Any apparent election interference from countries like Iran and Russia is typically met with partisan posturing. But while politicians are busy debating which candidate might benefit, there’s a good chance that someone, somewhere, is trying the same thing again right now.
Foreign interference like the recent incident announced by the U.S. Director of National Intelligence John Ratcliffe is more common than ever because no online data is completely safe from hackers, and digital data is valuable for what it reveals.
Huge tech companies are big red targets because their business models revolve around data. But what about governments? It’s certainly not surprising that bad actors are targeting this year’s shiniest and most tempting data trove: the massive amount of remote, digital voter data shuffling across the Internet in the ongoing U.S. General Election.
Challenges of voter cyberdefense
The American voting process has become less manual over the years, and even more digital since COVID-19, with online voting, voter registration, ballot tracking and counting, and other relevant data, all of which are a potential goldmine for hackers. With 41 states and Washington, D.C., offering online voter registration, this information is within reach of those who might steal it for purposes that go beyond identity theft and into the realm of democratic manipulation, suppression, or disarray. While voter registration data is often public information and sometimes easily found online, it is subject to individual states’ mandates, which vary greatly.
Risks are higher for voter data than for consumer data, because election infrastructure is less centralized, often temporary, and because the economics of protecting voter data are different. For companies, data means proprietary business processes, customer information, financials, and more. This data is central to profitability, so we can assume businesses invest their profits into its defense. Yet breaches still happen. If those with an enormous incentive to protect their data can’t, how can we be sure that the voting apparatus -- sometimes hastily organized and often reliant on the consensus use of taxes or even donations -- will be any better off?
Election IT assets are sometimes short-lived and exist primarily over the span of a campaign, with their protection funded by taxpayer, donor, and PAC dollars. Corporate cybersecurity processes take years and millions of dollars to plan, while many campaigns might only exist for several months. For every dollar candidates spend on cyberdefense, that’s a dollar they can’t spend on ads fortifying their election. Securing thousands of dollars in donations for encryption, for instance, may not be seen as worthwhile.
That’s why it’s important to fund an election security plan that supports permanent fairness and transparency at every level. But election defense must cover the entire system, and that means getting a polarized government to align on the issue. Any solution must include a plan for deployment across a country-wide system full of siloed IT systems, many running on outdated software, and resembling an old spare-parts jalopy more than an efficient modern machine.
How to break an election
Within the public sector IT system, data is so spread out and compartmentalized that even if a decision on how to protect it was unilateral, it would still be a monumental task to find and deploy a relevant solution or solutions. Yet for this higher degree of difficulty in data protection, consequences for failure are much worse than they are in the corporate world. Multiple past examples demonstrate how election data and unorganized, unprotected IT assets can be usurped to create havoc.
Websites are an easy target because they are connected to the internet at all times. We’ve seen how hacked sites have been used against the campaign or the election process before, and the results are truly discouraging. Whether for registering voters, announcing the election winners and losers, or some other purpose, sites targeted by state-backed hackers are in serious trouble.
In Ukraine, the 2014 presidential election results website was injected with malware to falsely display that the far-right candidate had won, no matter the result, and this was only discovered after Ukraine broke through a Russian DDoS attack on the same site. Simultaneously, Russia had announced that the losing candidate had won, sewing confusion that could have resulted in a recall under other circumstances.
Campaign staff and their devices are weak points as well. Phishing attempts on the social media and email accounts of campaign workers is the number one most serious issue for elections, according to the Department of Homeland Security. In 2016, we saw the campaign chairman for Hillary Clinton fall for a phishing attack, after clicking on a targeted link that then sent thousands of his and Mrs. Clinton’s emails to hackers’ computers and were later disseminated.
Attacks on voting machines are harder to pull off, but have gained a significant spotlight since Robert Mueller’s report on 2016 election interference by the Russian GRU. Though these machines have been around for over 15 years, many that we use have software that’s older still, making them vulnerable to ancient attacks that are easily deflected. The Mueller Report noted that GRU forces were seen to be targeting state election offices and voting machine makers in order to compromise them at the source, injecting machine malware that changes peoples’ votes, or the final tally, and then is programmed to erase itself. Unfortunately, this means that we can’t determine if results are compromised unless they’re audited -- a process that states tend to avoid.
What should we do to defend democracy?
For governments, it’s easier to create laws that make something illegal rather than laws that establish processes for legally doing things efficiently. This applies to election IT, as well. Determining a solution for election data theft and interference that both parties agree on and that fits an unorganized national IT system is nearly impossible. Instead, laws that identify relevant cyber tools for individual election assets, and that make it illegal not to use them in any election, can help to produce a reliable democratic result.
Securing leaky voter registration databases is a good first step. States must mandate that these databases, which can be used to steal or change personal voter information, be secured with a multi-layer mix of solutions that include 2FA, traffic monitoring, and more. Several state databases were scanned and probed in 2016 by malicious actors, but without proper auditing technology or processes, there is no evidence that data was corrupted in any way.
Auditing and paper ballot backups are vital to securing a confident, democratic election result, yet many states do not adopt this technology. As many as 14 states still use easily-compromised touchscreen tablets to register voters and accept ballots, meaning that manipulated election results are not immediately obvious. With no paper trail to back up electronic ballots that are already a proven target for hackers, results can be called into question. Moreover, at least five states still neglect to keep any backups at all, so even if they wanted to prove their elections weren’t tampered with, they couldn’t.
Relying on digital will disappoint
Ultimately, digital processes will always leave a door open for hackers somewhere. Mandating a multilayer security system for election assets is the first step, but nowhere should we rely on digital results alone. Paper is still key to democracy, as are ideas like making social media advertising more transparent, removing money from politics, and stopping the spread of misleading news. This is all to say: The battle is uphill.
It’s also hard to deal with the fact that those who have already been elected are also the only ones who can build a better system for the candidates and elections to come. That’s why it’s important to embrace proper cybersecurity (and paper security) if it is to remain supportive of democracy into the far future.