Should Spy Agencies Alert Political Parties of Cyberattacks?Concerns Raised Over Foreign Impact on America's Election Process
If intelligence or law enforcement agencies know that an organization's information systems are being attacked, when should they alert the victim, if at all? What if the victim is a political party?
"Sorry, there is no simple algorithm that we can use to get to the right answer."
U.S. intelligence officials told congressional leaders in a top-secret briefing a year ago that Russian hackers had targeted Democratic Party computers, but the lawmakers were forbidden to tell the target about the breach, according to the news service Reuters.
The DNC apparently did not become aware of the breaches until the FBI notified it in April, according to news reports. The FBI publicly revealed the hacks in July, just before the Democratic National Convention, when it announced it was investigating the cyberattacks (see DNC Breach More Severe Than First Believed).
Hackers Influencing Election Process
Emails published by WikiLeaks, ostensibly culled from the breach, showed the DNC leadership favored eventual nominee Hillary Clinton over Sen. Bernie Sanders during the Democratic primary race, with those revelations resulting in the resignation of the DNC's top four officers, including its chairwoman, Rep. Debbie Wasserman Schultz of Florida.
What makes the Democratic Party breaches worrisome is that the DNC and other political organizations are part of the electoral process that will decide the next president of the United States and Congress. And the failure to promptly alert political organizations that they're under cyberattack could result in the pilfering and publication of sensitive data that could influence the campaign, and potentially, the election.
My last blog, Should Political Parties Be Deemed Critical Infrastructure?, analyzed whether the electoral system, if designated by the federal government as critical infrastructure that needs additional cyber protections, should include just the voting infrastructure or be expanded to other organizations, including political parties, that have an impact on elections.
This is especially relevant because the Russian government is believed to be behind the Democratic Party hacks. Do hacks by a foreign nation interfere with the American electoral process if leaks of information from political party computers are made public? Of course, they do.
And it's not just the release of damning information that could help sway an election; it's also whether hackers tampered with leaked information. "You may have material that's 95 percent authentic, but 5 percent is modified, and you'll never actually be able to prove a negative - that you never wrote what's in that material," CrowdStrike Co-founder Dmitri Alperovitch told the news site Politico. "Even if you released the original email, how will you prove that it's not doctored? It's sort of damned if you do, damned if you don't."
Still, under certain circumstances, intelligence agencies and law enforcement want to keep a hack hush-hush, not even alerting the victim, "because they don't want to alert the attacker so they can build a criminal case against them or gain a better understanding of the adversary that could produce intelligence and/or create better defenses," says Stewart Baker, a former DHS assistant secretary for policy.
But in some circumstances, victims can be alerted without jeopardizing intelligence services getting the goods on the hackers, as John McClurg, Cylance vice president and former FBI special agent, said happened when he served as chief security officer at Honeywell International.
In the electoral process, should the needs of the intelligence community and law enforcement take precedence over preserving the integrity of the voting system?
There's no simple answer, and some experts contend each instance of a cyberattack must be judged on its own merits. "Sorry, there is no simple algorithm that we can use to get to the right answer," says Robert Bigman, former CISO at the CIA.
Bigman says the intelligence community acted correctly by not notifying the DNC of the alleged Russian intrusion into their systems last year. He suggests that by not alerting the DNC - and perhaps tipping off the hackers - CrowdStrike forensic experts contracted by party leaders were able to identify the malware code used in the breaches, which has been tied to previous Russian hacks.
Stewart Baker, a former DHS assistant secretary for policy, points out that law enforcement and intelligence agencies don't always notify victims when they detect an attack so that they can "keep secret any [breach investigation] sources and methods that could be put at risk. ... As the risk of harm to the victims becomes more imminent, the balance shifts, and more creativity might be devoted to finding a way to provide notice without risking sources. In the case of hacks aimed at the Democratic campaign, it's worth noting that the parties were also hacked in 2008 and 2012 by nation-states, so only someone very naive would ignore the risk in 2016. One question the government may have asked is whether telling the targets about the risk would actually lead them to protect themselves effectively. If not, you've blown a source for nothing."
But alerting an organization about an ongoing cyberattack could raise awareness of vulnerabilities that could be addressed. Yet, knowing a hack is occurring doesn't always necessarily mean the information garnered can be used to mitigate the breach.
"Many indications and warnings are not particularly actionable," says Martin Libicki, a cyber policy expert at the think tank The Rand Corp. "The intelligence community hasn't publicly revealed what it knows and how it gained that knowledge about the attack on Democratic Party computers, making it hard to evaluate whether earlier disclosure would have made a difference."
Nonetheless, political institutions play a key role in our electoral process. If these groups are hacked, intelligence service should err on the side of notification.