Hacking our Democratic voting process

Wake up everybody, it’s 2019 and everything we’ve even known about democratic elections is wrong. Growing up in the post-cold war era (yes, I’m that old) we used to pride ourselves as having free, democratic elections. I remember when Saddam Hussein was “elected” as president 1995 (he was the only candidate, and won 99.96% of some 8.4 million valid votes cast) – it was obvious to anyone that the elections were rigged. It never downed upon us that such manipulations could be played on modern, democratic countries.

Well, we need to think again. 

Our growing connectivity and reliance on technology has made us extremely vulnerable to external manipulation of our elections process. It is now obvious that elections are targeted by foreign powers and that this trend will only escalate. Jeremy Hunt, British Foreign Secretary, said earlier this month :"a worst-case scenario, elections could become tainted exercises, robbing the governments they produce of legitimacy”, and Indonesian official said last week that:” Election Under Attack From Chinese, Russian Hackers”. 

Within this wide of cyber operations against elections, which also includes social media and pcy-op operations, targeted ads and influence, I’d like to focus on the topic actual cyber attacks sabotaging the democratic process (it is worth mentioning that new technologies are being developed to mitigate such threats, such as Cyabra social media monitoring and counter fake-news tools). 

The perpetrators adapt their methods of operations according to the steps of the election process. They commence with attempting to hack the politicians, move to hack the political parties and conclude with hacking the voting systems. Hacking politicians seems to be the easiest to accomplish. An individual can be hacked via regular phishing or waterhole attack (which will mainly target its phone- as seen in the recent case of hackers penetrating an Israeli politician phone). But in spite of the ease, the benefits of hacking a politician are mainly for defamation purposes.

Political parties are usually not experienced in cybersecurity (and certainly lack the necessary manpower), it is no wonder that they are the next step for hackers. Months before the actual voting, perpetrators can and do hack the political parties to obtain information and utilize it later for sowing fake news and panic. Recent examples of such activities is foreign (presumably Chinese) hacking of Australia’s three largest political parties, which can be utilized to fuel fake news and intimidate or coerce potential voters. This data breach, as well as the famous DNC data breach, were likely the result of spear phishing campaign, that led to the compromise of the party’s database. Other cyber-attacks can target party’s websites, like the attack on India’s BJP (the largest political party in the world) which was allegedly took down by Pakistani hackers and has not yet recovered.

Parties should do a better job at securing their data, as well as their own internal voting process, as demonstrated in a recent vulnerabilities detected in Israel’s Likud party Primary, where an open web-interface has allowed (potently) anyone to alter the voting results.

Maybe the good old ballot box is what we now need?

Moving from the party level to the national level, hackers need to step up their game in order to be able to penetrate and interfere (or manipulate) the voting results. Luckily for them, voting machines all around the world: Voting machines Switzerland were found to have vulnerabilities, as well as voting machines in the state of Georgia. The issues is so sever that a bill was proposed to the senate to secure such machines. Obviously, connecting voting machines to the internet opens them to multiple threats and the proper security measures must be deployed in order to mitigate these.

Summary:

Looking forward, it is clear that elections must be see secured, both by the political parties and bodies involved, and by the administration. Looking forward to 2019 elections, Spain and the Ukraine announced they will ramp up their national security efforts to safeguard the elections. As for the 2020 presidential elections, the Department of Homeland Security’s top cyber official said that he will focus on ensuring election officials are using basic cybersecurity techniques to counter cyber threats, and DARPA announced it will invest 10 million US$ in developing a hack-proof, voting system.

Hopefully, with the right combination of awareness, improved procedures and security technologies we will be able to fend off the risk and continue to enjoy the democratic process we cherish so much.

Keep Safe!

Dotan