This year, more global voters will head to the polls than ever before, with 50 countries holding national elections. Davey Winder takes a look at the cyber vulnerabilities threatening to disrupt and undermine democracy.
More than two billion people, including UK and US citizens, are set to head to the polls this year, which invites plenty of speculation about the security of the voting process.
In the UK, we have already seen the move to require an official form of photo identification for voters participating in local council elections. In the US, the fallout from the Trump 2020 ‘Stop the Steal’ vote-rigging-gate is as loud as it ever was four years ago.
It’s all too easy to write these things off as over-enthusiastic electioneering, but here’s the thing: without robust protections to ensure the integrity of any election, wherever in the world it is held, speculation about political impropriety will grow. And, as we saw following the 2020 US election, that can lead to disorder and violence.
So, it’s more important than ever that security, including cybersecurity, issues are addressed transparently and effectively. The so-called CIA Triad of security, ‘Confidentiality. Integrity. Availability’, is precisely what we want from our electoral processes. Unfortunately, that is easier said than cyber done when the risk profile includes AI, disinformation, malware, ransomware and hackers.
And the survey said…
Perhaps it’s no wonder that when the Center for Digital Government, a US national advisory institute focusing on technology policy in state and local government, surveyed 130 local government leaders, the results were not reassuring. The survey, carried out for security operations specialist Arctic Wolf, found more than half weren’t adequately prepared for cyber incidents targeting the US 2024 election.
Additionally, 47% of respondents expected an increase in election cyber attacks compared to 2020, and 36% cited inadequate cybersecurity budgets as a major concern. The research concluded that the US government is underprepared and under-resourced for the 2024 Presidential election. It is, therefore, imperative to understand where the real cyber threats lie if election infrastructure and integrity are to be adequately protected this year.
Malware and ransomware
So, where do we start? Well, malware and ransomware are as good a place as any, given they are the two biggest threats facing almost any organisation today. In some regards, securing an election is no different from securing your business; it’s just that the stakes are higher. This is the biggest year for democracy in human history, with over two billion people going to the polls, which leaves the door open for cyber criminals, and nation-states for that matter, to leverage the interest around these elections.
“It is entirely possible we will see malware and ransomware campaigns – possibly with nation-state affiliations – targeting specific areas of campaign infrastructure across the political spectrum,” says Jess Parnell, CISO at threat intelligence experts Centripetal, citing “phishing emails using the election as a springboard for cybercriminal activity.”
The response from an election perspective is no different than for any organisation: adopt a proactive cybersecurity stance, engage intelligence-powered solutions, and get the basics right. The reconnaissance phase of many ransomware attacks will encompass scanning for weaknesses to gain entry to a network or resource: unpatched vulnerabilities, open-source intelligence (OSINT) gathering, and targeted phishing expeditions. Basic security practices of patch management, multi-factor authentication, social media policy, awareness training, and so on go a long way to mitigating risk.
AI, deepfakes and disinformation
Mitigating some of the most disturbing threats to elections means getting to grips with artificial intelligence, something that cannot be ignored in the threat landscape today. Disinformation is increasingly being created by employing deepfake technology driven by AI. The evolution and availability of open-source AI tools have made it easier to promote false narratives and deploy those deepfake creations across multiple campaigns. That’s the concern of Dan Schiappa, CPO at Arctic Wolf. “Despite being falsified, these deepfakes can quickly gain traction on social media and sway public opinion during elections, either for or against candidates,” Schiappa says. And with a seemingly endless supply of AI-generated content, these campaigns can continue over months. There is little real irony in the fact that AI can also be used on the defensive side of the disinformation fence to detect bots and fake accounts on social media and spot deepfake video or audio content online.
Adam Pilton is a former detective sergeant who investigated cybercrime at Dorset Police and a cybersecurity consultant at CyberSmart. He told Assured Intelligence that candidates, policies, and voting procedures will undoubtedly receive false, misleading, or manipulative treatment online this year. But that doesn’t necessarily mean thinking beyond the boundaries of basic security best practice. “Security leaders should consider how their platforms could be maliciously used and not only consider ways to prevent this,” Pilton says, “but also allow users to report such misuse so that its impact can be reduced.” Doing so effectively cuts off one distribution route down which disinformation travels.
Then there’s the good old test and verify mantra, which applies to stored data that could be used to target voters, election officials or infrastructure used during the election. Implement strong passwords, MFA, the principle of least privilege and so on. Even simpler, we shouldn’t ignore daily security admin tasks. Questions need to be asked about who can access data, whether those access controls are correctly configured, and even whether a ‘Joiners, Leavers, Movers’ process has been implemented. That last point matters: not updating all access controls when someone takes a job, leaves a job, or is promoted is “often overlooked and can lead to insider threats, a rising attack vector,” Pilton warns.
Know thine enemy
Knowing what the threat looks like is the first step to identifying it. This is why it’s so crucial for security leaders to work collaboratively with election authorities, social media platforms, and the public to mitigate these cyber threats and safeguard the integrity of forthcoming elections. As such, Pilton says that security leaders must prioritise their efforts to prevent and defend against the most realistic threats that face them and their organisations. “This should be evidence-based and form part of a considered risk assessment,” he concludes, “as opposed to being influenced by the hype these elections are creating and which we will continue to see.”
Election cyber threat red herrings: voting machine hacking
It is just as important to know where not to invest resources as it is to identify the most pressing threats. That’s a given across any strategic cyber posture, including those that look to defend the election threat landscape.
There can be no more overhyped threat to election integrity than the supposed compromise of voting machines, which has dominated the news cycle since Trump lost the 2020 US election. “I think we might see red herrings about voting machines being hacked,” says Paul Bischoff, a consumer privacy advocate at Comparitech. “This non-issue was brought to light after Fox News allegedly defamed Dominion Voting Systems, resulting in Fox paying a $787 million settlement. Although it’s possible to hack a voting machine, and voting machines can make mistakes, the chances of widespread tampering or flaws that affect multiple voting machines are minimal, especially when backed up by paper ballots.” Adam Pilton agrees, arguing that while “direct hacking attempts of voting infrastructure is likely to happen, these are unlikely to be successful. Any success will likely come from indirect attacks, impacting the people and technology surrounding the true target.”