Security through obscurity has been trumped. Let's hear it for security through "clunky."
In an attempt to assuage concerns that Russian hackers might succeed in hijacking U.S. presidential election results, FBI Director James Comey said recently that "the beauty of the American voting system is that it is dispersed among the 50 states, and it is clunky as heck."
Comey has proven himself a master of clunky statements and often appears baffled by technology. One story about his misinformed campaign against encryption was summed up in the URL slug: "FBI Dude Dumb Dumb." In addition to his incessant rants about terrorists "going dark," Comey infamously dismissed constitutional protections against illegal searches, calling them a "typo" in the law. Then there was his over-the-top bluster about how only Apple was capable of breaking into a terrorist's iPhone -- right up until the moment the phone was cracked without Apple's help.
In other words, Comey's credibility on technology-related matters has "dispersed" in a puff of smoke.
Bruce Schneier and other security experts have been sounding the drumbeat about the insecurity of our election system for years. "We need to return to election systems that are secure from manipulation. This means voting machines with voter-verified paper audit trails, and no internet voting," Schneier writes. "I know it's slower and less convenient to stick to the old-fashioned way, but the security risks are simply too great."
Or as a report from the Institute for Critical Infrastructure Technology puts it: "Voter machines, technically, are so riddled with vulnerabilities that even an upstart script kiddie could wreak havoc."
The insecurity of our voting machines is real, but it isn't news. What is new -- and more serious for the long term -- is the prospect of a foreign government waging a cybercampaign to disrupt and influence the upcoming election. Russia is believed to be behind the recent hack of the DNC and leak of Colin Powell's emails, as well as the hacks of voter registration systems in Illinois and Arizona.
"The pattern we see [of hacks and leaks] is intended to call things into question, to sow doubt, to create uncertainty. … You can't patch this psychological vulnerability," Thomas Rid, a professor at King's College London, told Wired.
As media outlets jump on any election news they can find, hackers are able to manipulate coverage. "The media is certainly being used as a battlefield here," Rich Barger, CIO with security firm ThreatConnect, told the IDG News Service.
How do we defend against hackers manipulating the media to influence the election? "Folks have to say, 'where is this information coming from?' and not just focus only on the information," Barger said. "If the hackers have 100 documents, they can choose only to give [the press] 25 of them, because the rest don't fit their narrative."
It would also help if candidates refrain from actively inviting foreign attacks against political opponents and making repeated, baseless claims about rigged elections. "After everyone has voted, it is essential that both sides believe the election was fair and the results accurate. Otherwise, the election has no legitimacy," Schneier says.
This kind of campaign of disinformation is one of the vulnerabilities of democracies, said John Bambenek, a threat intelligence researcher with Fidelis Cybersecurity. "They can be more susceptible to this kind of mass influence of the public."
As it turns out, democracy itself is "clunky."