In the month leading up to the 2016 US presidential elections, Wikileaks published 58,000 emails and messages hacked from John Podesta, the chairman of Hillary Clinton’s campaign. It was the most high-profile in a series of cyber attacks that cast a shadow over the entire election.
Four years later, the next US election took place in the middle of a global pandemic – and attitudes to cyber risk, and indeed the nature of the risk to the democratic process, have changed.
There are few examples of the disaster scenario of an attempt to “steal” an election. More often, attacks are now about undermining public trust in the system, rather than trying to change election results. But it is difficult to measure the impact of disinformation, for example, on votes.
Maggie MacAlpine is a US expert in testing and auditing election systems. In 2016, she says, out of concern for the security of elections, some hackers in the US were testing electoral systems and trying to alert authorities about potential weaknesses. They found it difficult to be heard, however. “If you rolled up somewhere and said ‘your cyber security needs shoring up because it’s a potential vector of attack’ you would get a lot more pushback, or even confusion,” MacAlpine told Spotlight.
Read more: How AI changed cyber security
This attitude has largely shifted over the past four years, she says, but it still lingers in places where officials insist they do not need outside help to identify vulnerabilities. One of those places, the state of Georgia, is now at the centre of disputes about the conduct of the 2020 elections. President Donald Trump’s campaign requested a recount of the vote in the state after Joe Biden was declared the winner.
When we spoke, before the election on 3 November, Georgia had just appealed a ruling by a judge that would have required election officials to have a paper back-up in case there were issues with technology used to “check in” voters, including cyber attacks.
Outside the US, some countries have stepped up their efforts to protect elections and democratic institutions from cyber interference. Sam van der Staak has been working on this for five years at International IDEA, an intergovernmental organisation based in Sweden, which has run workshops in Europe to get a sense of cyber security challenges to electoral processes in different countries.
There was an initial “cyber scare” following the US election in 2016, the hacking of the German Bundestag in 2015, and the French presidential elections, when President Macron’s campaign was targeted by hackers in 2017, he says. The issue has gone quiet in the past two years, however. “The old ways have continued, but in addition to that it’s broadened, it’s diversified and the aims have shifted,” he added.
People assume when they see a headline that says “election hacked” that it is about changing the results, MacAlpine explains. But if your goal is about undermining the credibility and trust in elections, attacks can take many forms. That includes direct attacks on campaign security, such as hacking and releasing emails, or election infrastructure, such as the websites used to register to vote. They can be launched independently by hackers or be sponsored by a state, with Russia frequently accused of being behind such disruption campaigns.
However, simple attacks on vulnerable targets can be carried out by anyone with basic technical knowledge, and disinformation can be created and spread by anyone with a social media account. In the US, MacAlpine notes, it would not necessarily be against the law if a citizen spread false information, given free speech protections. “It’s not illegal to be an idiot,” she says.
Read more: How to work from home safely during a cisis
MacAlpine’s biggest concern in the run-up to this set of US elections was that Trump would amplify disinformation about the integrity of the vote. Her concerns were indeed borne out during and since polling day. Trump recently fired the head of the US cyber security agency for refuting the president’s claims of electoral fraud.
Worldwide, electoral commissions have invested in different systems and turned to the security services for support in response to the threat of cyber attacks, according to van der Staak. “Every electoral commission is vulnerable,” he explains. Those who use electronic voting and counting are at greatest risk, but even countries with little use of electronic systems are at risk. They will likely still use email to communicate and have a website to announce results, even if their votes are cast and counted by hand.
Some countries have made efforts to educate citizens about these dangers. In 2018 in Sweden, for instance, information packs were posted to each household about the risks of election hacking. A high school programme was launched to teach young people about propaganda.
The coronavirus pandemic also means some electoral commissions have had to shift more of their services, like candidate registration, from in person to online. But this has happened rapidly, without the preparation and time to secure those systems. Staff are working at a distance and dealing with more postal votes, so capacity to do cyber security is lower.
In the US, says MacAlpine, the money for states to adapt their elections to Covid-19 came too late to make a big difference in moving services online for the presidential election.
Political parties and civil society organisations are among the most vulnerable parts of an electoral system. There are hundreds, potentially thousands of political parties and organisations in each country, often lacking the money to invest in cyber security and reliant on volunteers.
“The risk is potentially enormous,” explains van der Staak. In some cases, electoral commissions have asked the security services to train political parties in how to help protect themselves online. In countries with a recent history of totalitarianism and dictatorship, where these types of organisations may have rigged elections in the past, this has been controversial.
Read more: Is electronic voting a political risk?
Cyber attacks and disruption more broadly give people who are already sceptical about democracy, elections, or “the quality of their politicians,” another argument to say, “this system isn’t working for us,” explains van der Staak. This is much easier to achieve and only takes small attacks that anyone could do, for example a distributed denial of service (DDoS) attack on a political party’s website.
This is what happened to the UK Labour Party during the 2019 election. In Latvia’s 2018 elections a popular social network, Draugiem.lv, was targeted and its homepage filled with pro-Russia content. All of this contributes to a general environment of suspicion and doubt. “It’s all about trust,” said van der Staak.
This article originally appeared in the Spotligh report on cyber security. Click here for the full edition.