Since the 2016 US election, there have been murmurs about hacking elections. There are reports of hacktivists trying to compromise the ballot and rogue governments trying to control the outcome. But in a post-truth world, how much of this is legitimate? How much can we brush aside as fake news? If the recent controversial Iowa caucuses are anything to go by, we are definitely at risk.

Sometimes bad actors also hack other criminals to use their network and hide their true identity. Recently, this was the case when a group of hackers from Eastern Europe compromised the network of elite Iranian hackers. In this scenario, governments and private companies in the Middle East and Britain were attacked while Tehran was set up to take the blame.

So it begs the question, in the current threat landscape, what does it mean to hack an election?

Election hacking defined

Hacking an election can mean different things to different people. For the most part, election hacking can refer to the physical hacking of voting machines or aggressive social media campaigns designed to manipulate public opinion.

According to David Emm, senior security researcher at Kaspersky Lab, “the term ‘hacking’ often gets used loosely to refer to different attempts to interfere in elections. These include using social media to try and shape opinions or stealing data held on compromised computers to try and shame political figures, as well as tampering directly with machines used to manage the voting process.”

Mateo Meier, the founder and CEO of Artmotion, a cloud security company, agrees that “threat actors will use all available tools at their disposal to hack the outcome [of an election]. So it’s always likely to be a multi-pronged approach rather than a single data breach during election season.”

In recent years, governments have made some serious accusations, and researchers have demonstrated how vulnerabilities in voting machines can be targeted.

“Such vulnerabilities have also been seen in the real-world, with NSW election results being challenged over [the] iVote security flaw. Yet, it’s difficult to gauge the impact a successful real world attack would have. This would depend on the scale of an attack (which might itself depend on how widespread the use of a particular device is across a country and the numbers involved in any given situation),” Emm added.

David Klein, senior director of cyber security at Guardicore and a former US Government agency contractor who worked with several government agencies, Congress, and the Executive Office of the President, suggests a third approach to election hacking.

“Gaining access to campaigner or party laptops and servers to glean or manipulate data. For as long as politicians and their parties have used computing, there have been attempts by state actors to exploit [it],” he said.

Klein states that these exploits fall under two categories, namely, covert and overt operations. “Most of the time, this is done in a covert fashion to understand how the party in question operates and is thinking in order to find weaknesses in strategy and in people. Hacking isn’t merely done electronically but also incorporates the older forms of espionage, seeking to blackmail, bribe, or thwart key individuals.”

Overt, on the other hand, “seek[s] information that the nation-state subsequently releases — under false flag premises to manipulate the election outcome. The false flag is an essential portion of these techniques and takes some real panache. In some cases, the state actor is caught red-handed but denies being the source. Those that utilise proxies (often multiple in a chained approach) tend to do better, attribution being hard to pin on them.”

Nation State hacking: a long history?

Among the many scandals the pervaded the US election, the notion of state sponsored hacking was a theme that dominated candidate rhetoric and media coverage the most. Read here

Voting machines hacking

“According to the security researchers, the voting machines could most easily be hacked on location, meaning that corrupt officials with access to the machines could potentially install exploits or tamper with the voter registration in those machines to alter the outcome of the election,” said Ray Walsh, researcher, reviewer and journalist at ProPrivacy.

“In addition, the researchers have stated that if officials make mistakes or purposefully tamper with machines to allow remote access, those voting machines could be accessible via the internet in order to interfere with the election process from afar. This is concerning, because in some states majority leaders are purposefully blocking bills that would mandate that all voting machines must be patched with security fixes. This would seem to serve as circumstantial evidence that political parties intend to make use of current security flaws present in those machines.”

Klein added, “most surprising, even to me, is the Senate Intelligence Committee concluded mid-2019 that election systems in all 50 states were targeted by Russia in 2016. It’s an effort more far-reaching than previously acknowledged and one largely undetected by the states and federal officials at the time. Unfortunately for us, most of the details are still classified, so we don’t know to what extent nor how it affected the outcome.”

However, what’s unsettling is the fact that nothing has been done to mitigate the risk of election hacking. “According to researchers who purchased a number of different voting machines on eBay in 2019, they found ways to hack into every single model either due to poor encryption or weak default passwords. The Def Con researchers have noted that these are the same voting machines that will be used during the 2020 elections, meaning that the Presidential elections are again susceptible to election machine hacking,” said Walsh.

Cyber populism: is social media damaging democracy?

In a talk at Chatham House, a panel of experts discussed the growing problem of the manipulation of information on social media. Read here

Social media hacking

By now, you have probably seen the popular Netflix documentary, “The Great Hack,” and know all about Cambridge Analytica and their activities. In this scenario, Facebook user data was scraped, analysed, and those deemed the most impressionable were bombarded with (real and fake) advertisements to swing the vote.

Millions of fake social media profiles and impressions were also used to manipulate the outcome. According to Klein, “social media manipulation has proven to be a very powerful [tool] and appears to be an influencing technique that is frequently replicated. Russia used similar social media manipulation in Ukraine’s 2018 election as well. And if we look too at the most recent national elections in Germany, a minority, and somewhat unpopular German far-right party named AfD (Alternative for Germany) was able to command the majority of interactions on Facebook.”

He added, “in investigating the traffic, cyber investigators found a network of over half a million fake Facebook accounts, most originating from outside of Germany. While still a minority party, many believe that their bot accounts, with high volume posts of sensational material that got strong emotional reactions, led to an unprecedented 12.6% of the German popular vote.”

This is similar to what happened four years ago. “The 2016 Presidential campaign also saw online social media platforms being used not only to exaggerate the turn out at Republican rallies for Donald Trump but also to spread misinformation about the state of Hillary Clinton’s health. Among other things, hoaxed footage was disseminated in which Hillary Clinton was made to look like she was having a stroke and passing out,” said Walsh.

He added, “this kind of fake footage helped to create a viral campaign in which Hillary Clinton’s suitability to run the country was brought into question. That footage and conspiracy information was disseminated rapidly using the hashtag #HillaryHealth. This is an example of how the media and online platforms can be exploited to rapidly spread misinformation that stands to ‘hack’ the outcome of an election.”

The Great Hack: are data scientists becoming the new bond villains?

The Netflix film the Great Hack illustrates why data could be the new weapon of mass destruction of the fourth industrial revolution and why, if they are not careful, data scientists will become the new Bond Villains. Read here

Covert and overt hacking

Covert and overt hacking techniques can be deployed to manipulate the outcome of an election by an individual, group, or nation-state. When everything is connected, even a minor vulnerability can be exploited to compromise data and manipulate it for nefarious gains.

According to Walsh, “in the run-up to the 2016 US Presidential elections, a hacker going by the name Guccifer 2.0 released a cache of documents purportedly stolen from the DNC and Hillary Clinton.The contents of those documents, and the press they generated, served to damage Hillary Clinton’s image and reputation in the lead up to the ballot, thereby helping to sway people towards voting for Donald Trump. Following the elections, it was found that many of the documents that were released to WikiLeaks by Guccifer had been purposefully faked and mixed in with real documents to create a coordinated misinformation campaign.”

How do we protect our elections and democracy?

What will increase our risk exposure to a compromised election will be voting machines provided by a single vendor. If the voting machines are entirely electronic without supporting paper ballots, it will be considerably easier to hack. So the government needs to take steps to mitigate this issue.

Securing our elections and protecting our democracy also starts at home. As citizens, we all have a role to play in the current threat landscape. According to Meier, “we live in a highly connected world, and we can’t afford to just unplug and disconnect. This makes cyber security every citizen’s responsibility.”

He went on to add that “encryption of sensitive information and strict adherence to cybersecurity best practices should become a way of life for all citizens, not just politicians, and government agencies.”

Beyond cyber security, there also needs to be legislation and reforms to help curb the spread of misinformation. For example, social media platforms, rogue governments and criminals that exploit them have to be held accountable. There have to be consequences for such security events where the damage can be far-reaching.

“Government agencies and political parties need to start taking security seriously and hire security experts to help them. While this approach isn’t fool-proof in a rapidly evolving threat landscape, it will help government agencies identify and respond to breach quickly,” said Meier.

The fight to save our democracy is real, and it starts with cyber security. As citizens, we should all be alert to deep fakes and be alert to trolls and social media manipulation.

“As an individual involved in your country’s elections at any level, ensure you and those around you are vigilant and follow good cyber security hygiene. In [the] research I’ve done in the past two years, I’ve found that even the state actors start with ‘low hanging fruit’ in trying to break in. This means the ways we can protect ourselves is often surprisingly easy,” stated Klein.

“Keeping an eye out for spearfishing, keeping your software up-to-date, or well patched and following your team’s security protocols… Finally, be the educator: let others know about the above. Spread the word so that we all become more aware, and so maintain a trustworthy election system,” he advised.