Executive Perspectives, McAfee Labs

CTO Q&A: Campaign Hacks, Yahoo! and Clinton-Trump

Oct 03, 2016

Over the last several days, we’ve seen headlines about potential cyberattacks on state voter registries, cybersecurity front and center in the Clinton-Trump presidential debate, and new revelations about the Yahoo! cyber-breach that appears to have compromised more than 500 million user accounts.

Intel Security CTO Steve Grobman fielded a number of questions on these events and revelations:

What do you make of the FBI and DHS announcements that the agencies have detected cyberattacks on voter registration websites in more than a dozen states?

“These announcements certainly raise concerns. Elections are meant to be anonymous and not traceable back to the individual voter. Thirty-one states and DC offer the kind of online voter registration that the FBI says was targeted. The perpetrators are hacktivists. They probably seek to shake voter confidence in the American electoral system, and they only have to have one high-profile attack to achieve this goal.”

What do you make of reports that cybercriminals are behind the theft of 500 million Yahoo! users’ accounts, not government-backed hackers, and these actors sold the data to a state actor?

“Some nation-states have the same cyber gap in their offensive operations as the rest of the world has in defensive operations. Moreover, they face the threat of kinetic repercussions resulting from the digital attribution of a cyberattack. Therefore, it’s conceivable that these state actors could use a wide range of tactics to mitigate these issues. This could indeed include partnering with criminal or private organizations to achieve their strategic objectives.

“Because of this, we need to be careful not to interpret what little we see as definitive proof of a conclusion.

“For example, the fact that stolen data can be leaked through criminal underground networks could simply indicate that a nation-state is attempting to mask a cyber espionage operation as a standard cybercriminal breach. It may also be a side effect of a criminal actor acting on a nation-state’s behalf. A similar deception can occur in reverse, in which a criminal or terrorist group can use tactics to falsely implicate a nation-state.”

What should we make of the possibility of a nation-state potentially hacking a U.S. corporation for user emails as an act of espionage?

“For state actors, the political or strategic incentives of orchestrating such a large breach are as real as the obvious financial ones for cybercriminals. A rival state’s intelligence services could find and access the messages of individuals with political, government, military, and even corporate public profiles.

“Consider the recent compromise and disclosure of former Secretary of State Colin Powell’s personal email messages. While probably more tame than the average citizen’s messages, the public disclosure of his communications revealed statements that proved controversial in political and other government circles.

“The emails of the less tame or even reckless candidate, three-letter agency chair, general, or CEO could contain material sensitive enough to destroy careers, enable blackmail, endanger a mission, or influence high-level negotiations and decisions.”

Regarding Verizon’s planned acquisition of Yahoo!, is an analysis of a company’s computer security expected as part of the due diligence in a purchase?

“It is common practice for technology companies conducting due diligence of a potential acquisition to evaluate the cybersecurity posture of that target. This due diligence often includes requesting a list of IT breaches, reviewing the results of any security audits or certifications, evaluating the company’s policies and procedures for IT security, reviewing the company’s privacy policies, and assessing the nature of personal information held by the business, among others.”

Who generally performs such an analysis? Are they paid by the buyer or the seller?

“Security-related diligence is often conducted through a combination of internal teams employed by the acquirer, and, if needed, third-party specialists. The cost of any third-party evaluation is typically borne by the acquirer.”

Would such an analysis have picked up this breach?

“The due diligence process generally requires disclosure of known IT breaches. Security audits or other evaluations conducted during the course of diligence would attempt to assess the likelihood of future breaches or potentially undiscovered IT breaches.”

What was your reaction to the prominent mention of cybersecurity in the presidential debate between Hillary Clinton and Donald Trump?

“It was refreshing to see cybersecurity at the forefront of the national security conversation during the debate. In just a few years, we’ve seen cybersecurity go from a function of the IT back office, to the nation’s Oval Office.

“While events have tended to drive government into action, more and more of our nation’s top leaders understand the cyber battlefield is as critical as land, sea, air, and space. The prominence of cybersecurity in this week’s debate is tremendous progress, with the promise of further progress to come in the coming months and years.”