Two very dangerous words figured prominently in the lexicon of democracy this year — election hacking.
On one level, the solution to this problem is quite straightforward.
In his recent Quora Session, Mikko Hypponen — F-Secure’s Chief Research Officer — offered some simple advice to help democratic countries protect their election systems from the rising threats from hackers.
“The way to protect elections is to keep them on pen & paper. Seriously,” he wrote. “I’m a big fan of digitalization, but I’m not a fan of electronic voting.”
Simple, right? Perhaps in a country like Finland where citizens tend to only vote for one candidate at a time.
“Then again, voting in countries like USA is hard to do with purely pen & paper, as they tend to vote on such a wide variety of topics – including voting for the local district attorneys or sheriffs,” Mikko noted.
In addition to voting for various federal and local candidates, voters in California were asked to weigh in on 17 different ballot propositions on issues ranging from legalizing marijuana to rules for actors who star in adult movies.
So if a complicated ballot makes digitalization necessary, Mikko recommends a “voter-verifiable paper trail.” This would give officials the ability to verify “weird” results.
But even strict adherence to pen and paper would not prevent the sort of “hacking” the United States experienced in 2016 because — as Erka Koivunen, F-Secure’s Chief Information Security Officer, explains — there are several ways to “hack” an election.
He puts election hacking in terms of Olympic medals:
gold = dictate the result
silver = guess the result
bronze = question the election process and/or result
Based on this model he notes that “the Russians undoubtedly got at least bronze” in the 2016 presidential election, if you believe the analysis of top intelligence agencies and cyber investigators.
And this sort of “hacking” already seems to be taking place in Germany, which will hold federal elections in 2017, with Wikileaks’ release of documents that seem to reveal a secret relationship between Chancellor Angela Merkel’s government and the U.S.’s National Security Agency.
Both Germany and France, which also holds federal elections in 2017, have parties that have aligned with Russian president Vladimir Putin. Nationalists aligned with Russia seem to have carried out a failed attempt to disrupt an election in Montenegro earlier this year, possibly in hopes of dissuading the nation from aligning with NATO.
While a bronze medal in election “hacking” may not alter the course of an election, it helps undermine democracy itself. The prospect of a vaguely “hacked” election presents numerous dangers for the peaceful transfer of power. Losing candidates tend to search for any reason to cling to their office, as in the case of defeated Gambian president Yahya Jammeh.
“If there are underlying procedural and maybe even legal weaknesses in key democratic process, they will be exploited by 3rd parties that are hostile to democracy,” Erka tells me. “Leaving doors open for cybersecurity threats and massive disinformation operations only makes things worse.”
What’s especially alarming is how easy it can be to “hack” democracy.
The emails Wikileaks released from Hillary Clinton’s campaign chairman were exposed — and helped alter the course of American history by degrees no one can exactly quantify – by a relatively simple phishing scam.
“The poorly secured private email accounts and cell phones of the D.C. political class are America’s cybersecurity soft underbelly,” Christopher Soghoian, formerly of the American Civil Liberties Union, tweeted.
“Too many policy insiders use a mixed array of BYOD devices, consumer grade cloud services and act in pretty reckless fashion by paying little attention to the security aspects of the configuration of their devices,” Erka told me.
Officials inside governments are obligated by law to follow rules of handling classified information. But the Podesta hacks revealed that any sort of communications by those connected to the highest echelons of power can be used to “hack” an election.
“The political aides and non-governing party officials however are exempt from those rules but they still participate in discussion about potentially sensitive or even classified discussions,” Erka tells me. “The same ‘soft underbelly’ Mr. Soghoian describes is evident in practically all governmental affairs around the world.”
Actual election systems are much harder to hack than people, mostly because there are so many of them in so many varieties. And it would be almost impossible if you stick with Mikko’s pen and paper suggestion.
But actual votes are one part of the election system, Erka points out.
“The whole _system_ must be designed and implemented in a manner that is ‘tamper evident’ so that attempts to commit fraud, hack into or just falsely claim victory would be successfully detected and pushed back,” he says.
Even then, foreign or domestic hackers could still win a silver or bronze medal by focusing on the variety of ways election results are conveyed to the public.
Sean Sullivan — F-Secure Security Advisor — noted before the U.S. election that it would be relatively easy to hack the Associated Press, the news service that calls the races in real-time. But there was no election night hacking in the U.S. that we know of, this time.
Who knows what’s coming next?
[Image by Robert Palmer | Flickr]