Election security in a digital democracy
Thanks to the Digital Age, there are emergent and ever growing risks to elections. Whilst we have come through the Australian Federal election unscathed, ensuring trust in the process and results is now a team sport writes Katherine Bodendorfer and Forrest Allen.
For the past several years, cyber threats to open election processes have become evident to us all. Campaign offices, polling stations and other small centres associated with the election process remain vulnerable to primarily state sponsored, hacktivist and individualist cyber-attacks. Threats to democracy are high because it now comes in digital form. Disinformation campaigns through social media, outdated voting machines, and inadequate cybersecurity measures for voting machines and databases are just a few of the vulnerabilities that leave our elections open to sabotage by adversaries.
In February this year, the Australian Federal Parliament’s computers were hacked. Prime Minister Scott Morrison blamed it on state actors, but with an election looming (though it hadn’t been called at the time), it was a serious breach.
In the wake of this attack, the Australian Electoral Commission (AEC) prepared itself to counter cyberattacks during the election.
Fortunately, no attack eventuated in Australia, but as we turn our attention to US elections next year, the question of cybersecurity will become more and more prominent.
Security is vital to electoral stability
Security has always been a key component of free and fair elections around the world. In the U.S., each state and jurisdiction has measures in place to ensure security in all phases in the election process to ensure the results are true.
Data-driven election campaigns and computerized election infrastructure in the U.S. and around the world are raising concerns regarding security and privacy. Not to mention questions regarding the ethics and the impact on voting trends and practices.
Who are the troublemakers in this space?
Foreign adversaries’ intentions are not to change voter outcomes, but rather something more attainable: undermine and disrupt the confidence of the people in their government, their democratic institutions and even trust in the results their elected representatives. This is an assault on all democracies. And all a threat actor has to do is penetrate systems that have weak end-points and internal vulnerabilities likes weak passwords.
Russia’s cyber-attacks on political party servers and state voter registration databases in 2016 certainly raised alarms. In October 2018, the director of national intelligence, FBI, US Department of Justice, and DHS issued joint statements underlining the concerns regarding threats posed by Russia and other threat actors to election processes. The Justice Department even charged a Russian national for her alleged part in a Russian operation targeting the 2018 US midterm elections.
The threat also comes from beyond nation states like Russia and China. There exist organizations, entities, and individual adversaries looking to disrupt the electoral system. With polarizing politics and accessible online tools, one could easily envision a disgruntled member of the opposing party taking matters into their own hands to shut down a voting center on election day.
Why is it an issue?
As campaign offices and polling locations turn to digital analytic tools and tracking mechanisms, computers become the front line of exploitation by threat actors. One of the reasons computer security is so difficult is having a secure system means doing a lot of things just right. When you talk about something connected to the internet, there are lots of different entry points that can make turn your defenses inside out.
Here are some basic examples: old electoral infrastructure, issues with the basics like: weak passwords, and user vulnerabilities. All of potential risk areas must be addressed correctly in order to maintain a secure system. Malfeasance, technical breakdown or administrative incompetence could easily create disorder with the electronic systems.
Where are the systems vulnerable?
The top election related threats, as identified by the U.S. Department of Justice, are direct damage to computer systems, data theft, fraud schemes, extortion and blackmail, attacks on critical infrastructure, and malign foreign influence operations.
Because of the complicated nature of most democratic societies, state, local, and federal election processes often mean that campaign and electoral systems are somewhat disparate. Further, as elections lengthen, all the many months, and even years of work that being done by campaigns builds the attack surface and richness of the data targets. Political Action Committees, financing institutions, and national political parties provide more opportunities for threat actors. That is all just pre-election!
In the US, the Department of Homeland Security (DHS) designated the voting process as a critical infrastructure, because the networks and systems’ security are vital to the American democracy. As such, if attacked, it would have a significant impact on national security.
What can be done?
Around the globe, democracies need to identify and update election IT basic infrastructure, cybersecurity practices across state voter registration systems, campaign data, and election auditing.
The NIST Cybersecurity Framework offers guidance by helping to understand and manage risks by organizing threats into five functions: identify, protect, detect, respond, and recover. While many campaign offices, polling stations and other centers do not have the expertise or resources to employ a robust IT staff, the basic tenets of this framework provide a solid, simple foundation from which to build.
A cyber risk framework of real time continuous monitoring across all election infrastructure, offices and organizations can be put in place, providing insight into key cyber risk indicators and ongoing activities that help to develop approaches, policies and best practices for each election office and organization. Such services are a commercial commodity and affordable and available to all.
For information about our advisory services contact whitehawk.com