What Does It Take to (Cyber)Secure the Presidential Inauguration?


In this Dec. 8, 2016, file photo, construction continues for the Inauguration and swearing-in ceremonies for President-elect Donald Trump on the Capitol steps in Washington. It’s typically an unquestioned honor to participate in the inauguration of an American president. This time, though, it’s different. The sharp divisions over Donald Trump’s election have politicians, celebrities and even high school students debating whether taking part in the inauguration is a political act that demonstrates support for the new president and his agenda or a nonpartisan tribute to democratic traditions and the peaceful transfer of power. (AP Photo/Pablo Martinez Monsivais, File)

The presidential inauguration is one of the biggest events of the year, culminating months of hard-fought campaigning and celebrating democracy. With thousands of citizens, elected officials and government personnel gathered for the parade and day-long festivities, the event also provides an international stage for potentially malicious actors to make a name for themselves.

The physical challenges for securing this event and preventing an attack are pretty evident, but as cyberspace becomes more ubiquitous it is imperative to make the inauguration festivities cyber secure, as well.

The effort to make the inauguration secure from malicious cyber actors begins almost a year in advance, Assistant to the Special Agent in Charge Kyo Dolan, program manager for critical systems protection in the Criminal Investigative Division of the Secret Service, told Fifth Domain in a recent interview at Secret Service headquarters. Those preparations range from pulling together the latest classified and unclassified threat intelligence to being ready to shut down the entire network.

When initiating this process, teams begin from a macro level – examining critical infrastructure such as energy, gas, water, city IT networks that support emergency services – then move to a micro level to include venues – in this case the convention center in Washington and the Trump International hotel, Dolan said.

“Everything we do from our planning perspective, six, nine months out, is to be as proactive as we can in addressing the cyber threat to our protective mission,” she said.

As the chair of a critical infrastructure subcommittee, Dolan’s team works in collaboration with DHS’s protective security advisors to identify key components for critical infrastructure. Individuals from those agencies assist in developing a comprehensive cyber and physical operational security plan to secure all network systems that could, if attacked, affect the implementation of their security plan or the safety of protectees.

Dolan described Secret Service’s proactive cybersecurity mission as conducting protective advances from a cyber technical assessment perspective and providing computer network defense support in conjunction with partners, namely the system owners as they know their networks “better than we ever will.”

Also part of the prep work, Dolan noted that they continuously receive and read classified threat intelligence and stay up to date on threats and events across the world to stay abreast of adversarial capabilities and potential scenarios. Following trends and attacks abroad, such as the attacks against the Ukrainian power grid, makes Secret Service aware of what adversaries are capable of, Dolan said.

“If we have indicators and behaviors that have been used before, we can look out for that,” she said. They can then deploy their computer network defense capability and look for something seen in pre-reporting.

“We look and spend a lot of time and research, reading intelligence reports of attack vectors, malware, different approaches, threat groups that have focused on different energy countries across the world,” she said. “You ingest that and say how can that affect us – how can the Ukrainian attack and that malware, how can that affect us?”

Secret Service will ask various private companies in the critical infrastructure sector – which owns around 80 percent of the critical infrastructure – if these vulnerabilities or systems are patched or fixed prior to the inauguration date.

Given the inauguration’s designation as a National Special Security Event, or NSSE, Secret Service is responsible for securing the entire city of Washington. As such, they are responsible for protecting the day’s entire festivities from the parade to the inaugural balls later that night.

Secret Service is therefore worried about a variety of scenarios that could happen throughout the course of the day if systems are not secured. These could be power outages – accidental or intentional – during the balls, severing of 911 support services and radios for emergency responders, or an explosion set off elsewhere in the city that could be a diversion, opening up vulnerabilities along the actual parade route or where protectees might be located.

Could someone hack into security cameras at the convention center, or hack into the control system, allowing them to open or close all doors, locking ballgoers in or letting malicious actors in? Dolan asked. While these possibilities in isolation are a major concern, Dolan highlighted the potential that, taken together, these events could signal a multi-tiered or coordinated attack the Service must be prepared to defend against.

“You’re concerned about what you don’t know,” Dolan said generally about challenges ahead of Jan. 20, naming zero-day vulnerabilities, insider threats, reliance on supply chain and their management as examples. “We live in a healthy state of paranoid.”

The international stage and incessant media coverage the inauguration garners provide a perfect opportunity for someone to make a name for themselves and present their zero-day exploit if they have one, Dolan said.

Preparations begin a week or so before the big day, Dolan said, as they begin to normalize networks as much as possible to safeguard them. This involves looking at anomalous traffic to determine what normal on a particular network looks like.

Inauguration Day is somewhat of a culmination of what officials have already been doing, Dolan said.

If vulnerabilities are detected, she said, they ask folks to take the proper mitigation measures, and agents at these facilities or networks will oversee that these mitigation efforts take place. Secret Service personnel will also ensure infrastructure owners make software configuration changes if necessary to enhance security protocols.

In the event something goes wrong on Inauguration Day, the first and most important thing, Dolan said, is communication, and not just with infrastructure owners, but also with Secret Service entities. They’ll work with the owners to identify exactly what the issue might be: mechanical failure, malfunction, insider threat or an actual attack. Once the problem is identified, they can then craft an appropriate response, which would have been worked out in preplanning scenarios.

From an intelligence perspective, oftentimes during a network breach, administrators might want to segment that portion of the network to observe the behavior and gain additional insight into the adversary. On Inauguration Day, the protocol is to shut the network down.

“It’s not about developing a case or putting the nation state or hacktivist behind bars, but stopping the threat right away,” Dolan said.

Dolan lauded the weeks of preparation and healthy state of paranoia leading up to the day of the event, adding that all the collaboration with partners affords them the access to know everything about a network and venue, so they can be as prepared as possible when the unknown occurs.