A Web of Vulnerability? Cyberattacks and the US election
Carilee Osborne explores the possibility of cyberattack tactics during the US presidential campaigns and election
On 22 July 2016, during a crucial time in the US presidential race, anti-secrecy organisation WikiLeaks released nearly 20,000 emails hacked from Democratic National Committee (DNC) servers. The emails showed committee members making derisive comments about presidential candidate Bernie Sanders and were widely perceived as confirming the DNC’s preference for Hillary Clinton.
The timing of the leak was no coincidence; WikiLeaks founder, Julian Assange, had made clear in an interview six weeks earlier that he had obtained emails which he hoped would harm the Clinton campaign. The event was not a one-off occurrence either; subsequent leaks of Clinton’s emails and those of her campaign manager have raised fears that outsiders are trying to influence the US election.
US officials and cyber experts have insisted that Russian hackers are behind these attacks, voicing concern that this type of interference will persist and intensify through to the 8 November presidential election. Broadly speaking, such a threat could manifest in three types of cyberattacks: theft, disruption or disinformation.
Traditionally, most hacking has involved theft of information. While cyber theft for political gain is not a new phenomenon, the tactic has evolved significantly. During the Cold War, hackers would covertly steal information on opposition candidates, enemy states or allies. The stolen intelligence was for use by a relatively small group of people: campaign managers, and government or security officials. However, with the creation of WikiLeaks and similar whistleblower groups, there has been a shift in strategy; hackers no longer steal data solely to hold it ransom or to help a particular group of people. Rather, information is stolen to release publicly in an attempt to influence opinion on particular candidates, parties or issues.
Similar efforts to influence voter behaviour are evident in disruption tactics, the second type of cyberattack. Such tactics typically make use of Distributed Denial of Service (DDoS) attacks, which serve to make an online service unavailable by flooding it with traffic from various sources. In this way, they prevent publication of and access to crucial information, as was the case in the 2016 Montenegrin election, which saw access to multiple government sites disrupted on voting day.
Perhaps the most innovative tactics are those that fall into the third category of cyberattacks: disinformation. This involves various tactics, including covert data alteration, in which a hacker penetrates campaign computers and imperceptibly alters data, rather than simply stealing it, deleting it or holding it for ransom. In this way, hackers can unfavourably influence a campaign using false information, but also limit the confidence a campaign has in its own data collection. A less nuanced but no less effective tactic involves injecting disinformation into news cycles. With new technology, especially social media, this tactic has the potential for mass disinformation. Hackers are able to bombard news cycles and social media platforms, like Twitter, with information that actively seeks to interfere with political campaigns. Hackers also generate fake Twitter profiles, or ‘bots’, in order to create waves of enthusiasm or negativity for particular candidates or for particular issues.
This strategy was used in 2016 during debates in Sweden on whether the country should enter into a partnership with the North Atlantic Treaty Organisation (NATO). Social media platforms were flooded with inaccurate information regarding the implications of membership, including claims that NATO would stockpile nuclear weapons in the country, and that soldiers would have immunity from criminal prosecution in Sweden. These claims spilled over into traditional news media and the defence minister found himself questioned on the false claims in public appearances across the country.
Disinformation strategies tap into indications that some voting populations increasingly distrust expert opinion. This threat is being taken seriously by European governments and NATO, both of whom recently set up special agencies to identify and counter disinformation campaigns, particularly those emanating from Russia.
Such strategies have the potential to have major impacts on the US ahead of the election. The international media has focused predominantly on indications that the Democratic campaign has been most affected by email leaks, implying that hackers are trying to ensure that Republican candidate, Donald Trump, gains the presidency. However, cyberattacks run the risk of a more subtle and pervasive effect: that citizens will no longer trust the results of the election, believing that their vote had not been counted, or that votes are being manipulated. This, in turn, is likely to undermine public faith in the state’s ability to successfully carry out basic democratic processes. The erosion of citizens’ confidence in the electoral system, and democracy more generally, illustrates the enduring risk of cyberattacks to breed crises of public confidence.
This concern is exacerbated by the possibility that hacking will move towards large-scale interference with election infrastructure, such as electronic voting or data-capturing machines. Two recent attacks in the US underscore this threat. In the state of Illinois, the voter registration system was shut down for 10 days in July 2016 after hackers downloaded the personal data of nearly 200,000 voters. A previous attack in Arizona in June 2016 did not result in stolen data, but involved the introduction of malicious software into the voter registration system, also disrupting the system for nine days. Evidently, both theft and disruption can be used against physical infrastructure.
Researchers and cyber experts have pointed to existing vulnerabilities in election infrastructure for more than a decade, with particular focus on electronic voting machines. Princeton professor Andrew Appel demonstrated in August 2016 how to break into the Sequoia AVC Advantage electronic voting machine – used in several states – in a matter of minutes. Appel replaced the four memory cards with his own in such a way that the tally of votes would be altered without a voter knowing. Argonne National Laboratory achieved a similar result working remotely in 2011.
One of the challenges in preventing cyberattacks on US electoral infrastructure stems from its complex and disparate voting system. There are over 8,000 jurisdictions involved in the electoral process. Most of these jurisdictions use different types of machines and employ different ways of collecting, tallying and reporting votes cast. As such, no single prevention strategy is sufficient to maintain countrywide electoral integrity. In addition, there are multiple points at which an attack can take place. Voting machines are clearly vulnerable but, as Arizona and Illinois illustrate, registration systems are also susceptible, and attacks may result in fraudulent voter information, improper voter registrations or fake votes being cast. However, government officials claim that the complex, decentralised nature of the system is actually a form of protection, because there is no central system that can be infiltrated.
While some cyber experts are working on more sophisticated ways of collating votes, others worry that the more abstract these processes become, the more likely they are to undermine citizen confidence in the system. This election has already seen Trump claiming a rigged election weeks before the vote takes place. Consequently, the greatest threat from cyberattacks may not come from stolen or manipulated information itself, but rather from the resultant weakening of public confidence in key state institutions.