Whatever your preference of candidates might have been, one thing was clear from the 2016 U.S. presidential election: the Russian government targeted American political organizations of both parties with an aggressive wave of cyber intrusions. Both private sector analysts and the U.S. Intelligence Community agree on this point. Furthermore, FBI Director James Comey recently told a congressional committee that “they’ll be back in 2020…they may be back in 2018.” The head of the NSA, Admiral Mike Rogers, concurred, saying that he “fully expect[s] they will maintain this level of activity.” As we head into the 2018 mid-term election season and beyond, candidates, campaign staff, and political consultants all clearly need to harden their systems against attackers. As a nation, we need to act now to protect our democratic process against foreign meddling; PreVeil, a cybersecurity company born out of MIT and Berkeley can help do just that.
Faced with a potential onslaught from persistent and technically advanced adversaries, PreVeil has a solution: an application for end-to-end encrypted email and file-sharing that’s easy to use. Among its many advantages, three of PreVeil’s unique features could have saved political organizations a massive series of headaches during the previous election cycle. First, all PreVeil messages are end-to-end encrypted. This means that even if an adversary successfully breaches an organization’s server, like in the case of the Democratic National Committee (DNC), doing so would not have revealed their content. Second, PreVeil does not allow for privileged “super users.” By exploiting the vulnerability of these accounts in the DNC networks, hackers were able to steal and leak thousands of internal communications. Third, PreVeil does not use passwords, which are themselves major security vulnerabilities due to the fact that people often make them easily guessable, re-use them, and are tricked into giving them away. By eliminating these key risks, PreVeil can be a critical asset in securing the sensitive internal communications of campaigns and their partners.
In lead up to the 2016 elections, two independent and advanced cyber actors targeted the DNC’s computer servers. The first one to strike, known as Advanced Persistent Threat (APT) 29 or COZY BEAR, was an unidentified Russian group possibly affiliated with the country’s internal security service. The second one, known as FANCY BEAR or APT 28 in cybersecurity circles, was probably a component of Russia’s military. The former group sent a string of spear phishing emails to people working at American government and nonprofit organizations in the summer of 2015, likely including someone with legitimate access to the DNC network. The latter one waged a massive campaign in parallel; from October 2015 to May 2016, it sent almost 9,000 spear phishing emails with malicious links to nearly 4,000 similar targets. As the two attackers did not appear to be working together, one or more people at the DNC clicked on embedded links from each group, giving the Russians access to the network.
One of the attackers eventually gained control of a privileged administrator account, and was able to steal tens of thousands of sensitive emails. After the Russians’ infiltration was exposed publicly, they passed the stolen information to a variety of actors such as DCLeaks.com and WikiLeaks, who then published much of it. Instead of giving administrators “super user” privileges to view vast amounts of information – one of the reasons the DNC attackers were able to steal so much material – PreVeil uses the concept of Approval Groups. In this model, only a predetermined combination of trusted individuals can retrieve the encryption keys for messages on the server. This restriction, which gives cryptographic “shards” of keys to certain individuals, prevents a single hijacked administrator from wreaking havoc on an organization’s information technology systems. It would also require attackers to gain control of the individual devices of approval group members, which is far more difficult.
Furthermore, PreVeil messages are encrypted end-to-end, meaning that information stored on the server is protected even if the server is hacked. PreVeil makes encryption easy by automatically encrypting each message using a unique key before it leaves the user’s device and only decrypting it when it reaches the recipient. No one else, not even PreVeil can read user data because only the users have the keys to decrypt it. If attackers breach the “walls” protecting the server – such as traditional password portals and firewalls – all they will find is encrypted, useless gibberish. This was not the case at the DNC, nor is it standard practice for most major communications providers, which store their customers’ information on their servers unencrypted.
Finally, in the DNC hack, FANCY BEAR/APT 28 took advanced counter-forensic measures such as corrupting and deleting internal server logs to obscure its presence. PreVeil encrypts the logs of all communications to prevent exactly this from happening.
Whether Democrat, Republican, or Independent, everyone should understand that systems that leave sensitive data unencrypted while at rest, as well as those that allow for “super users,” are vulnerable to advanced cyber intrusions like the one the DNC suffered.
While they were attacking the DNC’s servers, members of FANCY BEAR/APT 28 were also busy at work attempting to breach other systems, namely the personal email accounts of Democratic Party officials and staff members. Perhaps the most attractive target was then-candidate Hillary Clinton’s campaign chairman John Podesta. Like many busy and important people, he did not have time to remember a slew of different passwords for every web site he used. He occasionally asked his aides to remind him of his passwords via email and probably re-used them among multiple different applications. PreVeil recognizes that passwords can be a security liability as well as a hassle for users and does not require them. Instead, it employs nearly unbreakable 77-digit private keys stored on users’ computers and mobile devices. Only from devices on which users install this key can they access their accounts.
Unfortunately, Podesta did not have PreVeil. Receiving an email alert – probably from the Russians – warning him that an unauthorized user was trying to access his Gmail account, he or one of his staff members reached out to the campaign’s information technology support team. After getting some confusing advice, either Podesta or one of his assistants clicked on an embedded malicious link to a fake password reset portal. He fell for the ruse and entered his credentials, giving them to the attackers. The FANCY BEAR/APT 28 actors were then able to access and download nearly ten years worth of private communications. The Russians later used the stolen materials to create another “October Surprise” for the campaign by again providing the information to WikiLeaks.
In retrospect, using PreVeil could have prevented all of this. By keeping encryption keys only on a user’s device, there is no need for passwords to access one’s communications. Not having to remember and type them in all the time makes it impossible to accidentally give them to hackers too.
Although the 2016 election is in the books, the cybersecurity lessons we can learn from it are critical for future cycles. We know that at least one foreign country will take “active measures,” like hacking political organizations and campaigns, to support its preferred candidate. Regardless of whom you support, every American should be able to agree that sensitive internal communications like campaign emails must remain private and secure. With PreVeil, political organizations of every stripe can do just that. It’s free, works on computers and phones, and can be set up in minutes.