That foreign nations will attempt to interfere with the U.S. 2020 elections is a given.
Special Counsel Robert Mueller indicted 13 Russian individuals and three Russian organizations for interfering in the 2016 elections. There is also evidence, although less pronounced, that Russia interfered with the UK’s Brexit referendum in the same year. The purpose is to sow discord and mistrust deep within the political system with little fear of any kinetic response from the targets.
The long-running Mueller investigation, with the continuous rumors of Democrat desires to impeach the President in the U.S., and the current state of the British parliament both confirm the efficiency of this approach. The UK is embroiled in a constitutional crisis (described by the Speaker as a ‘constitutional outrage’). The current prime minister plans to shut down parliament, apparently denying elected members the ability to question or prevent his own plans for Brexit.
In recent months, both China and Iran have also been censured for attempting to use methods similar to the Russian approach to influence western public opinion.
The question now is not whether there will be foreign attempts against the 2020 elections, but what can be done to protect the vote.
Defending the American vote is not easy – it must be protected from foreign influence and from internal individuals and groups with a political persuasion. There are two primary threat vectors: public opinion that can be influenced online, and the voting process itself.
Much has been written about the first. The primary defense is for the media used in such campaigns to recognize and block manipulation campaigns – and companies like Twitter and Facebook are making efforts to do this. However, there has been a new development in socially engineering voter intentions since 2016 – the emergence of deepfake videos.
Protecting the vote itself is a more complex problem, with numerous factors founded in the move to electronic voting. These include aging and vulnerable voting machines with no paper audit trail, voter registration databases stored online, and even the potential to disrupt the physical ability to cast a vote. This is aggravated by a state-level desire to maintain autonomy over their own elections without accepting federal assistance (seen as interference); and an electoral system that leads to results depending on a few localities in a few critical swing states.
Fake news and deepfake videos
Fake news and disinformation are created and spread through fake Twitter and Facebook accounts, politically motivated advertising, and misleading articles in state-run news outlets (such as RT and Sputnik for Russia, and the Xinhua News Agency for China). However, the threat is no longer limited to national governments. Far right organizations have become more politically active throughout the U.S. and Europe. Indeed, F-Secure research found that extensive attempts to maintain pro-Brexit feelings in the UK and to influence the European elections both primarily emanated from right groups in Europe and the U.S. rather than from Russia’s Internet Research Agency (IRA) tweet factory.
Such international and intranational attempts to influence the 2020 elections will undoubtedly continue. The primary defense against them will be blocks at the social media level. However, the recent emergence of deepfake videos (which can very accurately put false words apparently into the mouths of politicians, commentators and industry leaders) is a new development.
We do not know to what extent deepfake videos will be used to influence public opinion ahead of the 2020 elections. It is worth noting, however, that criminal developers of deepfake technology currently outnumber those working on detection by about 100 to 1. ZeroFOX is one vendor looking at detection. “If deepfake campaigns are used in large scale influence operations,” commented Matt Price, principal research engineer at ZeroFOX, “they are more likely to be done by nation states; and nation states normally have a lot of resources at their disposal — almost certainly more than a commercial defender.”
The vote itself is delivered through electronic voting systems. These machines and their software tend to be old, unpatched, and easily hacked. The actual threat from hacked voting machines is, however, difficult to quantify. “The likeliness of this occurring is minimal and has low risks,” comments Joseph Carson, chief security scientist at Thycotic, “due to the need to gain physical access.”
Matt Rahman, chief operating officer at IOActive, has a slightly different take. “There is a supply chain and its integrity issue here,” he says. “Diebold was one of the major manufacturers of electronic voting systems. They got acquired by Dominion, in Toronto. Some of the software and hardware components are developed in eastern Europe. We need to look at supply chain integrity, end to end.” In other words, without better security of and scrutiny over voting machines and their integrity, it is difficult to be certain they do not contain backdoors for foreign attackers.
Nor should we ignore the insider threat from someone with physical access to the machines, and a desire to benefit one party over another. This concern is aggravated by the difficulty in verifying an electronic vote. It is effectively impossible for a voter to be certain that the candidate chosen is the candidate that receives the vote.
Parham Eftekhari, executive director at the Washington, DC-based Institute for Critical Infrastructure Technology (ICIT) think tank, believes that part of the problem is a simple commercial issue. Looking at this from a purely business perspective, the election sector is tiny. “One of the challenges that exists,” he said, “and why there hasn’t been much focus on this historically, is that from a dollars and cents perspective the election sector is not a very large industry compared to something like the defense industrial base or the financial sector.”
Current supply chain threat analyses are focused on the big industrial sectors – such as the Department of Defense, the world’s largest defense buyer, beginning to impose supply chain conditions on its suppliers. “I think the election sector needs to focus on this as well,” continued Eftekhari, “and I think that it can actually look to some of the best practices and lessons learned and programs that are coming out of the other sectors and learn from them.”
Perversely, while the U.S. market for voting machines is limited to just 50 major (state) customers, it is a major purchasing outlay for the individual states. Concern over voting machines and voting in the state of Georgia following the 2016 election was so great that the state was taken to court to prevent the continuing use of its existing stock of direct-recording electronic (DRE) voting machines that have no means of auditing the votes cast.
In mid-August 2019, the court ordered that Georgia could no longer use these machines beyond 2019. This was expected, and the state had already placed a $107 million order on July 29 for replacement systems. On August 19, days after the old systems were banned, a new petition was filed to prevent use of the new systems (now provided by Dominion). The key point of the new complaint is similar to that of the old one: the voting machine results cannot be audited, and voters cannot be confident that their vote has been correctly counted.
To put this in perspective, this one order for machines from Georgia cost $107 million. In 2018, Congress set aside just $380 million “to support equipment purchases and security enhancements to election systems.”
“It needs to be considerably more,” says Eftekhari. He believes the biggest need is to get ‘trust’ back into the electoral system. “There’s been enough finger-pointing. We need to change the tone from finger-pointing to just holding each other accountable; but also let’s come together, let’s understand what the common objectives are, focus on common goals, focus on love of democracy and freedom, and see what we can do to get it done.”
The Open Source Election Technology Foundation (OSET) is one potential route. This is a non-profit, non-partisan organization that is building what it describes as “An open, adaptable, flexible, full-featured and innovative elections technology platform called ElectOS.” By making it open source, it can be trusted. By providing the software free of charge, it can be affordable. And its purpose is to provide what Eftekhari is seeking: to put trust back into the act of voting.
Voter registration databases
Despite widespread concern over the security of voting machines, they are not the most vulnerable area of the election process. That distinction goes to the voter registration database. This database of eligible voters throughout a state has multiple uses – not the least of which is to tell voters where and when they should vote.
States have improved the security around these databases; but an example of what could happen occurred in Georgia. In late August 2016, the Georgia voter registration database and more was discovered online and unsecured. “Cybersecurity researcher Logan Lamb accessed files hosted on the elections.kennesaw.edu server on the public internet, including the voter histories and personal information of all Georgia voters, tabulation and memory card programming databases for past and future elections, instructions and passwords for voting equipment administration, and executable programs controlling essential election resources.”
Richard DeMillo, director of Georgia Tech’s Center for 21st Century Universities, told SecurityWeek, “If I were a hacker trying to affect an election in this state, that’s where I would start. Because once you have access to those databases, you can, for example, on election day send people to the wrong polling stations. I actually think that this is a line of attack that people haven’t looked at which has to do with simply changing contact information for voters.”
Joseph Carson agrees with this analysis. The voter database, he commented, “is where an attacker would be more successful in being able to compromise or impact a nation’s vote, by determining and manipulating the voter data.” The additional PII within that data is also useful in influence campaigns. “By knowing the personality of a voter,” he added, “you can use that data to abuse and create distrust. Poor access controls and lack of privileged access management to voter databases leaves many of them unprotected and simply one wrong click by a campaign employee could mean the database is exposed.”
In the Georgia instance it is unknown and unknowable whether any foreign nation accessed or even altered the voter records. When the database was eventually taken down, several months later, the access logs were also destroyed.
However, the threat to voter registration database security isn’t just from foreign nations, but also from local political activists. In October 2018, Anomali reported that around 35 million voter details were available on the dark web. There was no suggestion that this was part of an attack against elections. However, Anomali commented, “Given the illicit vendor claims of weekly updates of voter records and their high reputation on the hacker forum, we assess with moderate confidence that he or she may have persistent database access and/or contact with government officials from each state.”
Swing states and the ability to vote
One common misperception is that the U.S. is so large and populous that it would be almost impossible to affect the outcome of a presidential election. This view is wrong. “The way the electoral college works,” explains Eftekhari, “a presidential election is ultimately determined by a few states; and by just a few counties and precincts within those states.”
These are the ‘swing states’, where the political demographics are so finely balanced that just a tiny swing in voting from one direction to another can determine the outcome of the vote for the whole state. Controlling the outcome in just five states could change the result of the election – potentially, it could even come down to just a single state.
“So,” he continued, “if there were a sophisticated, well-funded adversary, like a nation state, that did want to influence or manipulate or attack our elections, they wouldn’t have to target machines across all 50 states and thousands of precincts – they would just have to target a handful of localities.”
This could easily be achieved if the attacker has access to the voting machines, perhaps through a back door. It could also be achieved if the attacker has access to the voter registration database with the ability to remove voters from certain districts or send them to the wrong polling station. But if neither of these options is available, there are still other methods.
Consider the recent coordinated ransomware attack on 22 towns in Texas. This was unusual. Recorded Future’s Allan Liska commented, “it may be the first time that we’ve seen a coordinated attack.” Another surprise is that the attacks did not attempt to damage each town as a whole, but appeared to target certain agencies in all 22 towns rather than the entire government computer systems.
What if this was not a standard ransomware attack? The world has already seen ransomware used as a weapon — probably with WannaCry and almost certainly with NotPetya. So, what if this was really a test of the ability to deliver a weapon to multiple localities simultaneously? What if the ultimate target is not financial, but the ability to limit people’s ability to vote in pre-defined localities within certain swing states?
“I think that what they’re doing right now with the ransomware capabilities,” says Matt Rahman, “are a precursor to things that could come in the future, so I think that there is a correlation some way, somehow. I don’t think we have connected those dots, but I do feel in my heart — and I’ve been doing cybersecurity for close to 30 years — there is some correlation to that.”
Even if the Texas attacks are pure criminal ransomware, they will have alerted foreign nations to the possibility of using ransomware as a weapon within elections — but it would be naive to think they were unaware. It has certainly drawn a rapid response from the U.S.
Reuters reported on August 26, 2019, that the government will launch a program in September 2019 designed to help states protect their registration databases from ransomware. “These systems,” reports Reuters, “which are widely used to validate the eligibility of voters before they cast ballots, were compromised in 2016 by Russian hackers seeking to collect information. Intelligence officials are concerned that foreign hackers in 2020 not only will target the databases but attempt to manipulate, disrupt or destroy the data, according to current and former U.S. officials.”
But the potential for targeted disruption goes beyond the databases. For example, taking out transport systems in specific localities would not prevent the vote, but could limit the voting opportunities in certain locations and among specific political demographics. Coordinated ransomware attacks within swing states could potentially alter the outcome of the state vote – and through the electoral college system, affect the choice of president.
The difficulties in securing accurate and free elections in the U.S. are multiple and complex. Voter registration databases need to be secure. But they also need to be online, and are therefore insecure.
Voting machines need to be secure. But many include hardware and software components manufactured abroad, and there has as yet been little investigation into supply chain security. Many do not have the capacity for adequate vote auditing, meaning that voters are ultimately unable to confirm that their vote was delivered to the chosen candidate.
Voters must be free to vote according to their own beliefs; but fake news and disinformation (both organic and inorganic) are rife on social media. Deepfake videos and audio messages are an unknown quantity – but one good deepfake video would have the potential to destroy a political candidate’s good name and reputation overnight.
The importance of swing states to the final outcome means that attackers can focus efforts on just a few localities within a few states.
“The recent ransomware and other sophisticated attacks targeted towards our cities and municipalities are an effort by the adversary to test our defensive mechanisms and preparedness,” concludes IOActive’s Rahman. “For the 2020 presidential elections, I would recommend prioritizing cyber and physical cyber defenses for the electoral college states first. While we are bolstering our cyber defenses, let’s not forget the insider threats as well. Sixty to 70% of attacks are a combination of a trusted insider working with an outsider.”