Is the election, as Donald Trump so often claims, rigged?
“I’ve got phone lines open to each of the 50 states, we’ve got constant two-way video screens, and I’ve got eight government agencies—FBI included—with me on standby,” Dr. Phyllis Schneck told me this week. Schneck is deputy under-secretary for cybersecurity and communications at the Department of Homeland Security.
At the heart of her operation is the National Cybersecurity and Communications Integration Center. The NCCIC is situated in a windowless, classified room in an office building near Schneck’s workspace in Virginia. It’s high security in there. No cell phones or laptops are allowed in. A red light bulb on the ceiling blinks on and off to alert the team of my outsider presence. The walls are covered in screens of maps with flashing colors. As Schneck explained, no unnecessary officials will be let into the room on Election Day. “I want the NCCIC to focus uninterrupted,” she says.
Nearby in an even more claustrophobic room is the National Cyber Alert Systems (NCAS) lab. In there works the so-called “Red Team,” an army of 32 cyber detectives whose job it is to seek out vulnerabilities across our private sector and government networks. Team member Jason Hill, a stocky man with tattoos, explains cheerfully how he exploited the Ashley Madison breach in 2015 by sending out a spear phishing email to a client that read: “We have gained an initial dump of the [Ashley Madison] database. If your name is in here, you need to go see HR and re-sign the acceptable use policy.” According to Hill, 87 percent of the people who received the email clicked on it within an hour; some people even clicked on it four or five times. The good news, according to Hill, is that although he “always gets in” when he sends a spear phish like this, most of his clients are able to protect their truly sensitive data. “We’ve not been stopped getting in. We have been stopped getting to the things that we need to get to,” he says.
Schneck says she has reached out to each of the state election agencies to extend the support of the Red Team and anything else she can offer on Election Day. She says she is as over-prepared as she can be for the election, comparing her readiness to “Y2K” levels. The biggest challenge of her job is that she is not in direct control, since the government does not own the Internet, nor the so-called “Internet-of-things.” She has to be invited in by the owners of the voting machines—by state and local agencies in the private sector—to help. But she is relatively sanguine. “There’s some confidence in the way the systems are structured,” she explains. (Most are not connected to the Internet.)
Schneck’s responsibilities are extraordinarily vast. She oversees the cyber protection of critical infrastructure (power grid, water systems, and electronics), government departments, and the private sector. Whenever we read about a cyber attack, whether it is on Sony or the White House, Schneck’s team is usually called in to analyze what went wrong and fix it. The only thing she doesn’t do is catch the bad guys–that’s the job of the FBI. “If the FBI is the policeman, we are the firemen,” she says.
When DHS under secretary Suzanne Spaulding told Schneck “to shake things up” upon her arrival at the department in 2013, there was a lot to do. The government shutdown gave her time to study “Einstein,” the government’s intrusion detection and prevention system. Tongue-in-cheek, she reported to her colleagues that “Einstein is not 10 years old,” as they had assumed. The bad news: “It’s 25 years old.” As Schneck explained it, the system worked like a vaccine. It was effective, even essential, but it recognized only what it had seen before. This left the system vulnerable to new attacks, a flaw that was exposed last year when Schneck’s team discovered, during a check, that the Office of Personnel and Management (OPM) had been hacked by the Chinese.
“The OPM hack was ingenious and appalling in that the OPM data was a treasure trove of information for our enemies,” says R. P. Eddy, a former state department diplomat and former director of the National Security Council at the White House, now in the private sector. The OPM stored SF86 forms, which are the pre-requisites for all government employees with security clearance. “They are dozens of pages long. They include details of medical history, of neighbors and friends. You feel naked when you fill it out,” says Eddy. “The idea that that information would not be protected is egregious.”
Part of Schneck’s department’s job is to share information with friendly governments. This is why when hackers sponsored by the Russian government shut off the power grid in Western Ukraine, leaving 230,000 people without power as winter closed in, a team of Schneck’s computer and controls systems experts immediately flew to Kiev. While the U.S. geeks worked on the grid, the engineers drove out into the field and put on the old mechanical cranks. “It really helps if you have the guy that knows how the electricity flows next to the guy that knows how the bits and bytes work.”
How worried should the rest of us be about a Cyber Armageddon?
We would be “80 percent” more protected, Schneck says, if we all practiced “cyber hygiene,” like changing our passwords and not handing over all our personal information to the grocery store or car salesman. But culture, she says, is hard to change. “Seat belts, until they were regulated, nobody wore one,” she explains. It takes a shock of a kind none of us want. “Suppose you go out to your car and you can’t start it until you pay some criminal electronically. Suppose you can’t start a fire truck or an ambulance, a plane. Those are the kinds of things we worry about,” she says. Or, more accurately, the kinds of things she worries about on our behalf.
At the time of this writing, Schneck’s Red Team is busy doing cyber hygiene reports on each of the 50 states, so, all being well, voting day goes off seamlessly. “I am hoping,” she says, “that all this preparation is for nothing.”