“But what about her emails!”
It’s become an unfortunate joke now, but the 2016 presidential election was mired in a seemingly unrelenting string of scandals centered around personal online habits and cybersecurity. While opponents harped on about Hillary Clinton using her personal email for political use – and thus potentially endangering sensitive data – you also had the tangential but related story of John Podesta, former White House Chief of Staff and chair of Clinton’s campaign. He was compromised in a data breach and had thousands of emails – many relating directly to the campaign – stolen in what amounted to a run-of-the-mill phishing attack and simple human error that could have affected any number of non-political businesses or personal accounts.
But while a lot of the noise around these stories was bluster and political posturing, the specter of cybersecurity breaches shaping a presidential election was raised, perhaps permanently. Data can be placed in jeopardy in a myriad of ways, even without hackers actively looking for it. Is election security even possible given the sheer number of vulnerabilities?
It Can’t Be Just an Election Season Concern
This is why a discussion about election security is really no different from any other conversation about the threats that face all individuals or businesses. It’s also why the notion of election security doesn’t – or shouldn’t – just bubble up when an election is near. It’s a year-round concern, one complicated by numerous vulnerabilities.
And that’s because hackers aren’t necessarily interested in changing votes. Although that very idea was floated as part of Special Counsel Robert Mueller’s investigation into the 2016 election, the results were inconclusive. As Philip Bump wrote in the Washington Post regarding the Mueller probe, “It may be — and appears to be — true that Russia didn’t manipulate actual voting results, changing a county’s pro-Clinton votes into pro-Trump ones…But Russia’s efforts absolutely affected the vote, as they were intended to…”
By “as they were intended to,” Bump is referring to how the registered voter data that hackers collect can be used to sway opinion and affect votes through hyper-targeted misinformation campaigns. By engaging in this scary new kind of digital gerrymandering, hackers can feed incorrect voting dates or false voting locations in an effort to prevent people from reaching the polls at all. In a 2018 Fast Company article titled “How Facebook Blew It,” Alex Pasternack and Joel Winston wrote, “The [Trump] campaign would use Facebook in uglier ways too. Days before the election, Bloomberg reported, the Trump team was rounding out a massive Facebook and Instagram ad purchase with a ‘major voter suppression’ effort. The effort, composed of short anti-Clinton video ads, targeted the ‘three groups Clinton needs to win overwhelmingly . . . idealistic white liberals, young women, and African-Americans’ with ads meant to keep them from voting.”
And yet, adding or removing votes remains a common misconception when the subject of election security is broached. Election hackers are after personal data. There is always danger around centralizing too much data, and elections amplify this threat by offering a window during which massive amounts of personal data for large swathes of the country are gathered and recorded. In the 2016 election, according to a report in Bloomberg News, hackers hit at least 39 states, with breaches into software systems and voter databases. In Illinois, detectives found proof that intruders tried to delete or otherwise alter voter data. In at least one state, hackers accessed a campaign-finance database.
This is why “election security” is such a frustrating issue in a lot of ways. It’s nearly impossible to police at a high level, especially when you’re dealing with the existential threat posed by social platforms like Facebook. How do you prevent the formation of an opinion based on misinformation? The truth is, you can’t – but you also don’t stand a fighting chance of limiting that possibility if you only begin to act a few weeks before an election, or if you hope some “other” will fix the problem without any changes on everyone’s part.
Be Aware and Be Active
Election cybersecurity needs active participation from everyone. Waiting for someone else to Band-Aid the problem and guarantee a 100% secure election is folly. There are simply too many factors at play here. Year-round awareness and careful communication, coupled with common sense cybersecurity practices like multi-factor authentication and a Zero Trust perimeter, are the best defense against the fluid combination of varied attacks, evolving vulnerabilities, and human error that comes into play during elections. And when we refer to awareness and communication, we don’t mean between campaign managers and their IT personnel. We mean everyone. Get involved, because it’s the only way to ensure every county, precinct, and state is doing what they can. Each state manages its own elections, and we’re all only as strong as our weakest link.
So the call to action is simple: Contact your state and local representatives and ask them these three questions:
- Do they have multi-factor authentication turned on for all email services, devices, and any system or application that manages voter registration or other constituent data?
- Do they have proper access controls in place, and can they prove that only authorized individuals are allowed access to voter and other constituent data?
- What proactive measures do they have in place to ensure that proper and vetted voting information (like polling dates and locations) is reaching their constituents?