What Governments, Enterprises Can Learn From 2016 Election Hacks

The 2016 U.S. presidential election was historic for numerous reasons, not the least of which was the prominent role cyber-security played throughout the campaign and in the first weeks of the new administration. Nation-states and politically motivated actors realize the effectiveness of stealing and releasing politically damaging information as a means of shaping public opinion, posing a threat to election outcomes and resulting in widely publicized attacks, such as the Democratic National Committee hack. In this eWEEK slide show, using insight from Travis Farral, director of security strategy at Anomali, we provide a timeline of events related to cyber-security incidents during last year’s political campaign, what steps other nations can take to prevent similar attacks and how governments can use threat intelligence technologies to stop hackers before they can cause material damage.

On June 14, 2016, the Democratic National Committee hack is made public. Russian government hackers are suspected to have penetrated the computer network of the DNC, gaining access to sensitive party emails. The next day, a hacker by the name of Guccifer 2.0 publicly claims it was he who hacked the DNC and sent stolen DNC documents to WikiLeaks.

On July 1, DC Leaks publishes some of the emails supposedly stolen by Guccifer 2.0, but not the treasure trove that he claimed to have. However, as promised, WikiLeaks on July 22 publishes 19,252 emails and 8,034 attachments supposedly from the hack. As a result, several prominent members of the DNC, including Chairwoman Debbie Wasserman Schultz, later resign. The same day as the WikiLeaks publication, Hillary Clinton’s campaign accuses Russia not only of the hack itself, but of deliberately trying to help Donald Trump win the election. Julian Assange, proprietor of WikiLeaks, strongly denies the Russian allegations and claims the leaks came from a Democratic insider.

Following the DNC hack and subsequent fallout, cyber-security and election hacking continues to play a major role in the presidential campaign. On Aug. 29, the FBI announces an investigation into attempted breaches of voter databases in Arizona and Illinois that could compromise voter information. Investigators found that the voter database in Illinois had been accessed but not altered, while the Arizona voter database had not been successfully accessed by attackers.

On Sept. 23, Guccifer 2.0 publishes additional documents claiming that he also hacked the Democratic Congressional Campaign Committee (DCCC), a mere two weeks after news broke that the FBI was investigating a possible breach at the DCCC.

Heading into the most crucial weeks of the presidential campaign, Guccifer 2.0 announces that he has hacked the Clinton Foundation. The hacker then proceeds to share the information with WikiLeaks, which releases more than 50,000 emails from Hillary Clinton’s campaign chairman, John Podesta, on Oct. 7. The same day, the Obama administration officially blames Russia for hacking political elements in the United States and releasing sensitive information in an effort “to interfere with the U.S. election process.”

Only days before the election, Guccifer 2.0 announces he hacked the Federal Election Commission and that Democrats were planning on rigging the election for Hillary Clinton—an announcement that damaged the Clinton campaign in the final days of campaigning. As the world now knows, on Nov. 8, then-Republican candidates Donald Trump and Mike Pence defeated Hillary Clinton and Tim Kaine, despite several polls showing Clinton with a favorable lead. This has led many people to the belief that Russia intended to influence the election in favor of Trump.

As his days in office dwindled, President Obama issued an executive order announcing sanctions against several Russian entities and individuals for election interference. These actions reflect the assertion by U.S. spy agencies that they do indeed have direct evidence of the involvement of those entities named. Concurrently, the DHS and the FBI release a Joint Analysis Report on suspected malicious Russian cyber activity that includes a list of indicators associated with the hacking activities suspected of coming from entities associated with Russian government.

Early in January, the U.S. Office of the Director of National Intelligence releases a declassified report aimed at bolstering its case that the Russian government was behind the election-related attacks of 2016. The report is devoid of clear evidence pointing to Russian government involvement but does offer more substantial details than the FBI report noted previously. Meanwhile, the Joint Committee on the National Security Strategy in the UK launches an inquiry into cyber-security, noting that the government would treat an information security attack on the UK as seriously as a conventional attack.

Addressing threats in the information security realm is a daunting task for any organization but especially for governments that typically have limited budgets for such things. Applying the resources they do have as effectively as possible can make the difference between stopping potential attackers or ending up as a news story. One of the most commonly overlooked defensive capabilities is that of retrospective analysis. More often organizations are focused on looking at current threat intelligence feeds and logs.

As European countries such as the UK, France (which elected Emmanuel Matron in May) and Germany hold their own election campaigns in 2017, many will face similar concerns about cyber-security and breaches of critical election infrastructures. However, they may not be aware of the steps needed to properly prepare for cyber warfare. The most important of these is simply to raise awareness within their organizations about these types of cyber-threats, set clear boundaries for staffers regarding personal device and application use for sensitive information. 

Equally crucial to preventing a massive data breach is how government organizations use threat intelligence technologies. In many cases, once a hacker gets into the system, he or she can sit in a network for up to 200 days undetected, allowing them to find and collect massive amounts of damaging materials to release. An effective threat intelligence system will be able to sift through data and highlight potential risks to help stop hackers before they can cause material damage. Lesson to learn: Government and political organizations need to encourage intelligence-sharing among themselves.