App Tiers Affected:
In July 2018, the FBI charged 12 Russian military intelligence officers with interfering with the 2016 United States presidential election by hacking into DNC’s computers and selectively releasing stolen emails timed to slant the news cycle.1 In response to this, the FBI is now working to bolster the cybersecurity for local, state, and federal political campaigns across the U.S. In recent news, Microsoft is reporting that hackers originating from Iran are targeting the 2020 presidential campaign with email breach attempts.2 This leads us to ask: how much of a risk is election hacking?
We measure cyber threats in terms of risk, which is composed of the likelihood of a threat manifesting coupled with the potential impact. Most of this article is devoted to the threat likelihood, but for now, let’s focus on impact. Normally, impact in cybersecurity for businesses is measured in dollars. For elections, we could use votes. So, for an election, how many votes need to be manipulated to change an election outcome? This comes down to the specific race being run. The state representative who won a hotly contested election in my home district in 2018 won his race by only 140 votes, a nudge of about 1% of the votes cast.3 On a larger scale, in the aforementioned 2016 presidential election, there were 120 million votes cast but effectively, only 107,000 votes in three states decided the election.4 That’s nine hundredths of one percent (0.0009) of the votes cast, roughly the same size as the population of West Covina, California. So a hack that changed even a small percentage of votes could have significant impact, if the venue were right.
Statistics from the U.S. Election Assistance Commission show that across the United States, a polling station sees, on average, 1,547 voters.5 So for a local race, a hack of a machine or two (average in New York State is around 400 voters per touch screen voting machine6) at a single polling station would be enough to swing a close race. Although a single polling location with disparate results from other locations would surely stand out. A savvy attacker would want to spread out their manipulation to make the outcome look natural and therefore, acceptable. As we’ll see, some methods of cyber election tampering are easier to hide than others. And for this article, we are interested only in the cyber-enabled attacks because information technology can magnify the efficiency and impact of older tried-and-true methods. Overall, there are three places to attack an election: the voter registration process, the voting process, and the voter.
Attacks on the Voter Registration Process
One way to easily tamper with vote count is to simply add fake voters or invalidate legitimate voters who you suspect would vote against your desired outcome. False voter registration and voter suppression are nothing new in American politics;7 we are particularly interested in cyber-enabled attacks. Last year, we reported how public sector organizations (also known as governments) were the most concerned of all industry sectors about tampering with their applications. One reason, we postulated, was online voter registration, as 37% of states allow online voter registration.8
In 2016, the Russian GRU hacked voting registration databases in two Florida counties in 20169 as well as other unnamed states.10 Just this year, we’ve already seen an attack against a voter registration website in California.11 Because these are websites, we know they could be vulnerable to all the usual web application attacks, denial of service attacks, and network interception. So far, there hasn’t been much focus or attention given to the danger of falsified voter registration coming in online, just leakage of voting registration records. It’s likely that registering fake voters does involve more work than just compromising a website, and there are other checks and audit trails in place for detection and remediation.12
Attacks on Voting Machines
Hacking voting machines is arguably getting some of the most sensational press,13 some of this thanks to the DEF CON Hacking Conference’s voting village,14 which publicized numerous methods to gain control of a voting machine. Although voting machine hacking has been a known issue for over 15 years,15 it resurged into a credible threat in Robert Mueller’s Report on the Investigation into Russian Interference in the 2016 Presidential Election, which noted that the Russia GRU targeted state election offices and voting machine makers.16 But what does an attack on a voting machine look like? Since voting machines are not normally networked devices, with some occasional exceptions,17 attacks must be carried out against either the supply chain or directly against the machine itself. In fact, voting machine attack models are remarkably similar to attack methods against air gap computers.
Most attacks require an attacker to have unobserved physical access for a minute or three, depending on the model of the machine. From there, the attacker may need to pick a lock or use a copied key to gain access to data ports or the computer within. From there, malware can be loaded, either riding on a wide variety of vulnerabilities, including software holes, default passwords, or weak cryptographic secrets. There are also documented attacks that involve swapping chips, memory cards, or smart cards.18 Some voting machines are so old that they still use PCMCIA cards, a nearly thirty-year-old technology, that can be easily subverted. Most voting machine malware manipulates either the individual votes or the final vote tally and then erases itself to destroy the evidence of tampering. In some cases, voting machine malware can be self-replicating, riding from machine to machine on infected memory sticks. There are also malware attacks against computerized Ballot Marking Device (BMD) tabulation machines, which tally optical ballot cards.
Just like everything else in cyber security, it’s a safe bet that if an attacker can gain physical access to an unlocked computer, they can pwn it in minutes.19 And it’s also safe to assume that the tampering will be nigh undetectable, although some voting machines do run anti-virus software.20
One the key defenses against these attacks is obviously to lock down physical access at polling places. Like all other cyber security systems, electronic voting and polling locations should be audited and vulnerability tested. Another recommended defense is for machines to have paper trails that provide physical verification of what a voter actually voted for in case the electronic tally is altered. Three states, Colorado, Oregon, and Washington, also do all their voting via mail which greatly reduces the attack surface of voting machine hacking. The lead agency for protecting voting is the Department of Homeland Security,21 and they are working with states on defending the voting processes. Another good resource is Verified Voting, a non-partisan non-profit organization that advocates for regulation to promotes accuracy, transparency, and verifiability of elections.22
Use of Cyber Deception to Influence Voters
Rather than directly manipulate votes, cyber attackers are now finding success in misleading the voters themselves. Once again, social engineering triumphs over technology. The key to this tactic is simple, and cyberwarfare researcher The Grugq said it best, “People will believe what their computers tell them is reality.” But how these attackers methods differs is based on their goals.
The FBI has identified the three top threat actors to U.S. interests with regards to election security: China, Russia, and now, Iran,23 Each threat actor has different goals and operates differently based on those goals, although their basic technical methods are similar.
China, for the most part, follows a more traditional model of influence. It tries to persuade key influencers (sometimes called shills), both individuals and companies, with economic levers to portray China in a positive manner. Influencers are also encouraged to oppose negative news about China by downplaying it, not mentioning it at all, or criticizing those who promote it. Sometimes these influence campaigns are about China in general, such as “China is a technological leader,” and other times, they are about current inflammatory political causes.24 Their campaigns tend to be low and slow, risk averse, subtle, and meticulous.
Iran, a recent player in this game, tends to similarly target influencers, and it’s attention focuses mostly on its own reputation and other regional players. There have been indications that Iran has tried to influence the U.S. elections, both for the 2018 midterms25 and the 2020 presidential election.26
Russia, however, is an outlier. Instead of targeting influential individuals or organizations, which will then be used to alter elections, it targets its efforts to affect the general U.S. population. It also does not necessarily promote a particular cause, candidate, or agenda, but rather seeks to sow chaos and discontent among voters. In this process, it uses particular political or ethnic groups to play off each other. For example, the Senate Intelligence Committee’s Russia investigation of the 2016 election found that Russian influence efforts heavily targeted African-Americans, noting that, "By far, race and related issues were the preferred target of the information warfare campaign designed to divide the country in 2016.”27 There are newer tools, primarily Internet-based, to help citizens navigate news bias and disinformation such as Snopes28 and AllSides,29 but these do require additional effort and Internet media skills that many older voters lack.30
If there is any central theme to their influence efforts, it is “America is terrible.” Russia is also the most well-funded, aggressive, and experienced of all the major threat actors targeting elections. According the FBI, the four major goals of Russian election influence efforts are:
- Divide and demoralize
- Muddy the public discourse
- Discredit and undermine
Divide and Demoralize
Russia seeks to stir up both sides of a debate and stoke up fights. If a particular political issue is trending, they use targeted social media advertisements and false online identities to intensify the extremists on both sides of the issue. For example, if there is a police shooting of a African-American youth, they target both white supremacists and black activist groups with distorted messages about the issue.31 The goal is to create chaos as well as discourage any meaningful resolution of the problem.
Muddy the Public Discourse
Russian operatives are also known for injecting fake news into the public discourse to confuse the issue and obscure the truth. People become overwhelmed by the torrent of conflicting stories and fall back to cognitive shortcuts, which means trusting sources that affirm what they already know. In this way, filter bubbles are formed and political positions are cemented. Historically, Americans have been conditioned to expect professional journalism, where news media (even if biased in analysis) has historically still based their reports on solid facts. In recent years, this has shifted as news channels began to “brand” themselves for particular audiences and began cherry-picking news stories and adding more commentary to reporting.32 On the Internet, especially on social media, the responsibility for verifying facts shifts from the publisher to the consumer. Many Americans, especially ones raised before the Internet was ubiquitous, are unaccustomed and untrained in investigating Internet news. The result has been called the rise of the “low information voter.”33
Discredit and Undermine
Similarly to fake news, this tactic involves impersonated trusted organizations and individuals online to send false news to discredit them. For example, impersonating election officials on social media or email to provide false information about registration. This tactic is meant to supress voter turnout and manipulate voter perceptions about the integrity of the election.
When hot-button issues and large debates are underway, Russian operatives fans the flames of argument via retweeting, sharing, and repackaging messages to amplify and prolong the disputes. Many of the messages that finally reach voters have already been relayed and amplified many times over, making it difficult to trace back to the originator. All of these methods work synergistically to build upon each other for maximum effect.
What specific technical methods do Russian influencers use? Well, the easiest is to use legitimate tools such as purchasing advertising34 and open source intelligence data35 just like online marketing firms do. In many cases, influencers were not directly buying these ads with a check written from the Kremlin bank, but instead used false front companies to misrepresent themselves.36
According to the U.S. House of Representatives Permanent Select Committee on Intelligence, one of the Russian false front companies, the Internet Research Agency (IRA), purchased 3,393 advertisements on Facebook that were shown to over 11.4 million Americans. They also created 470 Facebook pages with 80,000 pieces of organic content, which were shown to more than 126 million Americans.37 Remember that only 120 million votes were cast in the entire 2016 Presidential election.
Another technique that is even more dishonest is to use bots as “sock puppets”38 or “Non-Player Characters (NPCs)”39 to create false followers and influencer armies online in what is called “astroturfing.” This technique involves using bots to impersonate humans on social media accounts to create and amplify social media messages. Sock puppets are a common tool for advanced attackers, both state-sponsored and large hacktivist groups. Both the Russian40 and Chinese41 governments have been accused of using these kinds of bots to pump false information out into social media. F5 Labs has profiled Russian efforts to compromise and exploit home IoT devices, which could easily be used for both surveillance and creating sock puppet bots. In some cases, these bots are using entirely fake identities with made-up names and, in other cases, stolen identities are used to create the bots.
Another powerful technique is leaking and doxing, which we discussed on F5 Labs as a common hacktivism tool: Doxing (dox being short for documents, or docs) involves the publicizing of private or personal information on the Internet about someone to intimidate or embarrass them. On a broader scale, leaking is the publication of carefully curated and incriminating emails or confidential documents, which can be used effectively against organizations or public figures. The most famous expression of this was the hack of DNC email in 2016 and selective leaking of embarrassing emails to WikiLeaks.42 Recently, Iran was accused of attempting to do the same thing for the 2020 presidential election but they were thwarted by Microsoft security.43
Blocking Deceptive Influencers
In response to this threat, the FBI has launched its Protected Voices campaign, working directly with campaign officials across the country to bolster their cyberdefenses.44 Since we live in a country that values free speech, the FBI is not in a position to censor or stifle political messages, especially since it is too hard to discern an American citizen from a bot at scale. However, social media platforms are in a better position to do this and are within their purview to scrape and deny bots on their platforms. The FBI believes that exposing these bots is a key strategy, as it’s one thing to hold an opinion but it’s another to know that you’re repeating an opinion that originated in Russia.
Modeling Election Attacks
Another aspect to consider is what kinds of attacks we should expect, and therefore defend against in the future. To do this, we need to look at which attack methods are most cost-effective, and thus scalable and repeatable. Attacks need to be scalable and reliably repeatable because a U.S. presidential election involves manipulating hundreds of different venues across the nation.
In the simple table below, we outline the three primary attack methods: voter registration, voting machines, and deceptive voter influence. Attack effectiveness considers target availability, attack success likelihood, and attack impact or how many votes affected. Attack cost takes into consideration resources expended, both money and time in isolating the correct targets, weaponizing exploits to use on them, and managing the attacks. It also is a rough measure of personal risk to the attacker in looking at their exposure to getting exposed and arrested. By looking at both these dimensions, an overall attack value can be derived.
|Attack Method||Attack Effectiveness (Low – Very high)||Attack Cost||Attack Value|
|Target availability||Attack success likelihood||Attack impact|
|Hack voter registration||Low—Need to find registration sites that are hackable in useful manner||Low—As far as we know, has not happened yet||High—Adding new voters to vote for preferred candidate is highly effective||Very High—Must create fake voters and accompanying fake identification, place fake voters at risk of physical capture||Low—Attacks are effective when they work but are hard to reliably reproduce at scale|
|Hack voting machines||Low—Must target the voting machines in specific polling places in specific swing districts, which may not be known until the election is imminent||Low—If attacker can get physical access, attacks are likely to succeed, but physical access can be difficult||High—Untraceably altering votes to preferred candidate is highly effective||Very High—Must create specialized malware and physically put it on voting machines in specific swing district polling places while placing malware infectors at risk of physical capture||Low—Attacks are effective when they work but are hard to reliably reproduce at scale|
|Deceptive Influence: Leaking & Doxing||High—Many campaigns with systems to target and most emails contain embarrassing details||Medium—Gaining unauthorized access to political campaign has proven not difficult||High—Has proven to effectively sway significant percentage of voters on key issues||Medium—Requires hacking into protected email and document repositories||High—Attacks are easy to attempt, reasonably effective, and low cost, low risk|
|Deceptive Influence: Use of social media bots||High—Many voters on social media who are easily identifiable and profiled||High—Many resources available for social ad spending and bot impersonation||High—Has proven to effectively sway significant percentage of voters on key issues||Low—Bots are cheap and easy to weaponize in this manner||High—Bots and social media are very easy to use, low cost, and have proven effective|
From this, we can see that deceptive cyber influence methods are more attractive, especially if the goal is to cause election chaos and not necessarily to elect a particular candidate.
When the subject of “election hacking” comes up, the first response that many people have is to spare no expense as this is vital to protecting democracy. However, in reality, the U.S. government appears to expend no more in cyber defense protecting voting than most organizations do to protect our hospitals, emergency alert systems, first responders, financial system, power grid, or privacy. In other words, we put some effort into it but many attacks still slip through. And, like everything else in cybersecurity, we seem to focus more on technical attacks and defenses, while ignoring the more devastating social engineering attacks. So how much do we care? The U.S. government has put forth a noticeable effort to combat election hacking.45 However, it is about on par with what it does to counter most other cyber threats, that is, not a huge effort but a significant one.46 In our personal lives, most Americans have gotten desensitized to the breach-of-the-week and ransomware shutting down hundreds of schools and municipalities. Perhaps this isn’t seen as that big of a threat?
Given that the 2020 election is already underway, voters need to be aware of these kinds of deceptive tactics used to influence their votes towards foreign agendas. Security awareness at the consumer level has never been more important and begins with spotting media bias, which often mixes drama and opinion with real facts.47 Even though most of the major social media platforms are working to eliminate bots and fake news,48 identifying bots on social media is still going to be a vital skill for news consumers. One key giveaway for fake news stories are social media pushes of screenshots of media news stories, often without any context, instead of sharing actual links to the real media site.49 Politicians are working to secure their campaigns, although the efforts are mixed. Elizabeth Warren, Cory Booker, and Bernie Sanders are receiving high marks for their site security while others are lagging.50
In the end, if a nation-state attacker's goal is to undermine the confidence of the election results, they may not even need to succeed in hacking voting machines. If just enough credible news about a potential election hack can take root in citizenry's mindsets, cyber-influence efforts could amplify this to question the election results and cause chaos.
In terms of cyberwarfare, we often think of hacking power grids,51 but hacking an election to create a political climate favorable to a nation-state seems to be a much more powerful technique. It would be a nation-state’s ultimate cyberwar victory to bend an opponent nation to their will without firing a single shot—and making it seem like they did it to themselves. We need to take care to ensure that doesn’t happen.