Arrrgh! I need to complain about the Senate Intelligence preliminary report on “Russian Targeting” and the inevitable media coverage to follow.
If you read the official narrative, it sounds ominous. Russians targeted U.S. election systems. Oooh, scary.
“Russian actors scanned databases for vulnerabilities, attempted intrusions, and in a small number of cases successfully penetrated a voter registration database.”
That sounds just horrible, doesn’t it? What does it mean?
Let’s go through the major “findings” together:
1. “At least 18 states had election systems targeted by Russian-affiliated cyber actors in some fashion. Elements of the IC have varying levels of confidence about three additional states, for a possible total of at least 21. In addition, other states saw suspicious or malicious behavior the IC has been unable to attribute to Russia.”
In simpler terms, up to 21 states may have received something akin to spam or attempts to login.
“Targeting” doesn’t require a person. A program can be written to send spam. To anything. Just because your site was hit, it doesn’t mean that any human was involved.
“Russian-affiliated” is a clever way of saying “not Russian” while making it sound Russian. Russian-affiliated could be any country near or with ties to Russia. Which ones specifically?
“Cyber-actors” are not necessarily real people. They can be automated.
Now, put it in context. iBrattleboro, and virtually every web site on the internet, is “targeted” by Russian, Chinese, Ukrainian, English, and other “cyber actors” every day of the year. We see them attempt to become members and to post links, and we use a combination of human and software-based strategies to keep them from ever doing anything. This is daily, common stuff.
2. “Almost all of the states that were targeted observed vulnerability scanning directed at their Secretary of State websites or voter registration infrastructure. Other scans were broader or less specific in their target.”
This paragraph is written backward. Bots were scanning all sorts of sites all over the internet, as they always do, looking for security holes. Some of the sites just happened to be related to elections.
Of course, throughout this period bots were also looking for vulnerabilities on all other sites that exist.
What are these vulnerabilities? Bots look for sloppy password use, for example. They’ll try all the common logins and passwords that exist. If your site has a user called “admin” and a password of “1234” a bot can easily get past your lack of security.
They’ll also look for old, out of date software that has know security flaws.
Note that there is no allegation of what these bots would do if they did find a hole. It’s left to the reader’s imagination, and the reader might assume that real people from Russia were trying to break into to election systems to elect Trump. It’s far more likely that bots from all over the world were looking for holes in attempts to send spam, mine bitcoins, demand a ransom or some other, typical, daily attack, and election systems were part of the bigger set.
Remember basic math – election systems are a subset of a larger set of websites, and this report is somewhat deceptive by not making that point very clear.
3. “In at least six states, the Russian-affiliated cyber actors went beyond scanning and conducted malicious access attempts on voting-related websites. In a small number of states, Russian-affiliated cyber actors were able to gain access to restricted elements of election infrastructure. In a small number of states, these cyber actors were in a position to, at a minimum, alter or delete voter registration data; however, they did not appear to be in a position to manipulate individual votes or aggregate vote totals.”
Again, “Russian-affiliated” doesn’t not mean Russia, and “cyber actors” isn’t necessarily real humans. Wording matters, and the report uses these words for a reason.
“Malicous access attempts” means “tried to log in.” Tried.
Every few days we see numerous attempts at Structured Query Language (SQL) injections for all sorts of web sites, none related to elections. This is common, everyday reality of having a website.
“…were in a position to, at minimum, alter or delete.” If you own a computer, you are in a position to do harm. Doesn’t mean you did anything.
And, burying the lede, “they did not appear to be in a position to manipulate individual votes or aggregate vote totals.” They were unsuccessful. Nothing happened.
In case you missed it: “The Committee saw no evidence that votes were changed and found that, on balance, the diversity of our voting infrastructure is a strength. Because of the variety of systems and equipment, changing votes on a large scale would require an extensive, complex, and state or country-level campaign.”
Also buried: “The Committee does not know whether the Russian government-affiliated actors intended to exploit vulnerabilities during the 2016 elections and decided against taking action.” But they will write a report that sure sounds like it and will be reported incorrectly!
…
The summary report goes on to say that Russian spies were, gasp, doing Russian spy things. They also say this report is based on incomplete information.
The report includes a long list obvious weaknesses to our systems – outdated software and machines, paperless ballots, internet-connected election systems, and vendors of all the election software and equipment. If one wanted to be honest and assess blame, these known weaknesses would be a good starting point. It’s hard to be horrified that a robbery took place if the victim left the front door open with a sign on it saying “good stuff inside.”
Recommendations at the end of the summary – to tighten things up – are good. But they are things that should be done regardless of the country-affiliated bots roaming the web on a daily basis, looking to stir up trouble.
If it takes being scared about Russians to do the work, so be it. But the truth of the matter isn’t nearly as ominous as the report makes it appear.
Spies will continue to do spy things. Criminals will continue to unleash bots and try to hack into insecure sites. Site owners will continue to upgrade and defend. Sometimes security will fall short.
It’s the ugly, annoying underbelly of the internet and many people don’t understand it because they haven’t seen it.
Web site attackers
As someone who manages web sites, the hackers and spammers who attack web sites via bot every hour of every day are the bane of my existence. It’s constant and annoying, and it takes up an inordinate amount of time.
For the record, this weekend’s top countries for trying to hack into iBrattleboro were: China (nearly 7000 attempts! probably for bitcoin mining which is big in Asia), followed by Romania, Finland, South Korea and yes, the United States. Not a Russian among them, at least by IP address. That doesn’t mean Russians weren’t doing it too but they’re not in the top 5 — this week, anyway.