U.S. Election Interference Comes of Age
The best way to knock out an adversary is to put its internal politics in disarray. Few things contribute to that effect as much as disbelief in the electoral process, a problem autocracies don’t have to deal with.
Campaigns and elections always have been vulnerable, and the opportunities for external foes and internal extremists to exploit gaps have evolved since they were first detected.
“We have built upon a strong foundation from 2016 to 2020 to now,” said Geoff Hale, director, Election Security Initiative, Cybersecurity and Infrastructure Security Agency (CISA). Hale explained that, in terms of hardware, gaps were plugged and that it would be very hard to hack processes that could potentially alter vote tabulation.
“Prior to 2020, even 2018, most of America thought they went to a poll, cast their vote and it counted, and that was it,” said Debora Plunkett, cybersecurity leader and former director of information assurance at the National Security Agency.
She defined the risks in broad terms, both as a vulnerable electoral procedure and as a means that can be used to undermine trust in institutions in the long term.
“Now, the focus of foreign adversaries, or adversaries period, whether they be foreign and domestic, is to take advantage of our vulnerabilities in the areas of not trusting our systems, not trusting our election apparatus, not trusting the processes, and using that to their advantage. That is their greatest advantage. That, and the disinformation,” Plunkett explained.
“In 2024, I think Vladimir Putin, should he still remain in power, will have every incentive, every single incentive, and almost no disincentive to get involved in our elections,” said Glenn Gerstell, senior advisor at the Center for Strategic and International Studies.
Gerstell and all panelists discussing election security at AFCEA’s Intelligence and National Security Summit on Friday pointed toward domestic fringe actors, with Russia first and China, Iran and North Korea as possible contributors as well.
Technology may have been strengthened with more layers of protection. Still, humans are the biggest risk, according to the panel.
One risk lies with those who work with the systems and could be tricked into granting access to unauthorized actors.
“Over 90% of cybersecurity attacks still start with phishing,” said Grace Hoyt, account security partnerships executive at Google. Phishing is the fraudulent practice of sending emails purporting to be from reputable sources to induce individuals to reveal personal information, such as passwords and credit card numbers.
“For example, last year, [Google] blocked over 40,000 phishing attacks [against election officials],” Hoyt told the audience.
A more sophisticated attack doesn’t involve systems. It exclusively focuses on citizens and exploits political divisions to sow public distrust in institutions, explained Plunkett.
“Americans are not used to the scale of disinformation in the coordinated sense that these two countries [Russia and China] establish in their campaigns, where they have tweets that are amplified by Facebook posts that are then reported by such entities as RT (Russia Today), which legitimatize and corroborate this, to make it look more real and more authentic. Americans are not used to that level of very integrated operations,” Gerstell illustrated.
Defending the country from these forms of manipulation will require news literacy and civic education.
“We as readers and consumers also have responsibility for verifying what we’re reading, particularly if we’re going to take some action based on it. Social media firms are certainly aware. They have been called up to [Capitol] Hill enough times now, and I believe they have certainly taken action. I believe there’s more to be done,” Plunkett said.
Prior to closing the event, comments went back to the basics. “We still have work to do to create that culture of security,” Hoyt explained, insisting on cybersecurity basics for everybody involved: using high-quality passwords and more than one authentication measure to access systems.