October 21, 2021
Last week, the Biden Administration brought 30 countries together in a global summit to combat ransomware, the tactic cybercriminals use to gain access to a victim’s network, steal their data, lock their systems, and demand a ransom to regain access and control. These are often relatively unsophisticated attacks, but they can have major consequences — think of any of the many high-profile intrusions we’ve seen over just the past year.
In general, foreign ransomware attacks have been on the rise, and there’s no reason to think that elections infrastructure won’t be a target. In fact, Matt Masterson, who led election security work at the Department of Homeland Security during the 2020 elections, talked very starkly about his fears in remarks at one of our Regional Workshops earlier this year.
Masterson will be joining this week’s workshop with an update, but from his earlier remarks, he said that in 2020 he was “convinced we were going to see ransomware attacks across the United States…With that many counties, townships, cities running elections, that many systems working to support them — no matter how much monitoring, no matter how much cyber hygiene work had been done — we knew that there were some systems out there that were vulnerable.
He continued, “In the end we didn’t see that, thank God…we had a secure election that went without cyber incident and in the end was incredibly well run by the state and local election officials. But the reality is those systems — those old and outdated, unsupported operating systems or email servers — are still out there.”
It is obvious that experts like Matt are taking this threat very seriously, especially given the fact that election infrastructure is a mix of state, local, and private sector holdings — all of which have different security capabilities.
At this recent summit, the United States convened the largest gathering ever of countries devoted to fighting ransomware. It notably did not include the largest offenders in this area, such as Russia, China, and Iran. The resulting product after two days of discussion was a statement that, while light on specific policy commitments, was a signal that much of the world is focused on this threat. The statement mentioned resilience, countering illicit finance, disruption and other law enforcement efforts, and diplomacy as areas ripe for multinational action.
Diplomatic summits in general do not often produce detailed policy action plans, especially not inaugural summits. (For some context, the Paris Agreement on climate wasn’t finalized until COP 21, the 21st annual meeting devoted to the issue.) Our standard for judging the success of these events should not always be ground-breaking policies. Getting so many countries on the same rhetorical page is important, but only so far as it’s followed up with concrete actions. That, of course, still remains to be seen.
This summit was held against the backdrop of steady and quiet diplomacy that has occurred between the U.S. and one of the nations not included in the gathering — Russia — following up on the bilateral meeting between U.S. President Joe Biden and Russian President Vladimir Putin. It was clear at the time that, coming out of that summit, the U.S. team was going to focus on testing Putin and his team to see if there was any real desire on Moscow’s part to draw some lines in the sand around cyber attacks.
(Many of the cyber attacks we’ve seen on U.S. entities come from Russian-based and often government-supported organizations and individuals. The U.S. Intelligence Community and law enforcement agencies have outlined this Russian-linked activity extensively.)
According to the New York Times, “In recent weeks, American officials said they had begun passing intelligence to the Russians about specific hackers who the United States believes are behind the threats to companies, cities and infrastructure. Officials say the Russians have sounded cooperative, but have not yet made arrests.” This is all part of that testing process, to see if there is any possibility of working together in this area (similar in some ways to past bilateral arms control agreements).
In other summit news, the White House is expected this week to send out invitations to a virtual Summit for Democracy, scheduled to take place this December with three stated themes: defending against authoritarianism, the fight against corruption, and promoting respect of human rights. The diplomatic dance about which countries to invite is intensifying, with new reporting from Foreign Policy suggesting that some countries with less-than-stellar democratic records of late may be included.
Given cyber attacks on democratic institutions have been on the rise in many countries around the world — often undertaken by or from authoritarian countries with the goal of undermining democracy — I hope this threat is a topic at the upcoming summit as well. These issues don’t impact our countries in vacuums, and if we care about winning the battle of democracy vs. authoritarianism, we have to do it both at the ballot box and on the internet.
Marie Harf
International Elections Analyst, USC Election Cybersecurity Initiative
Marie Harf is a strategist who has focused her career on promoting American foreign policy to domestic audiences. She has held senior positions at the State Department and the Central Intelligence Agency, worked on political campaigns for President Barack Obama and Congressman Seth Moulton, and served as a cable news commentator. Marie has also been an Instructor at the University of Pennsylvania and a Fellow at Georgetown University’s Institute of Politics and Public Service.