With the UK bracing for a general election and campaigning ahead of the US 2020 presidential election now in full swing, the threat of election hacking is once more a key topic of conversation.
The now infamous Democratic National Committee cyber attacks, in which hackers with ties to Russia breached the DNC network via a phishing attack, exemplified how easily democratic infrastructure can be affected by outside interference.
However, four years later, the cybersecurity community is still calling for greater efforts to combat the issue.
Verdict spoke to Kevin Bocek, VP of security strategy & threat intelligence at cybersecurity firm Venafi, to discover the motivations behind election hacking and whether the threat can ever be fully removed.
“It’s not just about having a certain outcome in an election”
Despite the publication of the Mueller report earlier this year, and the conclusion that Russia “interfered in the 2016 presidential election in sweeping and systematic fashion”, the implications for the Western democratic system are yet to be fully addressed.
Although the exact scope of Russian interference in the US election still remains unclear, experts have warned that the situation is due to worsen in the upcoming election, with threats from China and Iran a possibility, according to the Center for Strategic and International Studies.
With 41% of registered voters surveyed by Agari “very concerned” about foreign interference in the 2020 election, the issue looks likely to be a key focus for voters in the run-up to the election.
But what about the hackers themselves? Bocek explains that for different adversaries, the motivation of election hacking varies. Ensuring that a particular candidate comes out on top is not the only goal, he says:
“We might also then have the adversaries that want to affect our confidence in the democratic system. They might want to create chaos. So it’s not just about having a certain outcome in an election. And we have to think about who are the adversaries that would want to do that. Is it the large nation states? Is it the rogue nation states? Is it terrorist groups? Or could it be in certain areas down to a small set of individuals? What would they want to accomplish?”
Although the threat of election hacking remains very real, there has been a growth in awareness of the issue since 2016. Earlier this year, a startup named Defending Digital Campaigns was launched with the aim of providing cybersecurity services to political campaigns, with permission from the Federal Election Commission.
However, Bocek believes that there is currently only an “emerging understanding amongst the politicians” of the risks of election hacking. While the Democrat and Republican parties have made efforts to improve their cybersecurity practices, research shows that smaller parties in the US, as well as parties in Europe, may be creating vulnerabilities due to gaps in cybersecurity.
The Agari 2020 Presidential Campaign Email Threat Index also showed that only 1 of 13 campaigns polling above 1% were fully protected against “spear-phishing attacks, campaign brand abuse, donation diversion threats, and candidate impersonation”.
Not just voting machines
In the US, electronic voting systems are used to cast votes, and the fact that there are no federal regulations on voting technology vendors, as well as the use of outdated technology, means that they are vulnerable to hacking. In 2017, attendees at hacking conference Def Con demonstrated serious flaws in some of the hardware used in US elections, with one researcher able to gain access to a WinVote voting machine.
Although this is undoubtedly an area that needs watertight security, Bocek believes that the hardware used in elections often receives disproportionate attention. From poor cybersecurity practices within campaigns themselves, as was the case for the DNC in 2016, to breaching voter databases, it is clear to see that voting machines are not the only gateway for attackers:
“There’s a lot of effort and focus, especially in the US where we use electronic voting machines and elsewhere in the world, but it’s really that underbelly, which is the infrastructure and reporting. And that’s when the type of research that Venafi has done when we asked cybersecurity professionals about where do they see the risks in the infrastructure. First of all, they see huge risk in the voting infrastructure, not just ‘is it digital voting, or is it paper plus some digital process?’ Then when they asked them what parts, it’s the software-driven parts…that’s where cybersecurity professionals have seen risks.”
He believes that, when it comes to election cybersecurity, the scope must be widened, with the software that underpins the voting infrastructure an area of concern:
“That’s more of hacking the democratic process than just what think about election hacking. Because then that’s the concern. When we talked about election hacking, you think about the day that people go to vote. It’s not what are the roles? It’s not how we collect the data, how we tabulate. So in that regard, the idea of election hacking, there’s concern that it’s a more narrow view that doesn’t give the whole scope of the problem, what you really should be concerned about, because ultimately we’re concerned about protecting the democratic process. And then ultimately too the adversary is interested in subverting the democratic process.
“It’s really cool to look at hardware. But are we taking a look at the software systems? Are we taking a look at the systems that keep track of who voters are…Taking care of the systems that tabulate and communicate. That’s all software. It’s very different to the hardware machines and get the attention and most of the reporting about election vulnerabilities.”
As well as the technology behind voting, the election process also faces a more abstract threat in the form of the spread of disinformation via armies of bots on social media, which presents a unique challenge to the cybersecurity community:
“It also involves us as the organic side of voting too is, and we’ve seen that people can be manipulated…Some might have been surprised at the methods that Russia used in the 2016 elections. It was classic disinformation and classic psych ops. So that’s again what we have to think about is the methods don’t have to be the traditional ‘I’m going to hack a voting machine’.”
“This should be an area that gets real investment”
Last month, the US Senate announced $250m had been allocated to improving state election security. However, Bocek does not believe this will adequately address the problem:
“$250m, for example, in the US thinking about protecting the election process across 50 states across a whole bunch of different disparate systems. It sounds like a decent amount of money [but] it actually isn’t compared to what’s spent, for example, on defence. And I think this is whereas we move into the future, just aligning the priorities to cyber threats, which are going to more and more affect our everyday life.”
He also points to a shortage of cybersecurity professionals, particularly in the public sphere. Earlier this month at TechCrunch Disrupt SF, the assistant director for cybersecurity for Homeland Security’s Cybersecurity and Infrastructure Security Agency called the lack of cybersecurity professionals “a national security risk”. Bocek said:
“Unfortunately, they’re not as many of [cybersecurity professionals] as there should be. And then when you get into the public sector, there’s even less of us…The notion of hacking the democratic process, this should be an area that gets real investment and new incentives for the smartest minds, whether they’re coming straight out of university, or later on. The NSA and GCHQ they know a little bit about that. So they know how to recruit really bright minds.”
Election hacking: “We’re still very much in the early stages”
Looking to the future, Bocek predicts that election hacking could take the form of more targeted attacks from “more logical actors”:
“Mounting an attack requires resources, requires a level of effort again, that then points back to a certain set of adversaries that would have completed it. So when we look to the future of election hacking, or influencing we’ll see smaller, targeted, and ones that are less attributable, and ones that create certain targeted impact versus broad chaos, for the more logical actors. So we see, for example, the likes of Russia entering, again trying to manipulate the elections, it’s most likely it won’t be en masse and we’ll be targeted places that lead to a greater outcome.”
In this high-risk landscape, what needs to be done to ensure that the integrity of future elections is not compromised by interference? Bocek believes that one solution could be the standardisation of election systems around the world. However, this comes with its challenges.
“The question one might ask is should we be standardising? So for example, in the EU should there be standardisation to try and bring a level of at least the way that the processes are operating and expectations to evaluate election systems so that they are standardised. That would then start to become a political question… embedded in the EU, there’s this idea that there is a state identity and state systems, whereas again, there’s national identities and national systems.”
Ultimately, as is the case with the private sector, an acknowledgement that the threat of cybercriminals and nation-state attacks is one that will not go away is key:
“We have to be very prepared. It’s a huge source and opportunity for adversaries to create that chaos to create concern and distrust, to cause responses. So I think first and foremost is that we have to learn that it has happened. It will happen as we move into more and more software-based world, there’s one certainty, I can guarantee you that in any government, we’re not going to go back to paper-based processes…So I think it’s that understanding that it’s happened, it’s going to happen again…it’s our ability to respond and to recover now, that’s as important or more important to preventing the breach.
“So for example, as we move into greater maturity around protecting the democratic process, it becomes then the ability to detect and respond in ways that are mature…In a democratic process, if there is a breach, if there is an incident. How can we bring back that trust and confidence as soon as possible? And those are things that haven’t been worked on at all. We’re still very much in the early stages.”