2020 election cybersecurity strategies | Cyber Work Podcast

November 19, 2019 posted by

(funky music) – Hello and welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week, I sit down with a different industry thought leader, and we discuss the latest cyber security trends, how those trends are affecting the work of infosec professionals, while offering tips for those trying to break in or move up the ladder in the cyber security industry. 2020 is right around the corner and with it, there is another Presidential election coming up again, with all its attendant security issues. So for 2020 Infosec is attempting to get ahead of potential issues. Use our free election security training resources to educate co-workers and volunteers on the cyber security threats they face during the election season. For more information on how to download your training packet, go to infosecinstitute.com/IQ/election-security-training, or visit the link in the description. Our guest today is Bob Stevens, VP of Americas at Lookout. He is on the front lines of people and organizations working to protect the 2020 election against security tampering and quickly spreading disinformation campaigns along mobile channels. For this election, with potentials for cyber intrusion and malfeasance practically inevitable, it’s going to be important to address these issues up front rather than figure them out after the fact, as to what we should’ve done. Bob and I are gonna discuss some strategies already in place, some things that we should be doing but aren’t, and talk about the ramifications for inaction. Bob Stevens is Vice President of Americas at Lookout. In his role Bob works to provide mobile threat visibility and protection to federal agencies, across military, civilian, and intelligence sectors. Bob has more than 25 years’ experience building federal businesses, teams, and go-to-market strategies. Prior to joining Lookout, Bob led Symantec Federal, a $275 million operation with over 100 team members. He also led the development of Juniper Networks Federal Systems, growing it to 120 million in just six years. Bob, thanks very much for joining us today.

– Thank you Chris, happy to be here.

– Great, so in a previous episode, we had a guest who discussed some of the security issues that came with the 2016 elections, as well as concerns that were surrounding the then upcoming midterm election in 2018. Could you summarize some of these from your own personal research? What were some of the biggest security issues that happened then, and how many of those are still possible in 2020?

– I think the one that most people are aware of is the Podesta email hack, in which lots and lots of emails were taken and then used against a particular candidate during the election, and potentially sway the outcome of that. I know that as a result of that, campaigns are taking, trying to take a different approach when it comes to cyber security for the upcoming election. But, but then, there’s probably still a lot to be done. Just as an example, and you know I’ll talk a lot about this today because Lookout’s focus is on the mobile side.

– Yes.

– You know there’s a lot of action that needs to be taken on the mobile, the mobile front.

– Okay, so I guess let’s jump right into that. Mobile’s obviously (mumbles), how have the attack vectors changed, if at all, based on what we’re seeing in the run up to 2020 versus previous elections?

– Well I think as I mentioned, the campaigns are definitely aware of what could happen, because it’s based on experience at this point. And they’ve done a good job of protecting their servers, their websites, you know their traditional endpoint devices. And what I mean by that is, the desktops or laptops that they use. I think the biggest difference for the upcoming campaign is gonna be the fact that people are using mobile as a means to get their message out to the voters.

– Okay.

– And we only see that growing. We saw it increase in the 2018, you know the midterm election and it’s definitely gonna happen for 2020. And I think Obama started this trend, using social media to help him get elected and it’s grown from there. The current President of course uses, as everyone knows, uses social media on a regular basis.

– Lot of social media. So can you give me some sort of concrete example of how, cause you said that they’re gonna be using mobile to increase their message. Can you give me some like examples or platforms or like how does this change the sort of delivery or even the message of the message I guess?

– Sure, yeah one example is text messages. A candidate’s gonna be in the local area. They want to get the word out to as many voters as they possibly can, so they show up for their campaign rallies. So that’s text messages, one. Also the social media. Most people are checking social media on mobile devices today. You know, as I sit on an airplane, in most cases, it’s inevitable the person next to me is going through their Twitter feed.

– Right.

– To see what’s going on. You know that’s where a lot of the news comes from today. So that’s just two examples of the way that I think campaigns are gonna use, or are using mobile devices today, to try and get the word out to all the voters.

– Yeah, I know I remember in the midterms, there was a lot of sort of text-based “get-out-the-vote” efforts as well. And I imagine, with a few modifications you could very easily launch a text-based “get-out-the-vote”, but give them the wrong date for voting or send out wrong information or things like that.

– Yeah that’s what they have to worry about. The mobile device is, well two things, one is, it’s less likely to be secured, because I think that most people believe that they’re inherently secure.

– Yes.

– And there’s a lot of different attack vectors for a mobile device. There’s, like we just talked about, the text messages, there’s in-app malware that can be put on a device. If I can somehow get on that person’s device I can start to steal all their credentials, I can turn on their cameras, I can steal their emails. There’s so many things that I can do with a mobile device. And because it is largely unprotected, it’s becoming a larger and larger target for adversaries. And in this case, you know, probably criminals. Because another thing I would do, I’d send them bogus text messages for campaign donations, and try to get them to put the money into my account versus the candidate’s account.

– Yeah there’s gonna be a much larger sort of, attack surface than just getting my candidate elected. It can also be, you know there’s just so much money and so much interaction going on over the course of a Presidential election these days. That yeah, there’s lots of room for sort of, secondary criminals to sneak in I suppose.

– Yes absolutely. And I’d be surprised if it hasn’t started already. One of the things you have to worry about on a mobile device is of course, phishing.

– Yep.

– It’s kind of amazing we’re still talking about phishing in this day and age. You’d think we would’ve solved it years and years ago. And you know for the most part we have, on desktops or laptops, via email tools, email anti-phishing tools. But on mobile devices, there’s so many different ways to phish that device. I can send a text message, you click on the link, I infect you with malware, I reset everything so that it looks like you haven’t been infected at all but now I’m on your device. I can send it in messaging apps like Facebook Messenger or WhatsApp. I can send you a link or URL. I can also send you an email. And it’s much harder for the user of that device to figure out that they’ve been phished, versus your traditional desktop and laptop.

– Yeah. So there’s been some talk in the past, and I’m not sure if you can necessarily speak to this, but, you know, that there’d been talk that as soon as the 2020 Presidential election, we could be moving towards an all electronic voting process. And it doesn’t seem like we’re any closer to that now than we were before. Do you think that will have any sort of bearing on things in the future? Is that something that’s still worth moving towards, or is sort of having a paper trail and stuff, is that still gonna be too important to move this to an all electronic (mumbles) you think?

– Well I think the current thinking is, for most of the voting, is that the air-gapped systems that they use, and what I mean by that is it’s not connected to any network, so it’s a lot more difficult to hack. You know, we’ll be around for a while but, a lot of states have already started allowing mobile voting.

– Yes, yeah.

– Yes, or like West Virginia, West Virginia was the first one. They did it, I think in the 2016, it may have been the, I think it was the midterm elections. They allowed absentee voting and now there’s 14 other states that are gonna adopt the same. So I think that that’s the precursor of where we’re headed. And of course, if you’re gonna allow mobile voting, you are opening it up for the adversaries to get in and potentially change the results of the election. You know, years ago you and I may not have talked about absentee ballots playing a role in an election. I think for the most part, they were ignored because they didn’t really mean, or they didn’t amount to anything.

– Yeah, it was a handful.

– Yeah it was a handful. And that has changed. How many recounts happened during the midterm, as a result of absentee ballots? And the absentee ballots changing the campaign. So, so I think that, I think it’s moving in that direction. I don’t know exactly, when exactly, when we’ll get there, but the signs are pointing to a different voting mechanism.

– Do you think there’s any sort of, like if, obviously, you know the will to do it is one thing, but do you think that there is a scenario in which we could make mobile voting safe? Or is it just too inherently unsafe, in your opinion?

– I think we can. You know there’s a, I mean you’ve gotta protect a few things. You know like, the application itself has to be secure. You have to ensure that the integrity of the device is, you know, the device is not compromised in any way before you allow anybody to enter their credentials or their votes. You know the banking industry’s figured it out.

– Yeah right, exactly. The tech is there, it’s just (laughs).

– Exactly. It’s educating people to understand that they need some sort of, anti-phishing, anti-malware protection from network man-in-the-middle attacks. Things of that nature, on the device.

– Yeah, that’s one of those double-edged swords where it’s like, we might be able to unroll something like that but then it’s gonna be sort of, prohibitive to people if you say, “Well you’re only allowed to vote by your phone if you have anti-malware devices on there and you have all this sort of software and things like that.” And people say, “Well I don’t have that.” You know and then, (laughing) who knows? But, so along with hacking, I wanted to hear more about your research into disinformation campaigns that could be launched. You know, it’s one thing to tamper the voting box but you know, something completely different to spread wrong information via social media. Or spread news about how candidate X is losing to discourage voters, who might be coming in after work, you know from even bothering to vote at all. You know things like this are already ramping up with bots and sort of, farms of people commenting on social media. So, do you have a strategy for combating this pernicious sort of disinformation menace?

– I think that we learned a lot, obviously we learned a lot in the last election, in the 2016 election, about how social media was used by some of our adversaries. And I think that companies like Facebook and Twitter have gone to great lengths to ensure that it’s not gonna happen again. To the best of their ability. I think DHS, Homeland Security, has also gotten involved, and they’re helping advise companies on how to ensure that it doesn’t happen again. But I’m gonna go back to mobile because like, I’ll tell you, it’s still the wide open platform for the adversaries because no one’s thinking, “Hey, how should I protect that device? How should I protect the candidate themselves? How should I protect the staffers? How should I protect the voters? How should I protect the voting app for the absentee ballot type situation?” I just, I don’t think that that’s being considered. So, in my opinion, they’re leaving a wide open gap for the adversaries to have an impact. We already talked about various ways that they can engineer a change in the result. You know, through the text messages or the messaging apps, and you know et cetera et cetera. So, I think that the campaigns have gotta take a much broader look. And frankly, some of ’em already have. I can tell you, some of ’em are already using our product. I’m not gonna go into which ones.

– Okay.

– As you can imagine, when somebody buys a security platform, they don’t want people to know who or what it is.

– Of course, yeah absolutely.

– They can remain protected so. So, some of ’em are already doing it but you know, there’s a long ways to go, in my opinion.

– Okay, so obviously, we’ll keep the anonymity of the clients but can you tell me a bit more about the product and what it’s meant to do in this area?

– Yeah, sure. So our enterprise product is protecting the device from man-in-the-middle attacks. So that’s, you know, as you can imagine, your device is trying to connect to every Wi-Fi network out there, you don’t want somebody to get in the middle of that connection to potentially steal your credentials or your data. So we’re protecting you against that. We have an anti-phishing product. And our phishing solution is pretty in depth. We’re not just looking at URLs, we’re looking at the text messages, we’re looking at the messaging apps, we’re looking at the browser searches. You know, things of that nature to ensure that the person is not being phished. And then we can stop them from potentially going to a site that’s not gonna be beneficial for them. Let’s put it that way. We also monitor every application that’s on the device. And we’re looking for malware that’s been, you know, injected into those applications. And then the fourth area is vulnerabilities, because you know, what the adversaries look for is a vulnerability in an application, or an operating system, that they can try and write malware or an exploit to take advantage of. So we’re monitoring for vulnerabilities as well. So those four areas are the things that we’re helping protect the candidates from. And we’re just, I’ll just say we’re kind of a piece of mobile security. You know, there’s a couple different, you know I think of course, you need Lookout, but you also need some sort of encryption on the device to help you as well. And then some sort of, device management tool, that helps with enforcement of policies.

– Uh, just in general, for people you know, obviously we all have mobile phones at this point, or you know smart phones or whatever. What would be your sort of, comprehensive like, gist as a basic security pack? What should everyone have on their phones, just to keep them as safe as possible?

– So that the, every consumer, so we’re, Lookout’s fortunate, we have a consumer application that’s in the Google Play Store and the iTunes Store. And it’s a freemium model, so you can download it for free. You get security for free because our founders believed in protecting the devices. And then there’s of course, some eye candy that you can upgrade to if you deem necessary. Like identity protection and things of that nature so.

– Gotcha. Okay, so we’ll start with that. So, I guess going back to the candidates, back in 2015, 2016, there were all these reports about which candidate sites were easiest to hack into and we did some of those articles as well, who had the safest, you know, websites and things like that. And I guess, with all the info around this, why are candidate websites and stuff still the easiest things to hack into? It seems, you know, like we would’ve learned by now. What advice would you give for candidates? Obviously other than get Lookout, what advice would you give them to harden their security profile, in general?

– Yeah, I’ll say a couple of things here. One is, it probably boils down to money.

– Okay.

– I think that they have cyber budgets, but do they necessarily have the expertise, as part of their campaign, to help them lock systems down. So I think that they need to be able to use some of the donations that they get to ensure that they’re secure. And I don’t know that they have the ability to do that today. So that’s one thing. And then you mentioned mobile or Lookout, protecting their mobile devices. I’ll say that the mobile devices, as I mentioned earlier, wide open in my opinion. If I’m an adversary, what I’m gonna try and do is to get on your mobile device and steal your credentials for access into the network. Because I guarantee that most of the staffers today, and probably the candidates themselves, are accessing all the data that they need to get, via their mobile device, and they’re entering in some sort of credentials. So if I can get on that device, that has no protection on it today, then I can get into the network. So that’s, that’s another area that they need to take a hard look at to ensure that they’re protecting it adequately.

– So, on an equally large scale, apart from bots and social media farms, and robocalls and what not. There’s issues like Cambridge Analytica, who can sway elections via marketing campaigns. So, you said that DHS and others have sort of, gotten involved with social media. Do you feel like there are enough safeguards that have been put in place to prevent things like this, and if not what safeguards could realistically, be put into place sort of quickly?

– You know I think that, you know I mentioned servers. Servers are you know, protecting a server’s pretty well known at this point. Protecting a desktop pretty well known. Laptop, same thing. I think that there’s more education that needs, that’s required in protecting the entire ecosystem. I just don’t know that we do a good enough job of ensuring that people are educated on the potential threats that exist. When they’re using a mobile device, or laptop or anything else. So I think we could do a lot better job of just education, in general.

– Okay, so to that end, could we talk about some social engineering issues. What should voters be watching out for that’s out there or looks out of the ordinary? You said if a weird text or a weird thing comes up on your phone, what are some red flags that people should be looking out for?

– Yeah, don’t take things for granted. If you get things out of the blue, just don’t click it, don’t click on a link. Try and browse through the website directly. So that you can make sure that it’s a valid link. You know if your, if you get a strange message from a candidate out there, again, do your homework. Just don’t take it for granted. Make sure that it’s valid before you take any sort of action whatsoever. I guarantee, if somebody is asking for a donation over a text message, is this something that you would expect from your candidate? Probably not. There are traditional forms of campaign donations, or from the phone or face-to-face.

– Right. Or the usual, sort of text such and such and then it gets added on your phone bill, or something crazy like that. Are there, are there any type of like, education processes that you think can be undertaken to bring the voting populace up to speed about current security dangers, and are there ways of getting the word out about the importance of staying safe online and on your phone, you know that’s informative but doesn’t feel partisan to one side or the other or what have you?

– Yeah, I actually don’t think it is a partisan issue–

– Oh it’s not, but I think it’s, you know, I think if worded strangely people can say, “Oh you’re just trying to get me to blah blah blah.” You know, whatever, you know–

– Yes.

– As soon as every you know, certain fake news websites were reported by Facebook, it was a smear campaign or what have you.

– Yeah, I understand what you’re saying and I agree. But the, I think that, sometimes I like to just go back to the basics. Public service announcements, trying to educate people on how to protect themselves. I mean, it’s in all of our best interests to ensure the integrity of our elections, are kept sound. So, you know, that’s, and so, you know, it’s both parties or all parties, should be getting, trying to get the word out, in a nonpartisan way to say, “Hey here are the things that we need to do as citizens of The United States to protect our election process.”

– Yeah, whoever you’re voting for, just make sure that you’re being safe about it and such.

– Right.

– So what’s the balance to be found between social engineering concerns and out and out software fraud? What do you think should be the sort of, main focus for this next cycle?

– Yeah, I don’t think that, I think that both are critical concerns. So, I don’t think there’s balance to be struck there. I think that both have to be equally pursued to ensure that, you know, we have, like I said, our campaigns are kept at the highest level of integrity. So, we’ve got to protect against social software vulnerabilities, and we also have to protect against the social engineering. The adversaries are doing both. So it’s, I don’t think there is a balance there. I think it’s focus on both.

– All at once. Is there any place in the equation for sort of, ethical hacking to be utilized? Where, you know, we can go in and sort of like look for possible breach points into campaign sites or voting software, anything like that? Do you have any sort of like, preemptive tech ideas or whatever to sort of see where the holes are?

– Yeah, so Lookout was founded on ethical hacking. The co-founders discovered a vulnerability in a Motorola device, via Bluetooth. They tried to disclose it, and weren’t greeted with open arms (laughs).

– Sure.

– So they decided that nobody really cared about the protection of mobile devices and that’s what they’re gonna make it their mission to do.

– Right.

– So, I’m a big believer in ethical hacking. You know, a lot of companies out there offer bug bounties for ethical hackers. I think that the government can do the same thing for election systems and processes. Just offer some bounty out there for the ethical hackers to go test the integrity of the systems. To see if they can, if they can get in. And I think it would help them out immensely.

– Yeah, and when you hear of so many old, like really old voting machines that have, you know, old firmware issues and things like that. It seems like someone needs to raise some money somewhere to get a lot of these things up to date. You hear so many things about, like old, old voting machines, and no one’s doing anything to sort of patch them and things like that. I don’t know, if you were to be given a magic legislative gavel to put a passel of laws into place, to make voting safer and more accurate, like apart from doing things on a technical level, what laws do you think would it be possible to enact? To make this happen?

– Yeah, I’d love to see some mandates, in regard to mobile security. None exist today. I’ve been on Capitol Hill, speaking with, you know, a lot of legislators about it. They’re trying to raise the awareness and they all agree that it’s something that needs to be focused on but nobody’s put together any legislation yet, to try and mandate the protection of the mobile devices. There’s a lot of mandates out there for your traditional desktop and your laptop. You gotta have anti-phishing, you gotta have anti-virus, and you have to have DLP for, insider threats. But nothing for a mobile device. So I think something needs to, some sort of mandate needs to exist, so that organizations understand that, hey, this is important and it’s something that we need to focus on and protect our candidates, our staffers, and our voters from.

– Okay, so as we wrap up today, we’re obviously talking about the things we’re most afraid of and the biggest concerns. Are there any sort of signs that you’ve seen that people are noticing these things, or taking preemptive action that they weren’t in 2016? Are you seeing any sort of, light at the end of the tunnel, or good news anywhere?

– Yeah, as I mentioned earlier, I think there’s a ton of lessons that have been learned. People are, you know, their awareness has grown. I think most candidates have some sort of cyber advisor, in their staff now, to help protect them. I think that based on the evidence, the candidates have purchased Lookout, as an example. Several candidates have purchased Lookout. There’s an, there’s a raised awareness. Back in 2016, we didn’t have any candidates as customers. So now we have quite a few. So, I think there is a, a raised awareness. And I’ll also say that the government has gotten involved. Like DHS, as I mentioned earlier, has gotten involved. And they’re trying to ensure the integrity of the campaign. So, I think it’s getting better, there’s still work that needs to be done, as always. But it is definitely moving in the right direction.

– Do you think there are sort of, employment possibilities for people, who have a cyber security background, who can do sort of, run up to the election, sort of, cyber, not recon necessarily but sort of, cyber hardening and people who can volunteer themselves to their local political campaigns, to help with safety issues or their local poll office, or is that already covered?

– No, I don’t think it is, I think it’s a great idea, it’s a great point. They could volunteer, if they want to contribute to a campaign, that’s one of the things they could bring is their expertise to the table. Not just going door-to-door to try and get somebody to vote for an individual. It’s a great point you bring up, volunteer, volunteer–

– Ethical hackers out there, (mumbles) it’s a great experience, it looks great on your resume, makes you very civic-minded, and you might learn something.

– Exactly, exactly.

– Okay, so to sum up, tell me again, a little bit about your organization, how to reach you online and so forth.

– So, you know, it’s Lookout, and we focus on the protection of mobile devices. You know, I mentioned the four areas that we cover, so man-in-the-middle, safe browsing, so anti-phishing, vulnerabilities and malware on the devices and, if you’re interested in protecting your mobile device, you can certainly reach me at Bob.Stevens@Lookout.com

– Okay, and the freemium phone app, is that just called Lookout on the app store or?

– It is, if you search for Lookout on either of the stores you’ll find Lookout and download it, like I said, for free and if you want to pay, you can get some extra eye candy, so.

– Cool, Bob Stevens, thanks once again for your time and insights.

– Thank you, have a great day.

– Okay, and thank you all for listening and watching. If you enjoyed today’s video you can find many more on our YouTube page. Just go to YouTube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews, and past webinars. If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your favorite podcast catcher of choice. To see the current promotional offers available to listeners of the podcast, go to infosecinstitute.com/podcasts. And once again, use our free election training resources, to educate co-workers. For information on how to download your training packet, visit infosecinstitute.com/IQ/election-security-training or click the link in the description. Thanks once again to Bob Stevens and thank you all for watching and listening. We’ll speak to you next week. (funky music)
