Emmanuel Macron has recently been elected as the new French president. He led a very astute political campaign, building and leading a new movement called “En Marche!” (Forward!) and he made it to the top. He is young. He embraces social media. His campaign team was very cyber-savvy and that served him well, because his campaign also made headlines on cyber security matters.
First, Macron took a very strong position in his counter-terrorism presidential plan with regard to the responsibilities of technology providers and ISPs in not further collaborating in the circumvention of encryption services, especially with regard to messaging services. He vowed to launch a major legal initiative to hold service providers accountable as accomplices of terrorist attacks. Since the elections, Macron and Theresa May have announced a joint initiative to crack down on terrorism, which includes “how to tackle encrypted communications between extremists”.
Then, Macron was reported to have successfully fought against hackers during his campaign. What his team did was interesting.
Interfering with democratic elections
Democracy, the “rule of the majority”, is a cornerstone of many societies, such as those of Australia and France. Free, fair and lawful election processes are critical to preserving a representational democratic system and the values that such a system fosters.
In France, democratic values are best referred to through the well-known republican motto of “Liberty, Equality & Fraternity”. The definition of Equality in the French Declaration of the Rights of Man and of the Citizen of 1789 included “…All citizens, being equal in its eyes, shall be equally eligible to all high offices, public positions and employments, according to their ability, and without other distinction than that of their virtues and talents.”. French citizens certainly value their right to elect their government representatives, such as their president, on the above principle of Equality.
Interference with election processes, whether from internal or foreign sources, is a risk to the principle of Equality, a risk to democracy and to the values that citizens passionately defend in France and in many other countries.
Election interference, especially from foreign sources, is certainly not a new risk. The risk existed well before our current cyber era. For example, in 1796 France reportedly interfered in a presidential election in the USA. From 1946 to 2000, the USA reportedly influenced presidential elections in other countries, as many as 81 times according to political scientist Dov Levin of Carnegie Mellon University.
Same risk management?
The risk of interference has existed for a long time, but managing it efficiently now requires a different strategy because of the cyber means available to threat sources, which make the risk more difficult to manage. The risk can materialise in a range of ways, including:
- tampering with computerised transactions supporting the elections process (e.g. ballot counting and reporting);
- impacting the operations of election campaigns, which heavily rely on data sharing and communication functions; and
- impacting the credibility of candidates through the publication of sensitive information, whether accurate or not.
Managing the risk of interference now also requires covering cyber security. It takes more effort, time, resources and planning to do so efficiently.
Macron’s Cyber Security Campaign
Early in the French presidential election campaign, Macron was reported to be a specific target of foreign interference because of his stance on international matters. It was reported that other French presidential candidates, such as Le Pen or Fillon, would have been preferred by an influential foreign country. Attempts at interference, supported by cyber-attacks, were then expected. A specific risk was identified.
We [Macron’s campaign team] have been hammered every day since December [by hackers] (Mounir Mahjoubi, Emmanuel Macron’s campaign digital lead).
Macron’s team dealt with frequent, targeted and well-crafted spear phishing attacks according to reports. Trend Micro reported that it had made the discovery of fake web domains associated with Macron on infrastructure which they believed was used by a group named “Pawn Storm”, with a caveat that “this [attribution claim] is not a 100% confirmation, but it’s very, very, likely”. They made the discovery by monitoring the creation of rogue, lookalike websites, which were often used by hackers to trick victims into revealing their online passwords.
Trend Micro’s report gives an example of such a phishing domain, “onedrive-en-marche.fr”, which differs only subtly from the real domain: the dots in the real address were replaced by hyphens. “If you speed read the URL, you can’t make the distinction” said Mahjoubi. And when the fake sign-in page came up it was “pixel perfect.”
The intent of the spear phishing campaign was to trick the targeted members of Macron’s team into providing their credentials, and then to use those credentials to access the team’s communications and documents.
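The lookalike monitoring described above can be sketched as follows. This is an added example, not code from Trend Micro or the campaign: it flags newly observed domain names that collapse to the same string as a protected hostname once dots and hyphens are removed, and it goes slightly beyond the page by also tolerating one typo. The protected hostnames are assumptions (the page does not give the real address) and the observed feed is constructed.

```python
import re

# Assumed legitimate hostnames; the page does not give the real address, so
# "onedrive.en-marche.fr" and "mail.en-marche.fr" are illustrative stand-ins.
PROTECTED = ["onedrive.en-marche.fr", "mail.en-marche.fr"]

# Constructed feed of newly observed domain names. Only the second entry is
# quoted on the page; the others are made up for this example.
OBSERVED = [
    "onedrive.en-marche.fr",     # the real host itself: never flagged
    "onedrive-en-marche.fr",     # dots replaced by hyphens
    "mail-en-marche.fr",         # same trick against another host
    "onedrive-en-narche.fr",     # separator swap plus a one-letter typo
    "boulangerie-du-marche.fr",  # unrelated name that shares a word
]

def skeleton(host):
    """Lower-case the name and drop '.' and '-' so separator swaps collapse."""
    return re.sub(r"[.\-]", "", host.strip().lower())

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(protected, observed, max_typos=1):
    """Return (observed, imitated, reason) for names that mimic a protected host."""
    legit = {p.strip().rstrip(".").lower() for p in protected}
    hits = []
    for name in observed:
        host = name.strip().rstrip(".").lower()
        if host in legit:
            continue  # exact match on a real host is not a lookalike
        for target in sorted(legit):
            d = edit_distance(skeleton(host), skeleton(target))
            if d <= max_typos:
                reason = "separator swap" if d == 0 else f"near match ({d} edit)"
                hits.append((host, target, reason))
                break
    return hits

if __name__ == "__main__":
    for hit in find_lookalikes(PROTECTED, OBSERVED):
        print(*hit, sep="  ")
```

Flagged names are candidates for the kind of weekly staff warning described later on this page; an analyst still has to confirm each one before it is reported or blocked.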
During the campaign, claims were made that “It’s serious, but nothing was compromised” (Mahjoubi, April 24), but Macron’s campaign was eventually hit with a leak on the eve of election day. It was referred to as MacronLeaks.
On Friday 5 May, a trove of files appeared on the anonymous document sharing site Pastebin, under the title “EMLEAKS”. Macron’s team confirmed the hack, stating it had been the “victim of a massive and coordinated hack … which has given rise to the diffusion on social media of various internal information”.
However, the leak came too late to impact the elections. At the time of the leak, it was also unclear whether the content of the leaked documents would have warranted any tangible impact on the election process. In addition, France’s presidential electoral authority had quickly stepped in and asked the media to avoid transmitting information from the leaked documents and reminded them of their responsibilities given the “seriousness of the election”. They also called for a “spirit of responsibility”. The call was respected. The French media abstained from publishing the documents and commenting on them so close to election day. Leading French newspaper Le Monde said it had seen part of the documents and that the hacking attack was “clearly aimed at disturbing the current electoral process”, and it decided not to publish the content of the documents.
In the end, there was no impact on the election process, no surprise in the election result and, importantly, there is no ongoing political drama related to any alleged foreign interference, unlike the situation in the USA.
How did Macron’s team manage the risk?
We knew we were going to be attacked and targeted. (Mahjoubi)
Macron’s team did not fully mitigate the risk. They were still the victim of a hack. However, they were successful in making it more difficult for the hackers and in containing the impact. They focused on the best possible defence, “reducing the risk if anyone managed to break into the system.”
My key takeaways from the measures applied by Macron’s team include:
- Identifying a risk early on, understanding it and planning accordingly to best manage it. According to Mahjoubi, the risk was “to unfocus us”.
- Taking lessons learnt from the USA presidential elections and the alleged DNC server hack that reportedly impacted Hillary Clinton’s campaign. “The only way to be ready is to train the people. Because what happened during the Hillary Clinton campaign is that one man, the most powerful, [campaign chairman] John Podesta, logged on to his [fake] page.” (Mahjoubi)
- Applying a clear focus on staff security awareness with weekly communications. “Every week we send to the team screen captures of all the phishing addresses we have found during the week.” (Mahjoubi).
- Managing sensitive communications between campaign staff through a mix of different channels and applications (not only emails). As such, the compromise of one channel would not compromise all communications.
- Implementing a soft “counteroffensive” decoy strategy to “flood” hackers with misleading information and get them busy sorting things out. “You can flood these addresses with multiple passwords and log-ins, true ones, false ones, so the people behind them use up a lot of time trying to figure them out.” (Mahjoubi)
The Macron team’s handling of the risk was praised in the media. Mounir Mahjoubi, Emmanuel Macron’s campaign digital lead, was hailed as the ‘geek’ who saved Macron’s campaign. It was a great example that cyber security risks can be managed.
Who was behind the attacks?
Some media were very quick to point the finger at a specific country, which tends to be quickly blamed for such activities.
I have personally been quite sceptical of recent attribution claims, in this case and in others, because some of those past claims have not been fully assertive, relying on varying degrees of evidence sometimes referred to as a “constellation of evidence”, but not sustained by definitive proof.
In the case of the MacronLeaks, I took great interest in the position of Guillaume Poupard, the director general of the French cyber defence agency known as ANSSI. His agents were called to deal with the aftermath of MacronLeaks. In a recent interview with the Associated Press, which referred to the USA’s warning to France about “Russian activity” before Macron’s win, Poupard stated that “The attack was so generic and simple that it could have been practically anyone” and “To say ‘Macron Leaks’ was APT28 [or Russia], I’m absolutely incapable today of doing that, I have absolutely no element to say whether it is true or false.”
The most interesting part of his commentary referred to the warning France had received from the USA: ‘We are watching the Russians. We are seeing them penetrate some of your infrastructure. Here is what we have seen.’ (Rogers, NSA Director). Poupard said Rogers’ comments left him perplexed and he said: “Why did Admiral Rogers say that, like that, at that time? It really surprised me. It really surprised my European allies. And to be totally frank, when I spoke about it to my NSA counterparts and asked why did he say that, they didn’t really know how to reply either… Perhaps he went further than what he really wanted to say.”
You may then, like me, take attribution claims with a pinch of salt going forward. After all, the most important thing is simply to manage the cyber risk as well as we can, and that includes dealing with the vulnerabilities that are available for anybody to exploit, wherever the hackers may come from.
Forward with Democracy and Cyber Security
Congratulations to Macron and his cyber-savvy campaign team for their political success and their success in dealing with a cyber threat. This is a good story of cyber security risk management and we need more stories like this one. It may require some focus, planning and resources, but cyber risks can be managed.
Democracy and the values many of us passionately defend are certainly at risk. The risk has always existed and it now requires some cyber risk management considerations. We are adapting to it. It is not easy. Some countries have also curbed or rolled back their technology initiatives for managing election processes more efficiently (e.g. internet voting) over cyber security fears. For example, the Netherlands has decided to revert to manual ballot counting and election result processing over security fears, instead of continuing to use software for it. France has also recently dropped its internet voting solution for citizens living abroad, which I contributed to trialling. The rollback saddened me, because I like it when technology is delivered to enable improvements. Internet voting could help in reducing abstention rates by delivering a more convenient voting option. It could help in improving democracy. However, I certainly appreciate the security risks at the same time.
Going forward, we ought to further enjoy Liberty, Equality, Fraternity with better Cyber Security.