End-to-end encryption could be key to securing political campaigns

Whatever your preference of candidates might have been, one thing was clear from the 2016 U.S. presidential election: the Russian government targeted American political organizations of both parties with an aggressive wave of cyber intrusions. Both private sector analysts and the U.S. Intelligence Community agree on this point. 

Furthermore, FBI Director James Comey recently told a congressional committee that “they’ll be back in 2020…they may be back in 2018.” The head of the NSA, Admiral Mike Rogers, concurred, saying that he “fully expect[s] they will maintain this level of activity.”

{mosads}As we head into the 2018 mid-term election season and beyond, candidates, campaign staff, and political consultants all clearly need to harden their systems against attackers. As a nation, we need to act now to protect our democratic process against foreign meddling; and here is how we can do just that.

Faced with a potential onslaught from persistent and technically advanced adversaries, political organizations should use end-to-end encrypted email and file-sharing applications that are easy to use. These applications must have three characteristics:

First, they must encrypt every message and file end-to-end. This means that even if an adversary successfully breaches an organization’s server, as in the case of the Democratic National Committee (DNC), doing so will not reveal any information.

Second, these applications should not allow privileged “super-users.” By exploiting the vulnerability of super-user accounts in the DNC network, hackers were able to steal and leak thousands of internal communications.

Third, these applications must not use passwords, which are themselves major security vulnerabilities. People often create passwords that are easy to guess, and they divulge them too readily.

How end-to-end encryption protects user data even if a server is hacked

When messages are encrypted end-to-end, the information stored on the server is secure even if the server is hacked. Each message should be automatically encrypted with a unique key before it leaves the user’s device and only decrypted when it reaches its recipient. 

If attackers breach the “walls” protecting the server – such as traditional password portals and firewalls – all they will find is encrypted, useless gibberish. This was not the case at the DNC, nor is it standard practice for most major communications providers, which store their customers’ information on their servers unencrypted. 

The DNC Breach and The Risk of “Super Users”

In lead up to the 2016 elections, two independent and advanced cyber actors targeted the DNC’s computer servers. The first one to strike, known as Advanced Persistent Threat (APT) 29 or COZY BEAR, was an unidentified Russian group possibly affiliated with the country’s internal security service.

The second one, known as FANCY BEAR or APT 28 in cybersecurity circles, was probably a component of Russia’s military. The former group sent a string of spear phishing emails to people working at American government and nonprofit organizations in the summer of 2015, likely including someone with legitimate access to the DNC network.

The latter one waged a massive campaign in parallel; from October 2015 to May 2016, it sent almost 9,000 spear phishing emails with malicious links to nearly 4,000 similar targets. As the two attackers did not appear to be working together, one or more people at the DNC clicked on embedded links from each group, giving the Russians access to the network. 

One of the attackers eventually gained control of a privileged administrator account, and was able to steal tens of thousands of sensitive emails. Instead of giving administrators “super-user” privileges to access vast amounts of information, new encrypted email applications use the concept of Approval Groups. With this paradigm, only a predetermined combination of trusted individuals can retrieve the decryption keys for messages on the server. Instead of giving administrators “super user” privileges to view vast amounts of information – one of the reasons the DNC attackers were able to steal so much material – a model that allows only a predetermined combination of trusted individuals to recreate the decryption keys of other users should be used. 

This restriction, which gives cryptographic “shards” of keys to certain individuals, prevents a single hijacked administrator from wreaking havoc on an organization’s information technology systems. It would also require attackers to gain control of the individual devices of approval group members, which is far more difficult.

Finally, in the DNC hack, FANCY BEAR/APT 28 took advanced counter-forensic measures such as corrupting and deleting internal server logs to obscure its presence. Logs of all communications should be encrypted to prevent exactly this from happening.

Whether Democrat, Republican, or Independent, everyone should understand that systems that leave sensitive data unencrypted while at rest, as well as those that allow for “super users,” are vulnerable to advanced cyber intrusions like the one the DNC suffered. 

Why passwords make systems vulnerable

While they were attacking the DNC’s servers, members of FANCY BEAR/APT 28 were also busy at work attempting to breach other systems, namely the personal email accounts of Democratic Party officials and staff members. 

Perhaps the most attractive target was then-candidate Hillary Clinton’s campaign manager John Podesta. Like many busy and important people, he did not have time to remember a slew of different passwords for every web site he used. He occasionally asked his aides to remind him of his passwords via email and probably re-used them among multiple different applications.

Passwords can be a security liability as well as a hassle for users, which is why politicians, candidates, and their aids should use strong, locally-stored cryptographic keys instead. These keys, which are dozens of digits long, can be automatically created and stored on users’ computers and phones. The keys are so complex that it would take all the supercomputers on earth billions of years to guess. 

Unfortunately, Podesta’s Gmail account used passwords to decrypt his emails instead of cryptographic keys stored locally. Receiving an email alert – probably from the Russians – warning him that an unauthorized user was trying to access his Gmail account, he or one of his staff members reached out to the campaign’s information technology support team. After getting some confusing advice, either Podesta or one of his assistants clicked on an embedded malicious link to a fake password reset portal. He fell for the ruse and entered his credentials, giving them to the attackers.

The FANCY BEAR/APT 28 actors were then able to access and download nearly ten years worth of private communications. The Russians later used the stolen materials to create another “October Surprise” for the campaign by again providing the information to WikiLeaks.

It is unfortunate that, in retrospect, using end-to-end encryption with strong cryptographic keys could have prevented all of this. By keeping encryption keys only on a user’s device, there is no need for passwords to access one’s communications. Not having to remember and type them in all the time makes it impossible to accidentally give them to hackers too. 

Get ready for 2018 by securing your systems today

Although the 2016 election is in the books, the cybersecurity lessons we can learn from it are critical for future cycles. We know that at least one foreign country will take “active measures,” like hacking political organizations and campaigns, to support its preferred candidate. Regardless of whom you support, every American should be able to agree that sensitive internal communications like campaign emails must remain private and secure. With an end-to-end encrypted messaging protocol, political organizations of every stripe can do just that. 

Walter Haydock works for PreVeil, a Boston based cybersecurity company where he interfaces with political campaigns, think tanks, and other government-facing clients. Previously, he served as a staff member for the House of Representatives as well as an officer in the Marine Corps. The views expressed in this article do not necessarily reflect the official policy or position of the United States government.

The views expressed by contributors are their own and are not the views of The Hill.