Democracy at Risk from Poor Cybersecurity, Foreign Interference: Survey

Survey Shows Distinct Voter Concern for Elections and Cybersecurity

For more than a year, a single thread has dominated American news: foreign interference in US elections. It started in June 2016 in the run-up to the 2016 presidential election, when the Democratic National Committee (DNC) announced it had been hacked, and CrowdStrike accused Russia-based Cozy Bear (APT 29).

Since then, the ramifications have rarely been out of the news. In October 2016 the U.S. government formally accused Russia of being behind the cyberattacks, and by December it became known that the CIA believed that "Russia intervened in the 2016 election to help Donald Trump win the presidency, rather than just to undermine confidence in the U.S. electoral system," The Washington Post reported.

Since then, emphasis has switched to questioning the extent to which the Trump electoral team may or may not have known about or colluded with Russia in order to win the election; and whether it has or has not attempted to hinder or subvert subsequent law enforcement investigations. This has continued throughout 2017 until Wednesday this week when Rep. Brad Sherman (D-Calif.) formally introduced an article of impeachment against President Trump.

The article of impeachment revolves around Trump's dismissal of FBI director James Comey, allegedly to hinder the FBI's investigation into former National Security Advisor, General Michael Flynn. "In all of this, Donald John Trump has acted in a manner contrary to his trust as President and subversive of constitutional government, to the great prejudice of the cause of law and justice and to the manifest injury of the people of the United States."

The huge and apparently unending ramifications of what started as just another cyber hack have caused cybersecurity firm Carbon Black to wonder what effect the cyber element has had on the American electorate. In June 2017, it conducted a nationwide survey (PDF) of 5,000 eligible U.S. voters, with particular reference to the upcoming 2018 midterm elections.

In an associated blog post Carbon Black CEO Patrick Morley commented, "In perhaps the most startling revelation from the survey, 1 in 4 voters said they will consider not voting in upcoming elections over cybersecurity fears."

In reality, this figure is easily covered by existing non-voters. Only approximately 57.9% of voters voted in the 2016 election, down less than 1% from the 58.6% that voted in 2012. So, while 25% of voters now say they may not vote in the midterms, this may have no effect on the actual voter turnout.

A second area where the obvious conclusion may not be the accurate conclusion can be seen in 'voter perception on election influence'. According to the survey, "47% of voters said they believe the 2016 U.S. election was influenced by foreign entities." However, there could be a strong element of 'sore loser' in these figures. There is an aspect of tribalism in political affiliation -- some people will always vote for one particular party simply because of tribal affiliations. 

It is estimated that 48% of the electorate voted for Clinton (slightly more than the estimated 46% who voted Trump). There will be a strong incentive for the losing 48% to blame their loss on external causes -- and that could account for a large proportion of the 47% of responding voters who told Carbon Black that the result was influenced by foreign entities.

Despite not being able to definitively relate current sentiment to a past or future threat against electoral democracy, the Carbon Black survey nevertheless shows distinct voter concern for elections and cybersecurity. Several of the survey queries are unambiguous, and the results can be taken at face value. Forty-five percent of voters believe that Russia poses the biggest cybersecurity risk to U.S. elections. Of the remaining 55%, "20% said the United States itself; 17% said North Korea; 11% said China; and 4% said Iran. (3% answered 'other.')" notes the report.

Fifty-four percent of respondents "said the NSA leaks negatively impacted their trust in the U.S. election system to keep data safe;" and 44% "said they believe Russia will 'Be back' to influence future elections."

Carbon Black concludes, "Cyberattacks against our elections seed doubt in democracy. The idea that even a single voter is willing to forfeit their vote in fear of a cyberattack is startling. The fact that 1 in 4 voters said they would be willing to do so speaks volumes about how deeply this doubt has penetrated. The alleged cyberattacks surrounding the 2016 elections were a clarion call that foreign entities are motivated to disrupt U.S. elections." More starkly, it adds, "Our democracy is at risk."

Reality is probably not as extreme as this suggests. Political sentiment polling is very difficult, and Carbon Black has failed to eliminate 'other causes' in some of its questions. It might, for example, have been better to question 5,000 eligible voters who had actually voted in 2016 to get a more accurate picture of future voting intentions.

Nevertheless, it is clear that there is strong voter concern over the future of elections and cybersecurity. The report makes five proposals designed "to help restore voter confidence." The first is to implement stronger cybersecurity protection for online registration systems and voter databases. The second is to limit (or discontinue) the use of electronic voting machines. The third is to create an auditable paper trail of votes in every state and precinct. The fourth is to prohibit online voting.

The fifth is arguably the most important. In January 2017, then U.S. Homeland Security Secretary Jeh Johnson said, "I have determined that election infrastructure in this country should be designated as a subsector of the existing Government Facilities critical infrastructure sector. Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law."

In its fifth recommendation, Carbon Black now calls for the government to "commit the same urgency and resources to protecting its elections as it does for 'traditional' critical infrastructure."

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.