As our election system modernizes, securing our democratic process has become a chief concern for both U.S. legislators and voters. Just last month, the House passed the SHIELD Act, which is focused on securing our elections. But that’s not going to be enough in an era when technology is turning out entirely new attack surfaces.
In 2016, the Pew Research Center put the number of electronic voting machines — also known as direct-recording electronic (DRE) devices — at 28%. The 2020 election cycle will likely show an uptick in that number. But attacking American voting booths is an obvious move, and attackers consistently follow the path of least resistance. In the case of election security, the weakest point today is critical infrastructure. It’s the framework that supports our modern democratic process, and it runs deep, from traffic light systems and mass transit to the way we receive vital news and information.
My team recently hosted a series of tabletop election hacking simulations that pitted groups of law enforcement professionals against hackers. The latest simulation, held November 5 in Washington, D.C., included participation from the FBI, the Secret Service, the Department of Homeland Security, the Arlington Police Department, and a group of former government hackers. In all of the simulations thus far, attacks on infrastructure vulnerabilities showcased both the massive disruptions that could occur and the defenses law enforcement can provide if they’re prepared. We found that key attacks always center on the areas of greatest vulnerability — and there are several to examine.
Disinformation campaigns (or fake news) were rampant in the 2016 campaign. These campaigns are organized, sophisticated, and fueled by the ubiquitous nature of the internet and social platforms that boost public engagement. Anyone can create a site or a social media profile and publish “truths.” Nefarious players, both foreign and domestic, took advantage.
We’ve held three simulations, and in every one the hacking team wielded disinformation campaigns. The cost of execution versus influence is quite favorable, which is why we saw this move universally used.
While we may now be wiser to this threat, there is no doubt it will persist in the 2020 election. It’s too easy for hackers to infiltrate social media or create a “news” site, and the rewards can be great. A strong defense requires open lines of communication between government departments, media sources, and social media companies. The government can only extend its capabilities so far without the support of the platforms upon which misinformation is spread.
Legitimate information channels
A rise in disinformation campaigns spurred fierce loyalty to “legitimate” sources of information, buoying engagement with news outlets, journalists, and influencers. This loyalty, combined with an increase in the number of people who get their news from social media, presents a clear opportunity for election meddlers. Social profiles are easily hacked, for example, creating an air of legitimacy that isn’t found with random account handles: You might not believe the information posted by some Twitter account, but you could be less likely to question it if it came from one of your favorite influencers or was a headline from your trusted news outlet.
In the 2020 cycle, it’s plausible that the social media profiles of journalists, influencers, or political figures will be the target of bad actors. Typically, these hacks are exposed quickly, but in an election setting where polls are open for only a number of hours, they can result in real damage. The best defense is a quick and collaborative response. Social media monitoring, communication between law enforcement agencies, and swift action are critical tools.
With each progressive simulation in our tests, law enforcement refined their defense execution, which indicates that the more law enforcement faces this threat, the more their knowledge and ability to defend against it grows.
The impact of deepfake videos has emerged in the last year. Nancy Pelosi and Mark Zuckerberg both fell victim to this technology, and it’s plausible that cyber attackers could use simulations to impersonate public figures to directly impact the outcome of an election. Imagine if you saw a segment from your local news anchor reporting closures at the local polls because of machine malfunctions on the morning of the election. Would you question whether that segment was doctored? Or what if a local police chief released a video of an accident blocking the polling station? Would you think it was a fake video or would you consider the traffic you might have to endure to cast your vote?
In our most recent tabletop simulation, the hacking team employed deepfakes for the first time. They developed and shared a doctored video of a candidate committing racial and domestic violence that the national news outlets in the simulation’s fictional town quickly picked up. Law enforcement in the simulation relied on direct communication with social media platforms to defend against this attack.
With the development of advanced technology, we must consider its consequences and ways to prevent its misuse and abuse. Should such a scenario come to fruition in reality, it could have an enormous impact on how ballots are cast, especially with little time to reverse the damage. The cooperation of social media platforms must not be underestimated.
It’s too early to consider autonomous vehicles as a major threat to the 2020 election, but in our tabletop simulations, we found that cities of early adopters face a heightened risk of hacking. In our fictitious town, hackers were able to gain control of 50 cars and five buses, directing them to crash into polling lines and polling stations and causing mass chaos.
Like a child walking unsupervised along the side of a road, new autonomous technologies enter a world with fast, dangerous traffic, and their immaturity makes them vulnerable.
For now, the most important course of action is to improve authentication, authorization, and trust models, in addition to developing strategies for dealing with massive DoS threats ahead of wide adoption. Attackers are undoubtedly building arsenals and optionality for all the tasks they will soon need. But the sincere hope is that security will be part of the conversation early and often as we re-architect and gear up in a more active cyber world. As we move toward a future of smart cities and smart vehicles, law enforcement training must develop alongside technology. Without education about smart equipment and the means for cooperation in the event of a crisis, we will be unable to adequately defend against attacks on this critical infrastructure.
A more plausible scenario for the 2020 election is disruptions to public transportation, particularly in large metro areas of swing states. A delay or default in the normal course of public transport could have a material impact on the outcome, simply because voters are demobilized.
In the end, adversaries have the advantage over the defender. They can take actions across a huge spectrum of possibilities, whereas law enforcement must work within the bounds of the law. While it is impossible for law enforcement to prepare for every scenario an attacker might implement, creative thinking remains critical to preparedness. As both law enforcement and voters gear up for next year’s presidential election, the best defense begins with awareness.
Roi Carmel is chief strategy officer at Cybereason.