Cybersecurity: Election Hacking

In foreign affairs, external interference into the voting system of another country is not a new development. According to a study, it is estimated that US and Russia attempted to influence the national elections around the globe 117 times between 1946 to 2000 (Levin, 2016: 189; quoted in Shackelford et al, 2017: 636).

With the explosion of the internet, some countries have decided to incorporate digital technologies into their voting system as a cost-efficient and flexible solution. While such initiatives come with great benefits, they also come with substantial risks. In other words, in the same way, digital systems can be compromised, electronic voting systems can tamper as well. A recent CFR analysis suggests that none of the above group of counties did make any provisions to safeguard the voting process. Due to the elections cybersecurity not been listed as critical infrastructure¹, the voting system becomes more vulnerable to external interference.

On a positive note, international awareness on the vulnerability of digital elections has risen significantly over the last decade. However, current challenges such as recession and the rise of populism have diverted the attention of the governments into other internal challenges.

The way that cybercriminals can influence the voting result is multi-layered; from the deletion of voting entries from the electoral lists, the installation of malware to the electronic voting systems to the manipulation of the final results. Despite the success or failure of the hackers’ attempt, the main objective remains one; to break the public trust towards the integrity of the election system.  There are many examples of cyberattacks in foreign affairs literature trying to meddle with other countries’ elections. Here are some characteristic case studies:

  • 2016 US Presidential elections

The first suspicions report back to September 2015, when FBI alerted the Democratic National Committee help desk about a cyberattack attempt. Despite the warnings, no evidence was found. Within the following period, a chain of incidents unveiled – from email interception to leaking sensitive data online – targeting Hilary Clinton’s presidential campaign. All checks and findings that have been conducted by cybersecurity firms and the FBI, were pointing out towards one direction; that appointed hackers from the Russian government were targeting the Democrat party.

Over the course of the elections, the Russian government remained firm by denying such claims. On December 2016, an internal investigation of the CIA revealed that the reason behind the attacks was to boost Trump’s lead towards Clinton. Amid a climate of disagreement between FBI and CIA, Barack Obama announced the imposition of sanctions towards Russia on the 29th of December – leading to the exodus of Russian Diplomats from the US.

At the beginning of 2017, a declassified report of the US intelligence was released, showing that there was no breach of the voting machines, yet Russia had meddled with US elections via alternative routes – by promoting fake news on social media – which proved detrimental for Clinton’s campaign. Despite the attempts of the newly elected president Donald Trump to ease the Russian sanctions, the Senate managed to block them successfully, while Putin was threatening to oust US diplomats from Russia. From April to October 2019, more evidence came to the spotlight, when two reports of the Senate Intelligence Committee confirmed the previous findings.

  • The 2007 and 2013 attacks in Estonia

Another characteristic example is Estonia, the first country ever that introduced digital voting during its 2005 local elections and the 2007 national elections. As the DDoS attacks to the governmental sites weren’t enough in 2007, the country fell again a victim of cyberattacks in 2013 during its local elections.

  • The insecure voting systems in Germany

A third example comes from Germany when the country decided to integrate the DRE electronic voting machines into its 2005 voting system. After extensive research, it was proved that these machines were easy to manipulate. As a result, the government decided to ban them from further use.

  • The 2014 Ukrainian elections

At last, the Ukrainian case in 2014 shook the global community, when hackers managed to intercept sensitive data from its voting systems and leak them to the press. Amid fears of further chaos between pro-Russian and national voices, the government managed to restrict substantially hackers’ efforts.

A lesson yet to learn

To prevent similar phenomena from occurring in the future, some common practices can be implemented that will make it more difficult and less cost-efficient for hackers to interfere with the national election systems.

First of all, the deployment of new technologies and protocols will ensure that the latest security software has been installed on the voting systems. Secondly, the implementation of common strategies between states can play a vital role in the fight against social media disinformation, while safeguarding the human right to vote and democratic integrity. Finally, law enforcement can deter further interference by introducing serious countermeasures against trespassers, such as diplomatic obstacles and economic sanctions.

As cyberattacks pose an imminent threat to democratic values, the implementation of the above recommendations is quite critical – especially for the countries with upcoming elections. On December 12, the UK goes to the polls to elect a new government. These elections will be rather decisive for shaping the future relationship between the EU and the UK. As expected, the country will be on the media spotlight and – by extension – to hackers aiming to disrupt the elections.

A few days ago, security experts revealed that multiple hits attempted to flood the Labour’s digital platforms with traffic. Despite the reassurance of Labour for following all the security processes to protect its platforms, these techniques might not be sufficient for an organised, well-targeted attack. Suspicions that the hit was generated by experienced hackers explains why it is difficult to trace the source of the perpetrators, whether that be a party or a foreign state (Stubbs, 2019). In the meantime, a hacking pro-Brexit group – named Lizard Squad, also known for offering paid DDoS services – claimed responsibility for both attacks warning that it will hit again the Labour party, in case it wins the elections.

As a final note, the next US Presidential Elections are scheduled for 2020. Under the watch of the Election Assistance Commission, cybersecurity will be one of its top priorities during the election process, as the chances for a potential cyberattack are quite high. Although the US is a leader in cybersecurity, the lack of funding seems to weaken its effectiveness and readiness to respond to such risks. According to EAC’s Chairwoman, Christy McCormick, the cuts on the agency’s budget by 50% raise concerns that require an urgent response (Bing, 2019).


Photo: Marco Verch, Election Hacking (2019). Source: (twiter-trends.de 2.0) | (CC BY 2.0)


Footnotes

[1] Critical infrastructure:

By critical infrastructure, the term refers to national domains of high importance for national security. Any disruptions can destabilize the national order with dramatic consequences for the economy. For this reason, governments issue strict policies and laws to protect their critical infrastructure from any unwanted interference.


Bibliography

BBC (2019) General elections 2019: Labour Party hit by second cyber-attack, BBC News, 12 November, Available at: https://www.bbc.co.uk/news/election-2019-50388879 (Accessed 16th November 2019)

Bing C. (2019) U.S. election cybersecurity agency staff ‘strained to the breaking point’, Reuters, Available at: https://www.reuters.com/article/us-usa-cyber-election/us-election-cybersecurity-agency-staff-strained-to-the-breaking-point-idUSKCN1SS2XV (Accessed 23rd November 2019)

Clemente D (2013) Cyber Security and Global Interdependence: What is Critical? Royal Institute of International Affairs, Chatham House, Available at: https://www.chathamhouse.org/sites/default/files/public/Research/International%20Security/0213pr_cyber.pdf (Accessed 17 November 2019)

CNN (2019) 2016 Presidential Campaign Hacking Fast Facts, CNN Library, 31st October [updated], Available at: https://edition.cnn.com/2016/12/26/us/2016-presidential-campaign-hacking-fast-facts/index.html (Accessed 23rd November 2019)

Fidler D. (2017) Transformation Election Cybersecurity, Cyber Brief, Council on Foreign Relations, Available at: https://cdn.cfr.org/sites/default/files/report_pdf/CyberBrief_Fidler_Elections_OR_2.pdf?_ga=2.219700825.19195569.1574293848-414541985.1574293848 (Accessed 23rd November 2019)

Shackelford S., Schneier B., Sulmeyer M., Boustead A. and Buchanan B. (2017) Making Democracy Harder to Hack, University of Michigan Journal of Law Reform, 50 (3): 629-668, Available at: https://www.schneier.com/academic/paperfiles/Making_Democracy_Harder_to_Hack.pdf (Accessed 24th of November 2019)

Stubbs J. (2019) Hackers hit political parties with back-to-back cyberattacks, Reuters, 12th November, Available at: https://uk.reuters.com/article/uk-britain-election-labour-cyber/hackers-hit-political-parties-with-back-to-back-cyberattacks-idUKKBN1XM19G (Accessed 16th November 2019)

Sullivan J. (2018) Russian Cyber Operations: State-led Organised Crime, Royal United Services Institute (RUSI), Available at: https://rusi.org/commentary/russian-cyber-operations-state-led-organised-crime (Accessed 19th November 2019)

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *