(2018-08-22) Too Late To Protect 2018 Elections Says Alex Stamos Former Facebook CSO

'Too Late to Protect 2018 Elections,' says Alex Stamos, former Facebook CSO. The latest read from Alex Stamos bears an appropriately grim title. From "It’s Too Late to Protect the 2018 Elections. But Here’s How the U.S. Can Prepare for 2020," at Lawfare:

The combination of offensive cyber techniques with a disinformation campaign would enable a hostile nation or group to create an aura of confusion and illegitimacy around an election that could lead to half of the American populace forever considering that election to be stolen...

How the U.S. Has Failed to Protect the 2018 Election—and Four Ways to Protect 2020

First, on Tuesday morning, Microsoft revealed that it had detected continued attempts at spear-phishing by APT 28/Fancy Bear, the hacking group tied to Russia’s Main Intelligence Directorate (known as the GRU). Later that day, my friends and former colleagues at Facebook unveiled details on more than 600 accounts that were being used by Russian and Iranian groups to distort the information environment worldwide.

the United States has broadcast to the world that it doesn’t take these issues seriously and that any perpetrators of information warfare against the West will get, at most, a slap on the wrist. While this failure has left the U.S. unprepared to protect the 2018 elections, there is still a chance to defend American democracy in 2020.

The fundamental flaws in the collective American reaction date to summer 2016, when much of the information being reported today was in the hands of the executive branch.

Following an acrimonious debate inside the White House, as reported by the New York Times’s David Sanger, President Barack Obama rejected several retaliatory measures in response to Russian interference—and U.S. intelligence agencies did not emerge with a full-throated description of Russia’s meddling until after the election.

the subsequent actions of House Republicans and President Trump have signaled that our adversaries can expect powerful elected officials to help a hostile foreign power cover up attacks against their domestic opposition.

The GRU attacks relied upon well-known social engineering and network intrusion techniques. Likewise, the Internet Research Agency’s trolling campaign required only basic proficiency in English, knowledge of the U.S. political scene available to any consumer of partisan blogs, and the tenacity to exploit the social media platforms’ complicated content policies and natural desire to not censor political speech. After Facebook’s announcement on Tuesday, it is clear that Iran has also followed this playbook

First, Congress needs to set legal standards that address online disinformation.

The Honest Ads Act, introduced by Democratic Sen. Amy Klobuchar and supported by 30 bipartisan co-sponsors, is a good start.

Second, the United States must carefully reassess who in government is responsible for cybersecurity defense.

This leaves the FBI as the de facto agency coordinating cyber defense in the United States. While the bureau has many skilled agents and technologists, it is at its core a law enforcement entity that focuses on investigating crimes after they occur, diligently building a case and, eventually, bringing the perpetrators to justice

The United States should consider following its closest allies in creating an independent, defense-only cybersecurity agency with no intelligence, military or law enforcement responsibility

Third, each of the 50 states must build capabilities on election protection.

The fourth step

Americans must demand that future attacks be rapidly investigated, that the relevant facts be disclosed publicly well before an election, and that the mighty financial and cyber weapons available to the president be utilized immediately to punish those responsible

