Via The SecDev Group
David Mussington, professor at the University of Maryland and former White House National Security Council staff member, is a renowned expert on election cybersecurity, social media information security and the security of ICT supply chains. Below is what he had to say about top digital risks for the 2020 US presidential elections in an interview with SecDev.
What can we expect that is different in terms of cyber threats to election integrity in 2020 that we didn’t see in 2016?
While 2016 saw an initial focus on cybersecurity controls and risks to key systems, network access, and sensitive data protection, the real story was the vulnerability of users - citizens - to manipulation by those targeting perceptions and voter preferences. These preferences affect who votes and govern the participation of particular communities that have suffered from impaired access to the ballot. Voter preferences are targets, used by attackers to achieve purposeful and focused results. We may be graduating from random attempts at manipulation to more nuanced campaigns against well-understood communities. Cambridge Analytica’s now well-documented activities fit this pattern.
The July 2020 revelations of the hacking of “blue check” verified Twitter users are a disturbing evolution of an ongoing concern with messaging and information manipulation on social media. Not only is the disruption of Twitter by still unknown actors disturbing, but the manner of the disruption - the apparent hijacking of administrator account privileges - points to the impact of social media administrative practices on the public. If the accounts of senior politicians, their supporters, and their campaigns can be so easily suborned - what does that do to the ability of campaigns to defend themselves against disinformation delivered from “trusted” sources? And the timing of discovery vs. mitigation is also significant - when was this situation identified, and by whom? What transparency exists on how the incident is being managed? And what are the protocols for involving law enforcement in the case?
What do you think are the top digital risks facing the US elections?
I think the risks of concern this year fall into three buckets: resort to digital voting technologies because of perceived risks from in-person voting; poor systems administration in legacy systems; and finally, undetected adversary breakthroughs in social media manipulation and behavioural suppression.
Digital Voting Technologies at Risk
Proposals for Internet or smartphone voting have emerged since 2016 and may appear attractive to those focused on avoiding COVID-19 risks. The decentralization of US elections means that states and counties, rather than the federal government, may make decisions to adopt unsafe technologies without adequate oversight or investigation. Contrarily, digital systems can protect voter registration, and check outcomes for fraud. Their use is similarly limited by cost, jurisdiction, and timing. So, technology is used to address a problem, but in different ways - thereby introducing additional attack surface exploitable by disruptive opponents.
Election Systems Administration in Transition
Legacy voting systems are being replaced by newer, more defensible technologies. Since 2016 a number of DRE (Direct Record - Electronic) voting systems have been replaced with optical scan and paper-based voting platforms. On its own this is an improvement. That said, commercial operating systems (Microsoft Windows 10, Linux, etc.) still lie at the base of these applications. Vulnerabilities still exist, but their impact may be hidden by the still quite low level of technical acumen possessed by election officials and politicians.
Undetected Adversary Activity
The July Twitter account hack revelations raise the last major concern - that of hidden adversary activity that has long-lead-time impacts on the content and frequency of message manipulation suffered by the public. Absent detection, such attacks could have strategic impacts. Reinforced by appeals to bigoted or sectarian opinion, and uncertainties on existential threats (e.g., COVID-19) - disinformation campaigns can be made more effective - and engrained in the operations of social media. This poisoning of platforms where millions of voters interact constitutes an integrity threat to democracy.