.  What the owners of those systems found out was they did not have it under control.  They were good about fixing things that were wrong, but the realization had to be there first.  A lot could be done before 2020, but the thinking about the need has to be more realistic than the midterm elections. 
