SALT LAKE CITY — While questions continue to resonate after last week's release of the Mueller report, one of the few undisputed conclusions in the epic document was that the Russian government interfered with the 2016 U.S. elections "in sweeping and systematic fashion.”
And special counsel Robert Mueller's team unveiled new allegations about how Russian intelligence group GRU targeted the country's election apparatus — even down to the level of county election offices — in an attempt to disrupt and manipulate outcomes.
Techniques employed by those state actors underscored what continues to be the most vulnerable component of any cybersecurity system — human operators.
Utah election officials say the impacts of those intrusion attempts, on their radars long before the Mueller report became public, have elevated the work and money that is going into keeping the state's own election process free from bad actors.
And the process is one that has no end in sight.
"Election security has always been a big part of the job we do," Utah Elections Director Justin Lee said Monday. "With the revelations that came out about disruption attempts in 2016, it became an even bigger thing. But from our perspective it is now just the norm.
"Our (cybersecurity) teams are constantly upgrading and monitoring."
Utah election systems keep electronic voting and tabulation machines physically isolated from any internet or digital network connections, but one very large asset — the state voter registration database — remains connected. Lee explained that the functional reality is that while Utah counties individually administer the elections in their jurisdictions, each of those agencies requires ongoing access to the information stored in the registration database.
It's that type of data that the Mueller report indicates may have been infiltrated in one Florida county after a spear-phishing email "permitted the GRU to access the infected computer."
While the report indicates the incident was unconfirmed, and Florida officials are disputing the findings, spear-phishing is a technique of targeting a specific person or business with a deceptive email that attempts to lure the recipient into opening an attachment or visiting a website that releases malicious code into their computer or device.
BYU information technology professor and cybersecurity expert Dale Rowe said it is certainly the case that humans remain the weakest link when it comes to securing access to sensitive information stored in the digital ether, like voter registration databases. He noted spear-phishing attacks continue to happen because they are difficult to guard against and have extremely high rates of success.
"The basic approach is exploiting trust," Rowe said. "Potential intruders are trying to trick you into believing they are someone they're not.
"Most of what we’re seeing is from external actors, someone sitting outside making out that they’re from within the organization or from a trusted partner."
Rowe said digital malefactors can sometimes construct a spear-phishing attack using very specific information that's gleaned from a target's publicly available information. Social media nodes can provide a wealth of personal data that can be used to convince a spear-phishing recipient that the sender is a friend or associate. Twitter messages, Instagram pics or Facebook postings are all potential fodder for customizing an attack.
Lee noted that while state cybersecurity experts are constantly updating digital protocols as intrusion techniques evolve — and the state is using about $2.3 million from a federal grant received last year to upgrade the voter registration database — securing human behavior remains a challenge.
To that end, Lee said the state has adopted an annual training requirement for every person who has access to the voter registration database. Failure to complete the training immediately terminates the user's access to the data.
In addition, state elections office staffers are regularly meeting with county clerks and their teams for tabletop exercises, ongoing training and how to respond to cybersecurity worst-case scenarios. And, Lee said his department even staged a phishing attack to test the users with access to the voter registration database because, he said, "there's nothing better than a real-world exercise to highlight what can happen."
The best defense against spear-phishing attacks, Rowe noted, may just come down to taking the time for a simple pause.
"Don't respond to things you don't expect," Rowe said. "If an unexpected email arrives, look into it before responding. If something looks attractive, our level of vigilance naturally drops.
"Does the name or an email account look right? And, is the request or inquiry within what would be normal or is something off?"