At a federal level, there are several laws and regulations related to cybersecurity, data breaches, and incident response, but most are sector and state-specific and not designed for general application. These include the Payment Card Industry (PCI) Data Security Standard (DSS), the Gramm-Leach-Bliley Act (GLBA), the Defense Foreign Acquisition Regulatory Supplement (DFARS) Compliance Assessment, the California Consumer Privacy Act (CCPA), and the Health Insurance Portability and Accountability Act (HIPAA), the New York Department of Financial Services (DFS) Cybersecurity Requirements, and the Federal Information Security Modernization Act (FISMA), to name just a few. These laws and rules have varying event notification and incident response requirements, including:
Understanding the fragmented and complex regulatory landscape can be challenging, but by prioritising cybersecurity and building resilience, organisations will be better prepared to ensure compliance. Regular programme assessments, training, practicing incident response, and updating protections based on an evolving threat landscape will not only significantly mitigate cyber-risks, but also help keep pace with regulation. Demonstrating that real efforts around cybersecurity are regularly occurring will help regulators view organisations impacted by a cybersecurity incident more favourably than those who are willingly negligent.
Various agencies, both state and federal, enforce data protection and cybersecurity laws. These groups include the Securities and Exchange Commission (SEC), the Department of Health and Human Services (HHS), the Federal Trade Commission (FTC), the Department of Justice (DOJ), the New York State Department of Financial Services (NYDFS), and attorney generals. Penalties and consequences for not having proper cybersecurity protections implemented, or for reporting failures, can result in fines, lawsuits, and sanctions.
Generally speaking, data breaches involve information being accessed or compromised by an unauthorised party. The information is often personal, but it can also extend to proprietary or confidential data – eg, valuable software code. Cybersecurity incidents are much broader and can include ransomware or distributed denial-of-service attacks, to misinformation campaigns and “deepfake” propaganda.
In the United States, the key regulators and government agencies include but are not limited to:
From a broad perspective, regulators and government agencies have the authority to conduct investigations stemming from their own determinations or based on violation complaints and reports of cybersecurity and privacy incidents. Conducting proactive audits, requesting information on cybersecurity measures, issuing subpoenas, and ultimately, imposing penalties and fines are all within the purview of many of these regulators and agencies.
The administration and enforcement process followed by regulators and authorities varies by agency and jurisdiction. Applicable governing bodies have the ability to determine appropriate paths forward, and informal resolutions are a common outcome of violations.
Details regarding key regulators, their jurisdictions, and their enforcement powers can be found in 1.2 Regulators.
***
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates or its other professionals.
While there is not a federal cybersecurity law in the United States that is applicable to every organisation, there are sector and state-specific regulation.
There are, however, federal laws such as the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which is a federal US law that was enacted in 2018. The CLOUD Act addresses cross-border and privacy concerns regarding data specific to law enforcement investigations and is intended to protect individual rights regarding their information, while ensuring law enforcement can continue to pursue criminals. Although a US-based law, the CLOUD Act is applicable to foreign governments as well.
For additional context, please see 1.1 Laws.
Law enforcement involvement is often critical during incident response, especially in situations where the illegal transfer of funds has occurred. However, law enforcement and regulatory bodies are different entities and choosing to collaborate with law enforcement does not supersede the need to maintain compliance with applicable regulation. This demonstrates the importance of seeking the advice of legal counsel to help determine the extent of collaboration with governmental organisations, with the goal of resolving the incident.
Organisations impacted by a cybersecurity incident (eg, business email compromise or ransomware) can report these events to the FBI’s Internet Crime Complaint Center (IC3). However, best practices encourage establishing relationships with federal, state, and local law enforcement ahead of a cybersecurity incident. This will reduce delays in determining who to contact, while in the midst of a crisis.
Please also see comments under 7.1 Required or Authorised Sharing of Cybersecurity Information.
The main difference between operating under a national system and a subnational approach is that more onus is put on organisations to achieve compliance with various requirements from a sectoral perspective. Instead of a comprehensive, single framework that combines various cybersecurity regulations, such as the General Data Protection Regulation (GDPR) in the EU, in a subnational environment, organisations must identify which regulation is applicable and take steps to ensure requirements are met, despite potential overlaps. Enforcing potential infractions is also a differentiator, as subnational approaches have numerous agencies with the authority to impose penalties.
A range of new regulatory requirements have been introduced across industries, requiring impacted organisations to comply. These requirements can vary widely, as can the outcomes the regulators are looking to achieve. Taking a piecemeal approach to compliance is no longer an option. Instead, new operating models that aggregate regulatory requirements to take a resource-focused and holistic approach is booming a necessity. Individuals other than the Chief Information Security Officer and their team are needed to support regulatory requirement efforts, including the general counsel and risk and compliance teams. Regulators and organisations want the same outcome – resilient organisations and a secure society – so collaboration is key.
Please see comments under 11.1 Further Considerations Regarding Cybersecurity Regulation.
Please see comments under 1.1 Laws.
Please see comments under 1.2 Regulators.
Please see comments under 7.1 Required or Authorised Sharing of Cybersecurity Information.
Please see comments under 1.2 Regulators.
Please see comments under 1.2 Regulators.
Please see comments under 1.2 Regulators.
There are several frameworks that are considered industry standard best practices by organisations and regulators alike.
Payment Card Industry (PCI) Data Security Standard (DSS)
PCI DSS is a set of security control objectives that raise the cybersecurity bar for companies that accept, process, store, or transmit payment card data, thus making it harder for cybercriminals to steal.
ISO 27001
Developed by the International Organization for Standardization (ISO), this international information security framework provides guidance regarding information security management systems (ISMS) and how they can be created, operated, maintained, and improved, with the goal of protecting critical assets and adhering to regulatory requirements.
NIST Cybersecurity Framework (CSF)
Created by National Institute of Standards and Technology (NIST), this framework provides five focus areas (identify, protect, detect, respond, recover) to improve risk management processes and overall cybersecurity posture.
CIS Critical Security Controls (CIS Controls)
Developed by the Center for Internet Security (CIS), these best practices help enhance overall cybersecurity posture through simplifying threat protection strategies, complying with regulation, practicing cyber hygiene, and aligning cybersecurity and business goals.
Please see comments under 3.1 De Jure or De Facto Standards.
In the United States, certain regulation exists, such as the Health Insurance Portability and Accountability Act (HIPAA), which requires that written information security plans be developed. HIPAA also requires impacted organisations to have incident response plans in place. Different industries face sector specific regulation, such as cybersecurity rules published by the New York Department of Financial Services, which all covered entities must meet. Although not legally mandated, organisations who make ransomware payments can face potential implications, for example, if the threat actors are on a sanctioned entities list.
While not a legal requirement, various organisations provide recommendations aimed at improving cybersecurity protections and response capabilities, such as National Institute of Standards and Technology (NIST) Cybersecurity Framework, which was updated to version 2.0 in February 2024. NIST, and similar US agencies, publish standards for cybersecurity best practices, which include specific guidelines, such as implementing multi-factor authentication.
Please see comments under 1.4 Multilateral and Subnational Issues.
Please see comments under 1.1 Laws.
Please see comments under 1.1 Laws.
Please see comments under 7.1 Required or Authorised Sharing of Cybersecurity Information, specifically regarding the Cybersecurity and Infrastructure Security Agency (CISA)
The Computer Fraud and Abuse Act (CFAA) is a US law that has been amended and updated several times since being enacted in 1986 and can be useful in preventing denial of service attacks. The Act prohibits purposeful unauthorised computer access and is often used to prosecute cybercrimes.
Please refer to 5.6 Security Requirements for IoT.
See 3.3 Legal Requirements and Specific Required Security Practices.
What constitutes a reportable data security incident, breach, or cybersecurity event largely depends on applicable regulation or specific industry standards. A data security incident, breach, or cybersecurity event is generally defined as unauthorised access to networks, systems, or devices that compromises the integrity of sensitive information or significantly interrupts business operations. Understanding exact definitions is important. For example, the Securities and Exchange Commission (SEC) has cybersecurity rules that require organisations to report “material” cybersecurity incidents and data breaches within four days. This is a subjective concept, however, and is not specific to the SEC. Broad definitions could result in uncertainty and the risk of non-uniform treatment of cybersecurity incidents.
More formally, the National Institute of Standards and Technology (NIST) defines a cybersecurity incident as “[a]n occurrence that (1) actually or imminently jeopardises, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies”.
The data elements covered in a data security incident, breach or cybersecurity event involve sensitive or confidential information, including personally identifiable information (PII), protected health information (PHI), financial records, proprietary business information or intellectual property, credentials, and metadata.
The systems covered in a data security incident or cybersecurity event include servers, applications, network infrastructures, databases, endpoints, monitoring tools, cloud-based platforms, and back-ups.
In the United States, the Food and Drug Administration (FDA) released guidance titled “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submission”. This guidance allows the FDA to require that medical device manufacturers “demonstrate reasonable assurance that the device and related systems are cybersecure”.
North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)
The NERC CIP framework consists of a series of standards designed to govern, oversee, and enhance the security of the Bulk Electric System (BES) within North America (the continental United States; the Canadian provinces of Alberta, British Columbia, Manitoba, New Brunswick, Nova Scotia, Ontario, Quebec, and Saskatchewan; and the Mexican state of Baja California Norte). Focused on the cybersecurity dimensions of the BES, these standards establish a comprehensive cybersecurity infrastructure for pinpointing and safeguarding essential assets critical to the dependable and effective distribution of electricity across the North American BES.
Federal Energy Regulatory Commission (FERC) Order No 848 and CIP 013-1, CIP 010-3, CIP 005-6
FERC Order No 848 and CIP 00806
A unified set of requirements specific to IoT do not yet exist, but the guidelines and frameworks included in 3.1 De Jure or De Facto Standards, are applicable and offer guidance on how to protect IoT devices and mitigate corresponding cybersecurity risks.
Software providers should ensure that cybersecurity is considered from the onset and addressed at every stage of development, versus trying to ensure a fully baked product is secure. While not specific to software, the guidelines and frameworks included in 3.1 De Jure or De Facto Standards are applicable and offer guidance on how to secure the software development life cycle.
Please see comments under 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.
Please see comments under 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.
Key Cybersecurity Tools
In today's interconnected digital landscape, cybersecurity defences are paramount to safeguarding sensitive information and mitigating evolving cyber threats. When network monitoring or cybersecurity defensive measures involve the processing of personal data, it becomes imperative to adhere to relevant obligations governing data protection and privacy. This necessitates not only a commitment to compliance with applicable regulations, but also a principled approach that prioritises cybersecurity and privacy and ensures the ethical and transparent use of monitoring technologies.
Utilising network monitoring tools, organisations detect and analyse network traffic for suspicious activities like unauthorised access attempts, malware communications, or data exfiltration. Email monitoring tools play a crucial role in scanning inbound and outbound emails for phishing attempts, malicious attachments, or suspicious links, thus mitigating the risk of email-based threats. Additionally, regular monitoring of website traffic and activities is essential for identifying and responding to potential cybersecurity incidents, such as unauthorised access attempts, SQL injections, or website defacement. Deployment of data loss prevention (DLP) solutions ensures monitoring and control of sensitive data movement within the network, thereby ensuring compliance with regulatory requirements and protecting against data breaches. Deep packet inspection (DPI) technologies facilitate the inspection and analysis of packet-level data to identify and block malicious or unauthorised traffic, providing enhanced cybersecurity measures against advanced threats.
Data Privacy Considerations
Organisations must ensure that network monitoring practices and tools do not infringe upon the privacy rights of individuals. Monitoring activities should align with applicable laws and regulations, with consideration given to cybersecurity and privacy concerns. Unauthorised surveillance of users’ personal communications should be prohibited, unless explicitly authorised for legitimate security or compliance purposes. Organisations should maintain transparency regarding their network monitoring activities, informing employees and users about the types of monitoring conducted and the purposes of the monitoring.
Further, organisations should ensure that their network monitoring practices comply with relevant regulations, such as HIPAA or the PCI DSS, depending on the nature of the data being monitored. Establishing ethical guidelines to govern the use of network monitoring tools and practices is essential. Additionally, mechanisms for oversight and accountability should be established to oversee the use of network monitoring tools and ensure adherence to established policies and procedures.
The intersection of cybersecurity and privacy/data protection raises several critical issues that revolve around balancing the safeguarding of sensitive information with respecting privacy rights of individuals. A critical issue is the need for robust cybersecurity measures, which often involve extensive data collection and surveillance, and individuals’ right to privacy. Many cybersecurity defensive measures, such as deep packet inspection and email monitoring, involve monitoring practices that may impact individuals’ privacy. Balancing the need for effective threat detection with the protection of personal privacy is a significant challenge.
Organisations often retain and utilise vast amounts of data collected through cybersecurity measures for various purposes, including threat intelligence analysis and incident response. Prolonged retention and secondary use of this data may impact privacy concerns when personal information is involved.
Compliance with data protection and privacy regulations adds another layer of complexity to the intersection of cybersecurity and privacy. Organisations must navigate a complex regulatory landscape, ensuring that their cybersecurity practices align with the requirements of regulations, while also effectively mitigating cyber threats.
Maintaining transparency regarding cybersecurity practices and obtaining informed consent from individuals affected by monitoring activities are essential principles for upholding privacy rights. However, achieving transparency and obtaining meaningful consent in the context of cybersecurity measures can be challenging, particularly when real-time threat detection and response are prioritised.
In navigating the intersection of cybersecurity and data privacy protection, it is important to carefully consider these critical issues. Emphasising transparent and ethical cybersecurity practices is key to effectively mitigating cyber threats while respecting individuals’ rights to privacy and data protection.
In the ever-evolving cybersecurity threat landscape, collaboration and information sharing have become indispensable tools in the fight against malicious threat actors. Across industries, organisations recognise the importance of pooling resources and expertise to enhance their collective resilience against cyber threats.
The Cybersecurity and Infrastructure Security Agency (CISA) facilitates the exchange of cybersecurity-related information between private sector entities, government agencies, and other stakeholders through its Automated Indicator Sharing (AIS) service. Under CISA and their AIS service, organisations share cyber threat indicators and defensive measures in real-time. This sharing enables a more comprehensive understanding of the threat landscape and facilitates timely responses to cyber-incidents. When sharing information and resources, organisations can enhance their ability to detect, prevent, and respond to cyber threats, ultimately improving the overall resilience of the cybersecurity ecosystem.
In response to the rapidly evolving cybersecurity landscape, Information Sharing and Analysis Centers (ISACs) were established by a US Presidential directive. These sector-specific organisations serve as pivotal nerve centres for encouraging information and cyber-intelligence sharing among industry peers. Through ISACs, organisations within various sectors collaborate to exchange vital intelligence on both physical and cyber threats, as well as best practices for mitigation.
There has been a recent rise in enforcement, litigation, and settlements stemming from large-scale data breaches, most notably against fintech companies, cryptocurrency companies, and third-party vendors servicing some of the largest financial institutions. These events have led to increased focus by federal and financial services regulators, resulting in the introduction of new cybersecurity rules, such as the New York Department of Financial Services Part 500, guidance from the Securities and Exchange Commission, the “Final Rule” enacted by the Office of the Currency Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Federal Reserve.
Financial regulators have levied multi-million-dollar fines on companies whose alleged lax cybersecurity led to consumer financial losses. Additionally, regulators have sued private sector entities for causing financial losses to their constituents. More recently, the New York Attorney General sued a global bank for inadequate cybersecurity and anti-fraud protocols, which had led to millions of dollars in losses for New York account holders.
See 8.1 Regulatory Enforcement or Litigation.
As a result of a popular file transfer software being exploited in 2023 by threat actors, which resulted in the compromise of sensitive information for millions of people, multiple lawsuits were filed. Some of the suits contain negligence and breach of contract claims for failing to properly protect personal information.
A data breach at a credit bureau company in 2017 that compromised the personal information of more than 100 million people resulted in a class action lawsuit and ultimately a settlement with US agencies and states, including the Federal Trade Commission and the Consumer Financial Protection Bureau. As part of the settlement, the credit bureau was responsible for paying more than USD400 million to those impacted by the breach.
Some of the latest changes to the SEC’s cybersecurity rules and NYDFS Part 500 rules have requirements related to elevated oversight and risk assessments.
The SEC, specifically, requires publicly traded companies to disclose:
The New York Department of Financial Services 23 NYCRR 500 requires that entities that fall in their Class A category, base their cybersecurity programme on their risk assessment. This risk assessment will have to conduct independent audits of its programme. Further, these rules require that each covered entity designate a Chief Information Security Officer to retain responsibility for compliance. The CISO is required to report in writing at least annually to the covered entity’s senior governing body on the entity’s cybersecurity programme, including on material cybersecurity issues. The senior governing body should exercise oversight of the covered entity’s cybersecurity programme.
Class A companies are those with at least USD20 million in gross annual revenue in each of the last two fiscal years in New York State and either:
Today, pre-transaction due diligence includes cybersecurity and data privacy elements. Utilising industry standards such as the CIS Critical Controls Framework, companies can identify gaps and develop a prescriptive implementation roadmap to bolster cybersecurity maturity of the target company.
In July 2023, the Securities and Exchange Commission adopted new cybersecurity rules impacting any public company doing business in the United States. The aim of these rules is to inform investors and strengthen abilities regarding cybersecurity and incident reporting. A main element of the rules is that organisations are required to report material cybersecurity incidents and data breaches within four days. Further, on a quarterly basis, impacted organisations also need to provide details regarding incidents that were previously disclosed.
Major Cyber Threats
In an era defined by rapid technological advancements and global interconnectivity, the intricate relationship between geopolitical tensions and cyber-risk has emerged as a critical concern for American business operations. As seen in previous times of global tension, both state and non-state actors alike capitalise on instability and uncertainty to exploit vulnerabilities, advance political objectives, conduct espionage, and take advantage of financial opportunities. Organisations are encouraged to collaborate with national agencies such as the FBI when issues threatening nation-state cybersecurity arise.
In addition to national security threats, ransomware remains a top concern for organisations in the United States. Ransomware actors continue to seek increasingly creative and aggressive tactics to coerce victims into meeting ransom demands. The double extortion model has evolved to triple extortion, where after stealing and encrypting data, cyber criminals both demand a ransom and threaten the organisation’s customers or partners. Threat actors will directly contact employees and customers, often threatening exposure of private information, to increase payment urgency. The latest iteration of coercion strategy involves leveraging compliance reporting requirements: threat actors amplify pressure by notifying a regulator that they have compromised the victim, before the victim can report the incident themselves. By targeting an organisation’s legal obligation to report cybersecurity incidents, cyber criminals can add a layer of urgency and complexity to their demands. Companies faced with a ransomware attack must not only consider the immediate operational and reputational impact of the attack, but also the potential legal and regulatory consequences.
Artificial Intelligence
As businesses across the United States hurry to implement artificial intelligence (AI) into their processes and business models amidst the technology’s rapid rise, the risks posed must be fully evaluated. As with any new technology, reliability concerns are an issue, with AI and machine learning models only being as accurate as the information they receive. Threat actors may intentionally target data model sources to generate inaccurate information. AI also raises privacy concerns around sensitive and consumer information. If an AI model is not properly configured or implemented, there are risks of unintentionally release of the sensitive data used in the model. In January of 2023, the National Institute of Standards and Technology (NIST) released an AI risk management framework to assist organisations with the secure implementation and management of AI systems. As the NIST cybersecurity framework is the standard for many organisations, it is reasonable that the NIST AI framework will become the expectation for secure AI development and implementation across the United States.
Additionally, generative AI, or AI capable of creating images, text, and synthetic data, has the potential to fuel sophisticated cyber-attacks. Threat actors can use generative AI to create deepfakes, spread misinformation, and easily write malicious code, allowing threat actors with limited technical skills to execute advanced attacks. The advent of generative AI technologies has brought about new avenues for threat actors, with the development of malicious tools. These AI chatbots have been listed for sale across various dark web marketplaces, offering a “blackhat” alternative to ChatGPT and other AI chatbots designed to operate under strict ethical limitations. Specifically engineered for illicit purposes, these tools are tailored to assist in a range of malicious activities including automated phishing and social engineering attacks, facilitating fraud and scams, creating malware, and accessing the dark web.
Cybersecurity Insurance
Cybersecurity insurance has grown in popularity for businesses of all sizes across the United States, but the market remains disrupted as cyber-attacks become more frequent and costly. Rates are increasing and insurance companies are looking more closely at the cybersecurity measures organisations have in place before agreeing to coverage. In addition to traditional cyber-insurance, organisations are also beginning to consider director and officer (D&O) liability insurance, which protects individuals, in addition to the organisation, in the event of a cyber-incident. An increasing focus on individual accountability when it comes to cybersecurity has led to legal troubles for several executives, and new regulations including the SEC cybersecurity rules and the NYDFS Part 500 cybersecurity rules place greater emphasis on board and executive involvement in cybersecurity protections, leaving more liability on individuals in the event of an organisational cybersecurity incident.
555 12th St NW STE 700
Washington, DC 20004
USA
+1 (202) 312-9100
+1 (202) 312-9101
www.fticonsulting.com/about/contact-us www.fticonsulting.com/Securing Democracy: The Criticality of Physical and Digital Security
Election security in the United States is an issue of national security. Impacts on elections, including the upcoming 2024 US presidential election, can damage democracy and instil doubt and confusion that may last for generations. Potential impacts are often due to the actions of threat actors, who have turned to cyber-attacks and influence campaigns to achieve their goals. In turn, physical and digital security becomes critical this election season, since information can be our greatest asset and our greatest risk, depending on how and by whom it is used. Maintaining and safeguarding the integrity, dependability, and impartiality of elections to uphold the foundation of democracy requires prioritising physical and digital security and considering and addressing the corresponding risks.
Mitigating these risks and protecting against potential impacts to election results requires an all-hands-on-deck approach, with the public and private sectors collaborating on efforts. This union should work to ensure that critical election security pillars are upheld, defensive measures are proactively bolstered, threats are regularly assessed, and strategies are adjusted to account for changing risks.
By better understanding the cyber threats to election security, preventative measures can be implemented to ensure impacts are minimal and democracy is secured.
Cybersecurity threats to election security
Having worked at the White House during the 2016 presidential election, serving as the Director for Cyber Incident Response at the US National Security Council, I worked first hand to monitor for interference and intrusion attempts, which increased as the election grew closer. In order to create guidance around how to protect the election from cyber threats, key pillars were established on the areas of accessibility, integrity, and reportability, and mitigating cyber-risk seemed straightforward. This was partially due to large-scale tampering attempts being relatively easy to identify because the electoral infrastructure had protection redundancies that would alert observers of any widespread tampering.
In the private sector numerous third-party vulnerabilities exist, which present a different opportunity for threat actors to exploit and impact elections. Third-party cyber-risk is a major threat to all organisations, and not just to election security, oftentimes because of a disconnect between who is responsible for mitigating threats. Third-party suppliers may wrongly assume that they are adequately secured because the hiring organisation has protections in place, or vice versa.
Specific to election security, weaknesses around voter registration systems, mailing voter cards, and voting machine security, coupled with election systems being run at the state and local level and not sharing a uniform set of cybersecurity standards across the nation, present endless access points for threat actors to exploit. While this disconnected set-up reduces the risk of a large-scale attack across a singular system used for election purposes, it does create significantly more third-party risk. For example, a threat actor could steal unencrypted registration information in transit by accessing a third-party data storage provider, or hack into the network of vendor who supplies voting machines and use that access to gain administrative privileges to alter the integrity of the machines.
Threat actors can also leverage emerging technology, specifically artificial intelligence (AI), to fuel cyber-attacks. AI-generated content, such as deepfakes, which are digitally altered videos or audio recordings designed to realistically replicate an individual’s likeness, can be used to influence elections by swaying public opinion or inciting unrest prior to casting votes. AI is capable of cloning voices of trusted people or those with large followings, such as government officials or CEOs of global tech companies, to influence outcomes (eg, a video of a candidate announcing they are dropping out of the race), or create distrust (eg, false news that would damage a candidate’s reputation). Earlier this year, voters in New Hampshire received robocalls from an AI-generated voice recording pretending to be President Biden, ahead of the state’s presidential primary election. The goal was to disrupt the election by suppressing voting. The challenge then becomes how to verify that the information being consumed is real and accurate.
Threat actors are not limited to using AI to create deepfakes. AI also has the ability to turn basic phishing campaigns into sophisticated cyber-attacks, as AI generated phishing emails lack the obvious red flags of spelling and grammar mistakes so often seen in handcrafted phishing emails, making them harder to identify as malicious. Spear-phishing campaigns, which are targeted attacks that take time to gather personal details, can now be launched at scale because of AI’s ability to quickly find information about targets that is then used to make their messages appear genuine or even urgent, increasing the chances a malicious link or attachment is successfully clicked on or downloaded.
Beyond emerging technology, misinformation campaigns are additional threats to election security. Whether intentional – threat actors distributing false information to push their agenda – or unintentional – a news outlet unknowingly reporting inaccurate or unofficial results – the sheer volume of information available for consumption creates confusion. Voters do not know what to trust or believe and false narratives gain momentum and threaten the democratic election process.
Misinformation attempts can be launched by nation-states to try and push voters in a direction that benefits their geopolitical interests or to create general discord, by political organisations aiming to discredit opponents, or by individuals looking to advance their personal agendas. Regardless of the source, misinformation can impact public opinion, stifle voter turnout, and erode trust in the electoral process. It is a significant risk to election security.
Preventative measures
Mitigating risks from a myriad of cybersecurity threats requires collaboration, dedication, and a strategic approach from all involved parties. Election officials, state and local officials, and connected entities should all have tailored incident response plans that have been regularly practised and adjusted to account for new threats. This should involve scenario-planning so that election fraud claims, misinformation attempts, or even distributed denial-of-service (DDoS) attacks can be quickly thwarted and the legitimacy of the election remains intact.
A robust incident response plan involves five key elements:
These key areas will ensure that
In addition to incident response planning, the integrity of voting machines should be assessed in advance of any election. After voting machines are calibrated, they are handled by various third parties en route to their destination for voting. Each third party, and the vulnerabilities they possess, presents a risk to the integrity and calibration of the voting machines. Through penetration testing and vulnerability assessments, potential malicious activity can be discovered and addressed by analysing the configuration and weaknesses of voting machines when they are originally calibrated, and again once delivered to their voting location. If possible, establishing constant monitoring of systems will also provide notice of unauthorised access and attempts to cover up signs of intrusion.
The processes and tools in place for the storage, transfer, and anonymisation of registration information and voting results should also be assessed for vulnerabilities and protections should be implemented based on the unique threat profile of each system. Using a standard approach or checklist is not sufficient in accounting for election security threats, especially as threat actor tactics evolve and baseline guidance rapidly becomes obsolete. It is possible that during the 2024 US presidential election, unforeseen attack vectors will be used, making cyber-resilience – the ability to quickly respond and recover, while maintaining essential functions – vital to election security.
Cyber-resilience requires shifting conventional cybersecurity strategies, which prioritising defensive measures only, and operating under the mindset that incidents will occur, so planning should involve how to limit damages as much as possible. Building cyber-resilience generally includes the following elements, which can be applied to the electoral infrastructure: prevent, practice, detect, respond, and recover.
Building cyber-resilience is not a novel concept for the private sector and this strategy can be applied to the electoral infrastructure to help anticipate, endure, and recover from cyber-incidents. Combatting misinformation campaigns requires a slightly different approach, however.
Threat actors spreading false information rely on human nature to perpetuate these campaigns. In other words, the hope is that individuals react and share the inaccurate information without thinking. These campaigns can be particularly effective if the message reaffirms an individual’s belief or agenda, as they are more likely to share content they agree with before confirming its legitimacy. Consumers of any content, but especially election related information, should first consider the source, determine its credibility, and where it came from (an unsolicited message, shared by a friend, etc) before further sharing.
In order to remove part of the onus from the individual, some of the world’s largest tech and social media companies have developed platforms and policies that flag AI-generated content. The goal is to help consumers understand what exactly they are viewing, which could restrict the reach of illegitimate information. There is a fine line, however, because not all messages within AI-generated content are inaccurate, so it is not safe to assume that anything marked as AI cannot be trusted. Just as individuals are often considered the weakest link when it comes to cybersecurity, the same rings true for combatting misinformation – these campaigns will be effective if consumers do not think before they act.
2024 Election Security Outlook
Election meddling by a nation-state during the 2016 US presidential election is well-documented, including in a report from the Senate Intelligence Committee, and while it is challenging to quantify the impact on the results of the election, this interference does confirm that opportunities exist for threat actors to exploit.
Lessons were learned ahead of the 2020 US presidential election, and improvements were made across the board to prevent repeat meddling. In a report released by the National Intelligence Council in March 2021, it was determined that there are “no indications that any foreign actor attempted to alter any technical aspect of the voting process in the 2020 US elections, including voter registration, casting ballots, vote tabulation, or reporting results”. However, their assessment showed that several nation-states launched influence operations and attempts to undermine confidence in the electoral process.
The ramifications of who is elected president in the US are felt globally, and powerful nation-states will use any means necessary to sway the election in their favour. Cyberspace presents an ideal arena for these efforts. Attribution is challenging and nation-states frequently hide behind cybercriminal organisations, who are often deemed responsible for attacks, allowing for plausible deniability. Further, cyber-attacks can be conducted from anywhere in the world and do not require being in close proximity to the target. A threat actor can be across the globe and still remotely access a voter registration database. Campaigns in cyberspace targeted at elections, whether social engineering or spreading false narratives, can be done quickly and at scale, especially with the assistance of AI. Threat actors have become more efficient with their attacks, increasing the chances of achieving desired outcomes.
Successful meddling in previous elections likely encourages threat actors to continue their efforts in future elections, especially as technology that fuels these campaigns evolves and new attacks are created. Securing elections in 2024 will be challenging, but just as technology can be leveraged maliciously, it can also be used for good. Advanced tooling, a mindset of cyber-resilience, and an all-hands-on-deck approach will help mitigate cyber-risk, improve overall protections, and ensure democracy remains intact.
***
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates or its other professionals.
555 12th St NW STE 700
Washington, DC 20004
USA
+1 (202) 312-9100
+1 (202) 312-9101
www.fticonsulting.com/about/contact-us www.fticonsulting.com/