WASHINGTON — The recent hacks directed at state voting systems are not likely to influence the national election, a National Security Agency official said on Tuesday.
“There’s a certain integrity in their (state) systems, simply because they’re not as richly connected,” said Curtis Dukes, the NSA’s deputy national manager for national security systems. “Each state approaches it differently and have a mixture of systems.”
But that was a small comfort amid his otherwise unflattering assessment of the nation’s cybersecurity defenses in the wake of cyber exploits in the past 24 months, which he shared at the American Enterprise Institute.
Not one zero-day exploit—a vulnerability that appears and is exploited on the same day—has been used in the major intrusions that occurred over the past two years, he said.
While this appears to be good news, Dukes said it actually means those agencies and organizations’ security systems were so “poorly secured,” adversaries simply exploited known weaknesses.
“So far, we haven’t actually changed the equation for the adversary,” he said. “They can still easily attack us.”
This is indicative of three cyber trends Dukes identified that now pose a challenge. First, networks have become increasingly connected and easier to exploit. Second, cyber defense is mostly implemented individually, making security inconsistent. Third, defense has been critical in all recent cyberattacks, and basic security levels are inadequate.
Meanwhile, bureaucracy, confusion over leadership, and imbalanced funding impede the nation’s ability to protect against cyberattacks, Dukes said.
The NSA often takes days to a week to respond to an incident due to paperwork, Dukes said. When the agency gets there, it often finds the victim has an unclear picture of what the network looks like, how to determine if the intruder is still on the network, and what the mitigation strategy is.
When the NSA, FBI, and Homeland Security Department all get involved in an incident response, leadership is also a challenge, Dukes said.
“By the time we get all that sorted out, we’re at a disadvantage to an adversary and how they can attack us,” he said.
Dukes is “firmly convinced” we have to “rethink how we organize cyber defense.” One solution he proposed is consolidating all agencies when it comes to cybersecurity. The system in Great Britain could serve as a model, he said.
Unveiled last November as part of the nation’s new national security plan, Great Britain’s National Center for Cyber Security is a single government agency devoted to cybersecurity.
Last February, President Barack Obama established the Cyber Threat Intelligence Center under the Office of the Director of National Intelligence. It essentially serves as a glorified assistant for interagency and individual agencies’ efforts, providing analysis and helping them get better at sharing information.
A good baby step, Dukes said, but not enough.
“We have to think more holistically,” he said.
He also said both the public and private sector needs to spend more money on cyber defense. The NSA has been working with Johns Hopkins University and small security companies to develop consistent, automated responses to different types of intrusions.
“The key point here is you have to get the humans out of the loop,” he said. “By the time a human can respond and make a decision…typically in cyber-time the advantage is to the adversary.”
And what of potential Election Day threats? Dukes declined to comment on whether the Russians were responsible for the attempted state voting system hacks. The source of reported hacks in Arizona and possibly Illinois has been hotly debated by intelligence officials and cybersecurity experts.
So far, no voting data have been manipulated in attempted hacks, and earlier this month, Homeland Security Secretary Jeh Johnson told Reuters it’s unlikely intruders could fake votes to affect the electoral outcome.
Meanwhile, other officials and experts have shared Dukes’ assessment that the voting systems’ decentralized nature actually make such hacks unlikely, Reuters reported.
