The fault is in ourselves

By: William Jackson
August 24, 2018

In the past week, Microsoft has reported taking down half a dozen malicious Web sites tied to Russia that appeared to be politically motivated, and Facebook and Twitter reported shutting down hundreds of accounts linked to Russia and Iran that were apparently disseminating fake news. Earlier this month at DefCon 26 in Las Vegas, young hackers compromised replicas of state voting sites and researchers uncovered vulnerabilities in electronic voting machines.

In the run-up to the 2018 mid-term elections, the U.S. election infrastructure is under attack, and political and IT analysts warn that this is probably just a warm-up for the 2020 presidential election. But keep in mind that ultimately our adversaries are targeting us, not our machines.

State officials and voting machine manufacturers routinely discount reports of vulnerabilities. Maybe they are right, although the history of cybersecurity makes me doubt it. In the long run, however, the mere threat of an election day exploit could be as damaging as a successful hack. Sowing discord and doubt about the electoral process is the primary goal of our adversaries, whether they accomplish it through social media or by hacking databases and voting machines.

Gray matters

We would be foolish to ignore the very real threats to election technology. In a recent survey by cybersecurity company Venafi of more than 400 IT security professionals in the United States, the United Kingdom and Australia, 93 percent said they were concerned about cyberattacks targeting election data or infrastructure. Ninety-nine percent recognized that vulnerabilities and exploits are readily available to would-be attackers.

It would be difficult to effectively swing an election by targeting individual voting machines. But vulnerable machines can be attack vectors for systems that transmit and tabulate voting results. And in the end, our adversaries don’t have to actually mess with voting results. They just have to mess with our minds. And they are.

It is important to remember that Donald Trump was elected president in 2016 by a statistical fluke with less than half the vote. His victory was due to a few handfuls of voters in a few key districts. It would be naïve to believe that none of those voters were influenced by the Russian propaganda campaigns identified by the U.S. intelligence community. By hacking vulnerable gray matter the Russians were able to manipulate votes before they were even cast without having to compromise voting hardware or software. Of course, being able to breach databases and emails certainly helps the process of social engineering.

Social hacks

Sowing distrust in our elections can dissuade voters from going to the polls, which can undermine the legitimacy of the electoral process, increase distrust of elected officials, and shrink the electorate to a size that can be more easily manipulated by outsiders or malicious insiders. Vulnerabilities in and attacks against voting machines and associated infrastructure, whether successful or not, contribute to this distrust and must be addressed.

Russia, which has a long history of manipulating its own citizens that extends back through the years of the Soviet Union, is showing itself to be adept in applying this social engineering against foreign populations in the digital age. The attacks don’t have to be precise and surgical; even blunt trauma can do lasting damage to Western democracy.

Protecting ourselves from these threats requires a two-pronged defense that includes improving the security of our electoral infrastructure together with better education of our electorate. An inability to distinguish between news and propaganda and to identify credible sources of information, and a willingness to live in an echo chamber and ignore reality, make us increasingly vulnerable to manipulation.

Our founding fathers understood that democracy depends on an informed citizenry. An uninformed citizenry is dangerous. A misinformed citizenry is disastrous.