Why are memory-corruption bugs still a thing?

The challenges of securing software at an assembly level

Doug Britton
CTO, RunSafe Security Inc.

10:30-11:30 Monday, 8 April 2019, ITE346

Methods to chip away at the danger of memory-corruption bugs have been available for some time.  Why has the going-price of memory-corruption-based exploits not spiked?  If the methods were have a broad-based result in mitigating exploit vectors, there would be a reduction in supply, causing an increase in prices.  Also, there would be a reduction in the pool of people qualified to develop zero-days, allowing them to push the prices up.  The data suggest that prices have remained generally stable and attackers are able to move with impunity.  What are the challenges to large-scale adoption of memory-corruption based mitigation methods. 

Doug Britton serves as Chief Technology Officer and Director of RunSafe Security, Inc. Mr. Britton Co-founded Kaprica Security, Inc., in 2011 and serves as its Chief Executive Officer. Prior to his leadership role in Kaprica, Mr. Britton was a cyber-security focused research and development manager at Lockheed Martin. He has an MBA and MS from University of Maryland and a BS in Computer Science from the University of Illinois.

The post talk: Why are memory-corruption bugs still a thing?, 10:30am Mon 4/8, ITE325 appeared first on Department of Computer Science and Electrical Engineering.

SFS cyberdefense scholarship applications due Noon Monday, April 15

The next application deadline for SFS cyberdefense scholarships at UMBC is 12:00 noon Monday, 15 April 2019, for possible scholarships beginning in the fall of 2019. See the Center for Information Security and Assurance site for details and application forms.

These major scholarships include tuition, generous stipend, and more, in return for government employment. Applicants must have at least junior status in fall 2019. BS, MS, MPS, PhD in any cyber-related field may apply (CS, CE, EE, IS, Cyber, and possibly others). SFS applicants must be citizens or lawful permanent residents capable of obtaining a secret clearance at federal, state, local, or tribal government. The annual stipends are $25,000 undergraduate and $34,000 graduate; in addition, each scholar will receive $6000 per year in professional development funds.

The scholarships are highly competitive (e.g., the median GPA of current SFS scholars at UMBC is 3.8) and favor students who have excelled in upper-level technical courses and who have demonstrated a passion and talent for cybersecurity through relevant accomplishments. We will consider applications from rising juniors and above with GPA over 3.0. All SFS scholars at UMBC are expected to engage in cohort and research activities. UMBC is in the first year of a five -year, $5 million NSF grant, which will support 34 students. For more information, see the SFS FAQ page.

Interested students should contact

Dr. Alan T. Sherman
Professor of Computer Science
Director, UMBC Center for Information Security and Assurance (CISA)
*protected email*

The post SFS cyberdefense scholarship applications due April 15 appeared first on Department of Computer Science and Electrical Engineering.

Exploiting IoT Vulnerabilities

Dr. Yatish Joshi, Senior Engineer, Cisco Systems

11:45am-1:00pm Monday, 18 February 2019, ITE 325-B

The past decade has seen explosive growth in the use and deployment of IoT (Internet of Things) devices. According to Gartner there will be about 20.8 billion IoT devices in use by 2020. These devices are seeing wide spread adoption as they are cheap, easy to use and require little to no maintenance. In most cases, setup simply requires using a web or phone app to configure Wi-Fi credentials. Digital home assistants, security cameras, smart locks, home appliances, smart switches, toys, vacuum cleaners, thermostats, leakage sensors etc are examples of IoT devices that are widely used and deployed in home and enterprise environments.

The threat landscape is constantly evolving and threat actors are always on the prowl for new vulnerabilities they can exploit. With traditional attack methods yielding fewer exploits   due to the increased focus on security testing, frequent patches, increased user awareness, Threat actors have turned their attention on IoT devices and are exploiting inherent vulnerabilities in these devices. The vulnerabilities, always ON nature, and autonomous mode of operation allow attackers to spy on users, spoof data, or leverage them as botnet infrastructure to launch devastating attacks on third parties. Mirai, a well known IoT malware utilized hundreds and thousands of enslaved IoT devices to launch DDoS attacks on Dyn affecting access to Netflix, Twitter, Github and many other websites. With the release of the Mirai source code numerous variants of the malware are infecting IoT devices across the world and using them to carry out attacks.

These attacks are made possible because the devices are manufactured without security in mind!. In this talk I will demonstrate how one can hack a widely available off-the-shelf IP Camera and router by exploiting the vulnerabilities present in these devices to get on the network, steal personal data, spy on a user, disrupt operation etc. We will also look at what can be done to mitigate the dangers posed by IOT devices.

So attend hack & defend!

Dr. Yatish Joshi is a software engineer in the Firepower division at Cisco Systems where he works on developing new features for Cisco’s security offerings. Yatish has a PhD in Computer Engineering from UMBC. Prior to Cisco Yatish worked as a lecturer at UMBC, and was a senior software engineer developing TV software at Samsung Electronics. When not working, he enjoys reading spy thrillers and fantasy novels.

The post talk and demo: Exploiting IoT Vulnerabilities, 11:45-1:00pm Mon 2/18 appeared first on Department of Computer Science and Electrical Engineering.

Using Deep Learning in Identifying Network Intrusions

Dr. Rajeev Agrawal
Information Technology Laboratory
US Army Engineer Research and Development Center

10:30-11:30 Monday, February 11, 2019, ITE325

Deep Learning algorithms have been very successful in computer vision, natural language processing, and speech recognition. However, there is a big challenge in applying it in cyber security domain due to non‐availability of ‘real’ cybersecurity data. Many researchers have tried using synthetic data such as KDD‐NSL or newer UNSW-NB15 network intrusion datasets, however, it is difficult to determine the performance of the proposed research on a dataset captured from an enterprise network. The DoD’s High Performance Computing Modernization Program (HPCMP) operates Defense Research Engineering network (DREN), which has multiple security software and hardware tools installed across the network. A variety of cybersecurity logs are captured using these tools. We use a TensorFlow based framework to analyze DREN’s Bro alert data generated under Cybersecurity Environment for Detection, Analysis and Reporting (CEDAR) project. These alerts are marked as bad or normal by the cybersecurity analysts and used as ground truths. This labeled data is used to measure the performance of our approach in identifying network intrusions. We are able to achieve high level accuracy by tuning hyper-parameters used in any deep learning approach. In this presentation, we will discuss the results of our approach which harnesses the power of HPC systems to train our proposed model.

Dr. Rajeev Agrawal joined Cyber Engineering and Analysis branch (CEAB), Information Technology Laboratory in 2016. He is the Data Science lead of the High Performance Computing Architecture (HPC) for Cyber Situational Awareness (HACSAW) Project. The goal of this project is to analyze the cybersecurity data captured across Defense Research and Engineering Network (DREN). He is also a member of the HPC-based deep learning project team and exploring deep learning applicability in cybersecurity domain. Dr. Agrawal received his Ph.D. in Computer Science with minor in Engineering from Wayne State University in 2009. Prior to joining ITL, he was an Associate Professor in the Department of Computer Systems Technology at North Carolina A&T State University.  Dr. Agrawal’s research interests include Deep Learning, Cyber Security, SCADA/ICS, Machine Learning and Pattern Recognition. He has published more than 80 technical papers and book chapters in refereed conferences and journals in these areas. He was selected a Data Science Fellow by the National Consortium of Data Science (NCDS) in 2014. His research has been funded by NSF, US Army, John Deere, ACM, RedHat, National Consortium of Data Science and Michigan State University.

The post talk: Using Deep Learning in Identifying Network Intrusions, 10:30am Mon 2/11, UMBC appeared first on Department of Computer Science and Electrical Engineering.

MD Data Science Conference
Friday, 25 January, PAH Concert Hall, UMBC

Miner & Kasch, a AI and data science consulting firm founded by two UMBC alumni, will hold a one-day Data Science Conference at UMBC on Friday, January 25 in the Linehan Concert Hall of the UMBC Performing Arts & Humanities Building. A limited number of free tickets are available for current UMBC students. To attend, you need to register here.

The event was originally scheduled for January 14, but had to be rescheduled due to inclement weather. If you had registered and obtained a ticket earlier, you will need to re-register.

The event brings together local companies and professionals to share what new and exciting things they are doing with their data. It will be attended by business managers, startup founders, software engineers, data scientists, students, and other curious people that want to learn more about the cutting edge of data science, machine learning, and AI. See the conference website for topics and speakers.

The post Maryland Data Science Conference, Fri. 1/25, UMBC (new date) appeared first on Department of Computer Science and Electrical Engineering.

Countering Russian disinformation the Baltic nations’ way

Terry Thompson, University of Maryland, Baltimore County

As the new Congress begins, it will soon discuss the comprehensive reports to the U.S. Senate on the disinformation campaign of half-truths, outright fabrications and misleading posts made by agents of the Russian government on social media in the run-up to the 2016 presidential election.

After years of anemic responses to Russian influence efforts, official U.S. government policy now includes taking action to combat disinformation campaigns sponsored by Russia or other countries. In May 2018, the Senate Intelligence Committee endorsed the concept of treating attacks on the nation’s election infrastructure as hostile acts to which the U.S. “will respond accordingly.” In June, the Pentagon unleashed U.S. Cyber Command to respond to cyberattacks more aggressively, and the National Cyber Strategy published in September 2018 clarified that “all instruments of national power are available to prevent, respond to, and deter malicious cyber activity against the United States.”

There are already indications that Cyber Command conducted operations against Russian disinformation on social media, including warning specific Russians not to interfere with the 2018 elections. However, low-level cyberwarfare is not necessarily the best way. European countries, especially the Baltic states of Estonia, Latvia and Lithuania, have confronted Russian disinformation campaigns for decades. Their experience may offer useful lessons as the U.S. joins the battle.

The Baltic Sea region of northern Europe. Estonia, Latvia and Lithuania are in light green in the center, west of Russia in blue. Stefan Ertmann/ Wikimedia Commons, CC BY-SA

The Baltic experience

Beginning in 1940 and continuing until they declared independence in the early 1990s, the Baltic countries were subjected to systematic Russian gaslighting designed to make people doubt their national history, culture and economic development.

The Soviets rewrote history books to falsely emphasize Russian protection of the Baltic people from invading hordes in the Middle Ages, and to convey the impression that the cultural evolution of the three countries was enabled by their allegiance and close ties to Russia. Even their national anthems were rewritten to pay homage to Soviet influence.

Soviet leaders devalued Baltic currencies and manipulated economic data to falsely suggest that Soviet occupation was boosting the Baltic economies. Further, Soviet authorities settled ethnic Russians in the Baltic countries, and made Russian the primary language used in schools.

Since the fall of the Soviet Union and the independence of the Baltic countries, the Russian Federation has continued to deliver disinformation to the region, making extensive use of Russian-language social media. Some themes characterize the Baltic people as ungrateful for Soviet investment and aid after World War II. Another common message criticizes Baltic historians for “falsification of history” when really they are describing the real nature of the Soviet occupation.

A massive Russian attack

After independence, and as the internet grew, Estonia led the way in applying technology to accelerate economic development. The country created systems for a wide range of government and commercial services, including voting, banking and filing tax returns electronically. Today, Estonia’s innovative e-residency system is being adopted in many other countries.

These advances made the Baltics a prime target for cyberattacks. In the spring of 2007, the Russians struck. When Estonia moved a monument memorializing Soviet soldiers from downtown Tallinn, the country’s capital, to a military cemetery a couple of miles away, it provoked the ire of ethnic Russians living in Estonia as well as the Russian government.

For three weeks, Estonian government, financial and media computer systems were bombarded with enormous amounts of internet traffic in a “distributed denial of service” attack. In these situations, an attacker sends overwhelming amounts of data to the targeted internet servers, clogging them up with traffic and either slowing them down or knocking them offline entirely. Despite concerns about the first “cyber war,” however, these attacks resulted in little damage. Although Estonia was cut off from the global internet temporarily, the country’s economy suffered no lasting harm.

These attacks could have severely damaged the country’s financial system or power grid. But Estonia was prepared. The country’s history with Russian disinformation had led Estonia to expect Russian attacks on computer and information systems. In anticipation, the government spearheaded partnerships with banks, internet service providers and other organizations to coordinate responses to cyberattacks. In 2006, Estonia was one of the first countries to create a Computer Emergency Response Team to manage security incidents.

The Baltic response

After the 2007 attack, the Baltic countries upped their game even more. For example, Estonia created the Cyber Defense League, an army of volunteer specialists in information technology. These experts focus on sharing threat information, preparing society for responding to cyber incidents and participating in international cyber defense activities.

Internationally, Estonia gained approval in 2008 to establish NATO’s Cooperative Cyber Defense Center of Excellence in Tallinn. Its comprehensive research into global cyber activities helps identify best practices in cyber defense and training for NATO members.

In 2014, Riga, the capital of neighboring Latvia, became home to another NATO organization combating Russian influence, the Strategic Communications Center of Excellence. It publishes reports on Russian disinformation activities, such as the May 2018 study of the “Virtual Russian World in the Baltics.” That report analyzes Russian social media activities targeting Baltic nations with a “toxic mix of disinformation and propaganda.” It also provides insight into identifying and detecting Russian disinformation campaigns.

“Baltic elves” – volunteers who monitor the internet for Russian disinformation – became active in 2015 after the Maidan Square events in the Ukraine. And the Baltic nations have fined or suspended media channels that display bias.

The Baltic countries also rely on a European Union agency formed in 2015 to combat Russian disinformation campaigns directed against the EU. The agency identifies disinformation efforts and publicizes accurate information that the Russians are seeking to undermine. A new effort will issue rapid alerts to the public when potential disinformation is directed against the 2019 European Parliament elections.

Will the ‘Baltic model’ work in the US?

Because of their political acknowledgment of threats and actions taken by their governments to fight disinformation, a 2018 study rated Estonia, Latvia and Lithuania the three European Union members best at responding to Russian disinformation.

Some former U.S. officials have suggested adopting similar practices, including publicizing disinformation efforts and evidence tying them to Russia. The Senate Intelligence Committee has called for that too, as has the Atlantic Council, an independent think tank that focuses on international affairs.

The U.S. could also mobilize volunteers to boost citizens’ and businesses’ cyberdefenses and teach people to identify and combat disinformation.

Disinformation is a key part of Russia’s overall effort to undermine Western governments. As a result, the battle is ever-changing, with Russians constantly trying new angles of attack and target countries like the Baltic nations identifying and thwarting those efforts. The most effective responses will involve coordination between governments, commercial technology companies and the news industry and social media platforms to identify and address disinformation.

A similar approach may work in the U.S., though it would require far more collaboration than has existed so far. But backed by the new government motivation to strike back when provoked, the methods used in the Baltic states and across Europe could provide a powerful new deterrent against Russian influence in the West.Terry Thompson, Adjunct Instructor in Cybersecurity, University of Maryland, Baltimore County

This article is republished from The Conversation under a Creative Commons license. Read the original article.

The post Countering Russian disinformation the Baltic nations’ way appeared first on Department of Computer Science and Electrical Engineering.

The UMBC Cyber Defense Lab

Workshop on Usable Security

Nikola K. Blanchard
10am-4pm, Tuesday, 18 December, 2018, ITE 228, UMBC

We invite people interested in cybersecurity to join us for research conversations with Nikola Blanchard, an expert in usable security. Visitors are welcome to participate in any or all of the workshop.

How do we make better codes and passwords? As security constraints increased at the expense of usability, we saw no real improvement in practical performance. This session will introduce some basic notions of usability of security (with applications to voting technology), and the first mental-only password management algorithm. Participants will then be presented with the problem of evaluating such algorithms, and will have a brainstorming activity on designing alternative methods.

Biographical Sketch. After an initial training in mathematics and informatics at ENS Paris, Nikola K. Blanchard started a PhD at IRIF, supervised by Nicolas Schabanel and Ted Selker. In 2015, they joined the Random Sample Voting Project to develop voting protocols, prevent vote selling and improve the deployment of new voting technologies, organizing multiple test elections. They recently started doing research on usability of security with Ted Selker, initially for secure voting technologies but expanding into the field of password research. As e-democracy research requires not just security or usability but also political science, they joined the Chôros think tank and teamed up with Géza Tessényi to co-found the Public Opinion Platform, adding the deliberation aspect needed for any e-democracy project. They are currently in the process of publishing a book on the use of randomness in political institutions.

Host: Alan T. Sherman, *protected email*

Biweekly Cyber Defense Lab meetings will resume in the spring term, 12noon-1pm on Fridays

This event is supported in part by the National Science Foundation under SFS Grant 1241576

The post Workshop on Usable Security, 10-4 Tue 12/18 appeared first on Department of Computer Science and Electrical Engineering.

Dr. Jacob Mendel, Tel Aviv University

11:00am Thursday, 15 November 2018, ITE 459, UMBC

The last decades have witnessed unprecedented population and urbanization growth with the implication that today, for the first time in human history, more than half of the world’s population lives in cities. The consequences of the cybersecurity threats of this urbanization trend along with the notion of smart cities are the main subject of this session. The smart city (system of systems) integrates Big-data and the Internet of Things (IoT) to optimize the operation cost, efficiency and to provide a better services to the residents. Smart cities worldwide are checking blockchain as the foundation for urban living. Using blockchain technology in smart city can create a marketplace for Smart Grid.

The increased complexity of smart cities (system of systems), globally connected, economic and political systems has increased the cybersecurity vulnerability. The cybersecurity threats get magnified by the city big-data and its dependency on the technology. The cybersecurity challenges that smart cities faces demand for research and investment in physical security and economic security. In this session we will highlight various cybersecurity and blockchain parameters of a smart city, existing cybersecurity challenges and possible solutions.

Dr. Jacob Mandel is The Moshe Hogeg Blockchain Research Institute managing director at the Tel Aviv University, and former the General Manager Cyber Security COE at Intel. He is a serial cyber security entrepreneur; He has been the CEO and Co-Founder of SCsquare Ltd., where he founded a business enabler for cybersecurity technologies. Dr. Jacob holds 16 approved patents in the area of cybersecurity. His career in cybersecurity over the past 20 years is a unique mixture of broad practical experience and research expertise. His practice included extensive involvement in cybersecurity offensive projects (software and hardware), business development and product management. Proven worldwide track records in secure operating systems, digital rights management, security certification (CC, FIPS), penetration test, reverses engineering, Machine Learning, Blockchain, IoT security and Smart Grid cybersecurity.

His current main research interest is on The Economic Perspective on Smart Grid Cybersecurity and Blockchain technology with a special focus on malware attacks, privacy issues and business continuation. He holds a PhD in Economics from Poznan University of Economics and Business, Poland and Masters of Business Administration (MBA) degree from Ben-Gurion University of the Negev, Israel.

The post talk: Challenges of Smart Cities Cybersecurity and Privacy with Blockchain, 11am Thr 11/15 appeared first on Department of Computer Science and Electrical Engineering.

The National Science Foundation recently awarded Alan Sherman, professor of computer science and electrical engineering (CSEE), and his colleagues, two grants totaling over five million dollars to support students and research at UMBC.

Tools to assess learning

One of the two NSF grants asks the question, what is the most effective way to teach cybersecurity—with competitions, games, hands-on experiences, or other techniques? Through this award, Sherman and colleagues will focus on developing evidence-based tools to assess the effectiveness of various approaches to teaching cybersecurity.

Sherman is working with Dhananjay Phatak, associate professor of CSEE; Linda Oliva, assistant professor of education; and collaborators at the University of Illinois at Urbana-Champaign to create two educational Cybersecurity Assessment Tools (CATS) that assesses a student’s conceptual understanding of cybersecurity. The first tool will be a concept inventory for students in any first course in cybersecurity. The second will be for students graduating from college who will be entering a career in cybersecurity.

Training future cybersecurity professionals

Sherman was awarded more than $4.9 million over five years through NSF’s CyberCorps: Scholarship for Service (SFS) program. The program is designed to increase the number of cybersecurity professionals that are trained to enter careers in government, focused on protecting the nation’s information, communications, and computer systems. Rick Forno, assistant director of UMBC’s Center for Cybersecurity, is co-PI on the new SFS program grant, as well as UMBC’s prior SFS awards.

This funding will allow Sherman to extend the work that he began with support from his previous NSF CyberCorps grant, which ends in August 2019. The Scholarship for Service program at UMBC will support 34 students who are pursuing degrees at the undergraduate and graduate levels in computer science, computer engineering, information systems, cybersecurity, and other cyber-related programs.

The grant funding will also allow Sherman to develop stronger connections with two community colleges in Maryland. Each year, one student graduating from Montgomery College and one student graduating from Prince George’s Community College will be selected to participate in the program beginning in their last year at community college, and continuing through their transfer to UMBC to complete their four-year degree. This collaboration will continue to strengthen the talent pipeline and increase the number of cybersecurity professionals who pursue public service careers.

The scholar experience

The SFS program and other cybersecurity education initiative help students develop their abilities to be prudent, thoughtful, and strategic in “managing trust and information in an adversarial cyber world.” Sherman explains, “Students must also pay careful attention to details and master relevant technical knowledge and skills, such as cryptology, network protocols, system design, and secure programming.”

Each student who receives a scholarship completes a summer internship with a government agency at the local, state, federal, or tribal level. Each recipient is also required to complete government service in a cybersecurity-related position in their field after graduation.

Based on a cohort model, the UMBC program encourages the SFS scholars to learn from each other and to engage in cybersecurity research on campus, such as through Sherman’s Cyber Defense Lab. Each January, the scholars complete a week-long collaborative research project in which they analyze a specific aspect of the security of UMBC’s computer system.

“As we enter the next five years of this grant, UMBC’s SFS program remains a unique, robust opportunity for students to explore the wide range of possibilities in the cybersecurity discipline,” explains Forno. “It allows them to fully prepare for and commit themselves to entering the federal cyber workforce, and make a difference on Day One no matter where they begin their careers in the service of our nation.”

Adapted from a UMBC News article by Megan Hanks. Banner image: Rick Forno, left, and Alan Sherman. Photo by Marlayna Demond ’11 for UMBC.

The post UMBC’s Alan Sherman and colleagues receive over $5M in NSF support for cybersecurity education appeared first on Department of Computer Science and Electrical Engineering.

Threats remain to US voting system – and voters’ perceptions of reality

Richard Forno, University of Maryland, Baltimore County

As the 2018 midterms proceed, there are still significant risks to the integrity of the voting system – and information warfare continues to try to influence the American public’s choices when they cast their ballots.

On the day of the election, there were a number of early hitches in voting at individual polling places, such as polling places opening late and vote-counting machines not plugged in. But there seem not – at least not yet – to be major problems across the country.

However, not all the election-related news and information voters have been encountering in recent days and weeks is accurate, and some of it is deliberately misleading. As this election’s results come back, they will reveal whether the misinformation and propaganda campaigns conducted alongside the political ones were effective.

Securing election systems

America’s electoral process remains highly fragmented, because of the country’s cherished tradition of decentralized government and local control. While this may leave some individual communities’ voting equipment potentially vulnerable to attack, the nation’s voting process overall may be more trustworthy as a result of this fragmentation. With no unified government agency or office to provide, administer and protect election technologies, there’s not one central national element that could fail or be attacked.

Across the country, though, many districts’ voters will cast ballots with the help of machines that have long-standing security concerns. Fortunately, 45 states keep a paper record of each vote cast – whether for fear of threats to voting integrity or just budget constraints preventing purchase of newer gear. But that means five states – Louisiana, Georgia, South Carolina, New Jersey and Delaware – don’t keep paper records of their voters’ choices.

Voting machine vendors have been reluctant to appear before Congress to explain their systems’ security practices – and shortcomings. However, federal agencies have helped some states reduce the likelihood of voting machines being hacked or physically tampered with.

Beyond voting machines

Election security is about much more than voting machines and vote-counting systems, though they are the most visible technologies at work on Election Day. State systems that track voter registrations, or allow users to register online, are enticing targets for hackers, too. Security firm Carbon Black reported that 81 million voter records from 20 states are available in online forums. This data, obtained by hacking various official and corporate databases, could be used to facilitate voter fraud or sow confusion at polling places on Election Day: How would you feel if you were told that someone using your name and address had already voted?

There are security concerns even in states like Oregon, where everyone votes on paper and mails in their ballots in advance of Election Day. That state’s election officials were targeted by hackers seeking to gain access to state email and database systems. With that access, attackers might be able to digitally impersonate a government official to send false or confusing emails, press releases or other notifications to citizens, journalists or poll workers.

Also at risk are public-facing official websites that carry election information. Merely changing the reported location of polling places or voting hours could prevent some people from voting. Also vulnerable are states’ methods of announcing preliminary election results. At a major internet security conference in August, children were able to compromise replicas of several states’ election-reporting systems. The most remarkable was that in just 10 minutes, an 11-year-old boy cracked the security on a copy of the Florida secretary of state’s website and was able to change the publicly announced vote totals for candidates. That could be enough to cast doubt on whatever was later reported as the official results – and the integrity of the system itself.

Managing information on social media

A more difficult threat to defend against is information warfare, which doesn’t attack voting machines or election officials’ computers. Rather, it targets voters’ perceptions and decisions, seeking to influence how they vote.

Long before the 2016 U.S. presidential election, information warfare was influencing elections around the world, including in Ukraine, Myanmar and Egypt. But after 2016, Facebook and Twitter came under intense scrutiny for their role in providing digital environments that facilitated the spread of misinformation to sow discontent, and special counsel Robert Mueller began investigating Russians’ influence efforts.

In the run-up to the 2018 midterms, Russians and others were still hard at work trying to influence Americans to vote in ways that help foreign interests. In October, the U.S. Department of Justice charged a Russian woman with creating thousands of fake social media accounts allegedly representing American citizens to “create and amplify divisive social media and political content” before the election.

This year, though, unlike two years ago, social media companies are taking action. Twitter and Facebook have both deleted thousands of accounts they identified as engaging in propaganda and influence-peddling. And they have made other efforts to identify and fight falsehoods on their platforms, too.

Nevertheless, online misinformation continues to thrive. More than 80 percent of the Twitter accounts that often shared links to false and misleading information in 2016 are still active today. And the amount of online misinformation is higher than it was two years ago.

Investigating alleged wrongdoing

U.S. intelligence and police agencies are concerned about the potential effects of misinformation on the American electorate. But large proportions of the country don’t trust those organizations to be politically independent. It doesn’t help that the White House continues to claim, without evidence, that voter fraud is a significant problem.

Mainstream news organizations can find themselves under scrutiny too, either for reporting falsehoods that appear to gain traction online or for failing to filter out or properly identify inaccurate information for their readers.

Looking ahead

Protecting democracy is a huge challenge. I’ve written before that it involves more than technical solutions to computer problems. The U.S. government, and the people it serves, must find the desire and the drive to establish secure and trustworthy procedures for running elections across the country. Education is also key, teaching people from an early age how to recognize propaganda and misinformation, and think critically about the information they encounter. Facts are not subject to alternative views; without widespread agreement on common objective realities, society and government cannot function well.

Technology continues to evolve, presenting challenges to individuals and society alike. Emerging “deepfake” technology is already helping create convincing videos of people appearing to say and do things they never said or did. In addition, intelligent social media bots are becoming more human-like, making identifying and blocking them much more difficult. That’s just some of the challenges that democracies will face in the future.

Many of these problems will not have a clearly defined fix, because they involve a nuanced balancing of individual rights and social necessities. Real and lasting solutions must come from civil discourse by rational and objectively informed people who have, above all, the actual honest desire to do it right.Richard Forno, Senior Lecturer, Cybersecurity & Internet Researcher, University of Maryland, Baltimore County

This article is republished from The Conversation under a Creative Commons license. Read the original article.

The post Richard Forno: Threats remain to US voting system – and voters’ perceptions of reality appeared first on Department of Computer Science and Electrical Engineering.