With Election Day over, Americans await the final vote counts. As this contentious race coming to a close, securing digital data is now more critical to the democratic process than ever before. With nation-state actors seeking to undermine Americans’ trust in their time-honored process, ransomware attacks on local governments and disinformation campaigns will likely continue to rise. As Americans, we owe it to ourselves and our process to understand these threats and their actual impact on our electoral process. Cyberattacks undermine our democratic process when they reinforce disinformation campaigns because we fail to understand the attack type and its effects.
Understanding the data security triad
Data security protections focus on three elements:
- Confidentiality: ensuring that no one gains unauthorized access to non-public or sensitive information
- Availability: ensuring that the people who need access to data have it at all times
- Integrity: ensuring that no one makes unauthorized changes to data
In protecting election results, the two most important aspects of this triad are availability and integrity. Confidentiality matters to the individuals but not necessarily the overarching results. For example, I may not want anyone to know the candidate I chose, but if the information is released publicly, it won’t change how my vote is counted.
Availability can impact election results but only temporarily. For example, if a cloud database containing election information is unavailable, officials cannot access the information. However, most organizations, public and private, protect against this. Any service outages can be overcome.
Integrity, however, is where we need to focus our attention. Attacks that give cybercriminals the ability to manipulate data can change the outcome of an election. However, even local governments should have the ability to trace an attack, locate impacted data, and quantify the impact. The forensic process takes time, but it can be done.
Remain calm in the presence of ransomware announcements
Ransomware attacks generally do two things: they encrypt data so no one can read it and steal private information to sell on the internet. As we hear about these attacks, we need to think about what that means and what protections local governments likely have in place.
A ransomware attack that encrypts data to make it unusable was devastating during early iterations. Organizations – private and public – caught off guard lacked appropriate backup and recovery solutions. Today, cybercriminals evolved ransomware attacks to steal data because organizations enhanced their backup and recovery processes.
What does this mean to our election results? In this case, likely very little. First, even budget-strapped local governments have robust backup and recovery solutions today because they need to meet business continuity and disaster recovery regulatory compliance requirements. Thus, even if encrypted, the data will most likely be available.
Stolen data poses a different problem but not one that would impact the election results themselves. Cybercriminals sell stolen data, but its value lies in the ability to steal identities and commit fraud. While socially and economically problematic, stealing non-public personal data in voter records likely has little to no impact on the actual election results.
In short, even as we hear about cyber attacks against local governments, we need to think about what the attacks do to information, how they use information, and whether the attack type impacts election data integrity.
Guard against disinformation
More than anything else, malicious nation-state actors want to undermine Americans’ belief in the democratic process. Over the next few days or weeks, many Americans will find themselves anxiously glued to their screens – mobile, television, computer – reading news and following social media intensely. Disinformation campaigns, unlike other cyber attacks, have no impact on election data confidentiality, integrity, and availability. They act more like phishing attacks, preying on people’s psychological weaknesses.
Disinformation attacks are different from misinformation. Misinformation is generally defined as false or inaccurate information shared inadvertently without the intention of harm.
Disinformation is more insidious. A March 2019 report titled “Weapons of Mass Distraction: Foreign State-Sponsored Disinformation in the Digital Age” that can be found on the US State Department’s website defines disinformation as “purposeful dissemination of false information intended to mislead or harm.” The report continues to explain that disinformation can include “authentic material used in a deliberately wrong context to make a false connection, such as an authentic picture displayed with a fake caption.” In other words, many of the memes shared over the next few days, weeks, or even months are likely to be part of disinformation campaigns.
As Americans, we need to protect our democracy from these campaigns, which are more insidious than a ransomware attack. Additionally, unlike a ransomware attack, we have the power to stop disinformation campaigns from being successful. How?
- If it looks too good to be true, it probably is. That meme that you love and feel so perfectly fits into your political beliefs may have been created by malicious actors.
- If it seems too surreal to be real, it might be. That tweet that appears to show just how broken the process is may be fake.
As Americans and voters, we need to do our due diligence online. A few weeks ago, for example, one of my Facebook friends shared a post that was a tweet about protestors trapped in a church. I did my due diligence, looked up the name of the alleged person posting, looked for the Twitter account, and found nothing.
This is what disinformation looks like. This is what we, as Americans, owe our democratic process. We need to be vigilant. We need to stay focused. We need to make sure that we are not helping disinformation campaigns.
Working to protect digital democracy
As Americans, we need to do the work that protects digital democracy. We need to think and research. We need to remain calm amid the information hurricane.
Frankly, any attacks that would undermine election data integrity are probably already in place. The types of attacks that we should worry about are called “advanced persistent threats” or APTs. These attacks infiltrate networks and systems using malware or stolen credentials, then sit there undetected for long periods of time. In short, by the time security teams discover these attacks, we may have passed the inauguration and be far into the next Congressional session.
Moreover, coordinating APTs on the scale necessary to undermine the election results would be difficult. Cybercriminals would need to have targeted specific systems and networks, successfully gained entry, and remain undetected. They would need to have done this in enough cities and towns across a wide swath of states to truly impact the integrity of enough voter data to undermine the election results.
The majority of cyberattacks arise from criminals casting a wide net across the internet looking for small holes in organizations’ security. In other words, they throw as much bad mojo into the internet as possible and hope to get lucky. A coordinated, targeted attack large enough to invalidate election data nationwide is unlikely.
However, news of cyberattacks can be used as part of disinformation campaigns that undermine the democratic process. As Americans, we need to prevent being used as pawns in disinformation campaigns. We need to pause, reflect, and review the information before sharing.
Will we see cyberattacks in the next few days and weeks? Of course. Cyber Attackers never stop. Cyberattacks happen every day, even if most of them never make the news headlines. However, we need to focus on one question: Did the attack impact the data’s integrity? In most cases, the answer will be “no.” Election data integrity will be the key to the integrity of our democratic process.
- The Cybersecurity Executive Order: Why CMMC May Be the One Standard to Rule Them All - May 26, 2021
- Protecting Digital Democracy - November 12, 2020