Defending the Digital Election Infrastructure
Someday we’ll conduct elections fully online, but to do that we’ll require a more secure digital election infrastructure. As the U.S. 2020 election process ramps up, technology plays an increasing role. Organizations engaged in the political process must strengthen cybersecurity to prevent chaos and disorder from carrying the day.
The Promise of Online Elections
“Democracy is the worst form of government, except for all the others,” Winston Churchill famously said.
But just for a moment, let’s dream of a brighter future: What if online elections not only could make voting more efficient, but also make democracy better?
You can consider our issues with representative democracy, read about the history of direct democracy on Wikipedia and have some reasonable doubts. But suppose we had better tools for deliberating, debating, and voting online concerning issues as large as “Who will be the next President?” or as small as “What color should we repaint the county public library?” Imagine people learned in school, and throughout life, that being a good citizen means keeping oneself open-minded and well-informed. What if most of us lived up to that?
Though we can’t take the success of online democracy for granted, and though it is still far from reality today, we can accept it is possible.
A Target Rich Environment
The path to a brighter future with fully online democracy for the information age leads through protecting an increasingly digital election infrastructure that – today – seems unready. But ready or not, many election-related processes are going digital:
- Voter registration and identification increasingly require electronic identity proofing or verification, and computerized voter databases.
- Government agencies administering or adjudicating the election process depend on their IT systems. Votes are counted electronically.
- Software vendors and service providers furnish tools for registration and election management.
- Political campaign organizations run on digital applications, databases, and collaboration tools. They use social media to get out the vote.
Threats to the Election
Those who predicted cyberwar on the financial system, or the power grid, have hopefully got it wrong. It seems our nation state adversaries discerned that a direct attack on America risked rousing a sleeping giant with great military and economic power. Better to launch attacks on the giant’s political system. To weaken citizens’ faith in their own institutions and democracy. Get them blaming and distrusting each other!
In this our adversaries found fertile soil due to increased partisan divisions we’d created all by ourselves. And it’s debatable whether disinformation efforts by foreign powers materially affected the 2016 election. But if not, it wasn’t for lack of trying. According to a New York Times article citing U.S. Intelligence sources, state-sponsored disinformation efforts continue to this day. If history repeats itself, we will again see cyberattacks on U.S. voting software suppliers and spear-phishing attempts against local election officials as the 2020 election approaches.
Cybercriminals pivoted months ago to exploit pandemic fears, lockdowns, and business process disruption. The election too will provide excellent air cover for deceptive phishing messages as criminals take advantage of voter distraction and confusion.
Last but not least, the nation has a sordid history of voter suppression efforts by partisan forces. In 2016 and 2018, text messages, social media disinformation, robocalls, and other deceptions were used to discourage, intimidate, or misdirect would-be voters.
Social media has proven highly vulnerable to disinformation campaigns; in fact, some speculate platforms like Facebook can’t be fixed due to business models that thrive on perverse algorithms rewarding provocative and toxic content.
Cybersecurity for Democracy
Law enforcement, national defense, and intelligence agencies play a key role in protecting the digital election process. Organizations like the NSA, Department of Homeland Security, and the Department of Justice have the mandate, authority, resources, and capabilities to confront nation states, cybercriminals, and illegal partisan activities. Only government organizations can legally conduct offensive or counter-offensive cyber-operations and in some cases take down malicious web sites or domains used in cyberattacks. They can also coordinate security information sharing across civilian government agencies concerned with the election, and with the private sector.
But it is individual cybersecurity leaders – from the Chief Information Security Officer (CISO) in a large agency or corporation down to the manager of a staff of one in a small non-profit – that hold the defensive lines. And as I’ve described in my recently-published book Rational Cybersecurity for Business, the security organization typically comprises less than 1% of an organization’s staff and does not control all access to data or business processes. It governs cybersecurity only with the consent of the governed and must align with the business to be successful.
And that really brings the discussion down to the level of the individual security staffer, IT person, or business employee in a digital election infrastructure organization. Security is everybody’s business. We must build cybersecurity muscle and promote cyber-literacy to protect democracy or we just could lose it. This is our way of life that’s at stake.
A Resilient Citizenry is the Last Line of Defense
In the final analysis, the health of the democratic system depends on the citizens themselves. If we choose to focus on what divides or scares us, we will find more of it. Someday I hope we’ll look back on 2016 and 2020 and laugh gently. How could we have believed all that fake news, all the partisan propaganda? What on earth possessed us to spend hours every week using social media monopolies with self-serving and manipulative algorithms spewing disinformation like toxic exhaust?
In the darkest days of the Depression, President Roosevelt told an anxious and divided nation: “We have nothing to fear but fear itself.” When feeling overwhelmed by the media’s constantly negative news or social media’s fake news, one can just take a deep breath. Remind yourself who you are, what is your dream, and focus on your goals. Is one of those to be a good citizen, open minded, practical, and/or compassionate to others?
How can we practice critical thinking? Easy. From the more relaxed state of conscious breathing, do a belief examination exercise. Decide for yourself if a new fear or unsettling belief is real and resourceful for you. Ask: Who gave it to me, what was their agenda? Are they believable on the topic? What would accepting this and allowing it to grow in my mind get me into? What would it get me out of? Is it useful? In what context?
Cybersecurity leaders can directly deploy basic security hygiene tools, such as network security, software updating, and access controls. In organizations concerned with elections, it’s also vital to engage with the business (i.e., non-security) leaders and users on rational cybersecurity programs. Promote cyber-literacy through security awareness campaigns. Align cybersecurity to business and IT through clarified, mutually-supportive roles and responsibilities that protect election data and business processes.
Citizens ultimately hold the key. Each of us can decide not to be intimidated or discouraged from voting, and to vote from a resourceful state of mind. If we do this, all the efforts of our adversaries will be in vain. Democracy can continue improving the human condition.