Critical Infrastructure

What cyberthreats could wreak havoc on elections this year and how worried should we as voters be about the integrity of our voting systems?

Election cybersecurity: Protecting the ballot box and building trust in election integrity

This year, billions of people will go to the polls to decide their next political leaders. From India to the US, the outcomes of these and other elections could shape geopolitics for the coming years. With so much at stake, concerns are mounting about election interference.

So what cyberthreats are real and present – beside the deepfake disinformation threat? What kinds of safeguards exist to prove the integrity of voting systems? And how concerned should we as voters be?

What’s at stake?

In 2024 there will be national or regional elections in the US, EU, UK, India, Taiwan, South Africa, Mexico and many other countries. On paper, nation states, hacktivists or even financially motivated criminals could target online election infrastructure to change votes, or interfere with voter registration databases to disenfranchise individuals en masse. Or they could look to disrupt election day activity by targeting online machines, or other pieces of infrastructure that may make it harder for people to get out and vote. One other scenario is attacks targeting reporting of results, in order to cast doubt on the result.

There’s plenty at stake, therefore, in terms of outside forces potentially changing or influencing election results in order to get the candidate elected that they want. But there’s also good news.

The good news

Despite some assertions that the 2020 election in the US was ‘stolen’, there is no evidence to back this up. In fact, the US Cybersecurity and Infrastructure Security Agency (CISA) published a long list of rebuttals to some of the most common rumors about election interference. They include assertions that:

  • election officials regularly update voter registration lists to ensure they’re as accurate and currant as possible
  • various security measures exist to protect the integrity of mail-in ballots, including voter identity checks
  • there are robust safeguards to protect against tampering, with ballots returned via drop box
  • federal, state, and/or local election authorities rigorously test and certify voting machines and equipment for vulnerabilities
  • signature matching, information checks and other measures are designed to protect against voter impersonation and ineligible voters casting a ballot

There’s another reason to feel confident in the integrity of elections: in countries like the US, different types of voting machines and registration technologies exist. These handle activities at all stages of the election cycle including:

  • pre-election activities: think voter registration and the handling of absentee voting.
  • election day: includes Direct Record Electronic (DRE) voting machines (where users cast a vote directly) and Optical Scan Voting where paper ballots are scanned and votes tallied. Results are then submitted and centralized electronically.
  • post-election activities: includes post-election audits and publication of unofficial election night results, on public-facing websites.

There is some concern over DRE machines if they could be remotely compromised. On the other hand, in the US, like in many other countries, this is not the main way in which ballots are cast. And the use of technology in general is so decentralized and diverse across the country that it would be extremely difficult for a single entity to hack and change enough results to influence an election effectively.

Where are the main threats?

However, there are still valid concerns that bad actors could single out a district or city in several swing states. Even if they can’t change the results, they could theoretically undermine confidence in the results by making it difficult for individuals to cast their votes, or interfering with the reporting of results.

CISA identifies three key cyberthreats:

  • Ransomware: This could be used to steal and leak voter registration data, or deny access to sensitive voter and election results information. It could also be used to disrupt key operational processes like registration and candidate filing.
  • Phishing: This is a particular threat for election officials, who need to open email attachments during their day-to-day work. Threat actors could easily disguise malicious payloads with social engineering lures which leverage election themes. The result could be a covert download of ransomware, information-stealing malware or other malicious code.
  • Denial-of-Service (DoS): Distributed Denial-of-Service (DDoS) attacks could block voters from accessing key information that would help them to vote, such as the location of their closest polling station, or information on the main candidates. Indonesia’s General Elections Commission said it recently experienced an “extraordinary” number of such attacks on its own and other sites during national elections.

Keeping elections safe

The good news is that the topic of election security is now very much in the mainstream, with CISA offering numerous resources to election bodies, which administrators in other countries could benefit from. The most secure form of voting, of course, is by paper. And that is the way most ballots are cast in many countries including the UK, EU and US. But as long as the voter registration and election infrastructure are targeted, concerns will persist.

Best practices for mitigating the threat of phishing, ransomware and DoS will still be valid in this context. They include regular penetration testing and vulnerability/patch management programs, multi-factor authentication (MFA) and network segmentation. Fortunately, there are also plenty of providers on the market that offer cloud-based DDoS mitigation, phishing detection and rapid response to ransomware.

In many ways, the biggest threat to election integrity will be from disinformation campaigns, including deepfakes. And “hack-and-leak” attempts to influence opinion in the run-up to voting day, as happened before the 2016 US presidential election. Many of us will hope that, wherever we’re voting and whatever happens, the result is not in any question.