Election Security: Defending Democracy in Today’s Dynamic Cyber Threat Landscape
With over 50 countries heading to the polls this year, including major economies like the U.S., India and the U.K., 2024 will, one way or another, be a defining year, with over 4 billion voters – around half the world’s population – participating in the democratic process. However, amid this global exercise in democracy lurks a growing threat landscape fueled by ongoing geopolitical tensions, evolving technology and the ever-present risk of malinformation that can sway election outcomes.
In recent years, misinformation and disinformation campaigns have influenced public opinion. In the 2019 U.K. election, several political advertisements and social media campaigns deceived voters with false claims and hidden agendas. In 2016, we witnessed how foreign adversaries’ potential involvement led to a breach and a leak of confidential data to influence the public and the outcome of the U.S. presidential race. Recognizing this, federal law enforcement and cybersecurity officials have warned state election officials about the impending threats ahead of the November 2024 U.S. Presidential elections.
With lots of cyber drama undoubtedly around the corner, let’s look at what’s at stake.
Geopolitical Risks and Nation-state Attacks
The intersection of global armed conflicts and cyber warfare significantly amplifies the risk to critical infrastructure, which is pivotal in supporting election machinery across countries on the verge of upcoming elections. Elections officials and their security teams will be highly vigilant. They are planning robust security strategies in a game to checkmate their aggressors who aim to disrupt the networks of government agencies and their technology partners.
According to the Election Cyber Interference Threat Research Report 2024, the U.S., U.K., South Korea and India are the riskiest countries concerning election cyber interference from geopolitical adversaries like China and Russia. We have seen a rise in state-sponsored cyberthreats recently, with the most recent infiltration by APT29 into the Microsoft and HPE networks to spy on executives’ emails. While initial reports from Microsoft and HPE indicated limited damage, after further investigation, Microsoft reported that APT29 gained access to the company’s source code repositories and internal systems. There’s no doubt that this is a warning sign that bad actors are quietly and strategically placed in the backyards of the technology vendors who provide critical infrastructure to many governments worldwide. Similarly, in February 2024, Volt Typhoon, a Chinese group, breached vital network systems from a supplier widely used by U.S. government agencies. These are known instances of cyberthreats from foreign adversaries in the first two months of 2024 alone. Throughout the year, it’s expected that these foreign adversaries – intent on wreaking havoc – will relentlessly try to penetrate inside the walls of every sovereign democracy. While we know what we know, I’m certain we’re unaware of plenty of bad actor activity.
The Age of AI, Misinformation and Disinformation – The Run-up to Election Day
As any country approaches election day, a new battleground emerges – one where artificial intelligence (AI), misinformation and disinformation collide. The rise of phishing and vishing attacks threatens to exploit voter identities, potentially leading to election fraud. Covert influence campaigns, meticulously orchestrated, can sway voter mindsets and election outcomes. The recently published Annual Threat Assessment of the U.S. Intelligence Community, released by the Office of the Director of National Intelligence, confirmed potential international interference via social media during the 2022 U.S. midterm election cycle. And now, with the advent of AI, strategic targeting of individuals or groups of individuals via impersonation attacks will be on the rise and increasingly difficult to distinguish from legitimate communications. For example, in January, voters in New Hampshire received a robocall seemingly from U.S. President Joe Biden asking them not to vote in the state’s primary. Upon investigation, state officials determined it was an AI-enabled vishing attack intended to manipulate the elections.
In an attempt to pre-empt similar attacks, South Korea’s National Police Agency (KNPA) has implemented a tool to detect deepfakes. These sophisticated algorithms aim to identify manipulated videos and prevent their spread during the elections. The issue we must recognize here is not limited to the spread of misinformation but extends to the human tendency to readily believe the messages people see or read regularly.
In our increasingly digital world, many voters depend on social media as their primary source of news and information despite the general knowledge that it’s a breeding ground for rampant misinformation and disinformation. Safeguarding elections is a combined responsibility – of the people and by the people – in any democracy. As such, all stakeholders, including political parties, election officials, social media websites and voters, must work together and adopt best practices and measures to protect the electoral process.
Election Infrastructure is an Expanded Threat Vector
The shift from analog to digital and physical to virtual impacts not only the workforce in the digital era but also voters worldwide. In this sea of change, nations must secure and protect every aspect of their election machinery. These are the critical aspects that require special attention to ensure a successful democratic election exercise:
- Voter registration databases decide who can vote where and store highly sensitive personal information, such as names, government ID numbers, dates of birth and addresses, for millions of voters in each country. Voter fraud is a real threat if voter identities and credentials are stolen and misused to cast unauthorized votes. If exposed, this information can also be used to swing election results through various methods in which bad actors persuade voters (via social engineering) to vote a particular way.
- Electronic poll books (EPBs) are endpoint devices or kiosks designed to partially automate the voter check-in process, detect ineligible voters, assign correct ballots and keep tabs on voters who have issued a ballot. EPBs can be targeted in many ways, including DDoS, malware attacks, data breaches and system vulnerabilities.
- Electronic voting machines (EVMs) are terminals where voters can cast ballots in person or scan mail-in votes. The threat vectors for EVMs are similar to those for EPBs. Outdated EVMs are at high risk. For example, the EVMs used in India were designed in 1989. Such machines run the risk of dated software with potential vulnerabilities that, if exploited by bad actors, can cause irreparable harm to the election results.
- Tabulation is the process of counting the ballots cast at the polling places. Bad actors can hack into voter tabulation systems to disrupt an election and its results.
- Websites that provide voters with information on election processes can be disabled by bad actors and cause inconvenience and confusion for voters.
Defend the Democratic Exercise with Defense-in-depth
In the high-stakes world of election security, trusting a single line of defense is not enough. That’s where the concepts of defense-in-depth and Zero Trust come in, offering a layered approach to protecting critical election machinery. The following multi-layered approach is crucial for protecting all access points to election systems, from voter registration databases to voting machines:
- Defense-in-depth strategy uses multiple, independent security controls, such as firewalls, intrusion detection systems and network segmentation, to protect election systems from different angles. Even if one layer is compromised, the others can prevent or slow down the attackers, buying valuable time to respond and contain the threat. This is a non-negotiable consideration in fortifying every aspect of the election machinery.
- Zero Trust is a principle that assumes no trust within the system and requires continuous verification of every user and device, regardless of their level of access. Users and systems should be verified continuously and given minimum access to perform their duties while always assuming breach. Our research indicates that most organizations believe identity and endpoint are the top two considerations for a successful Zero Trust implementation. This means IAM capabilities (i.e., phishing-resistant MFA, SSO and PAM) and endpoint protection are critical to ensuring fine-grained control over who accesses which data where and for how long.
- Identity Threat Detection and Response (ITDR) is a relatively new capability that detects and responds to identity-based threats, such as credential theft, privilege misuse and misconfiguration across the complex IAM landscape spanning hybrid and multi-cloud environments. ITDR can help analyze, report and remediate unprotected access paths and adversarial behaviors.
- Endpoint protection incorporates antivirus software, removal of admin rights, and patch and change management.
- Data security is bolstered by encryption, access controls, backups, monitoring and data classification to ensure data confidentiality and integrity.
Don’t Forget Basic Cyber Hygiene
As we battle the rising cyber risks during this election year by enabling security practices and processes to help safeguard the democratic exercise, it is equally important to brush up on the basic cybersecurity hygiene practices that have been around for years. Remember, even though national elections around the world happen on a cadence of four to five years, these cybersecurity hygiene practices have to be done more frequently for them to become second nature for every individual, whether it is election year or not.
- Poll worker training should include methods to recognize and report suspicious behavior, identify EVM errors or glitches and safeguard voter data.
- Voter training and awareness must include best practices for identifying legitimate sources of news and information and incorporating practices to protect against potential AI-generated deepfakes, phishing and vishing attacks.
- Audit and monitor the security posture and threat landscape frequently across all aspects of the election machinery in the run-up to the elections and afterward.
- Equipment testing should include user-centric design, ballot secrecy, security (such as software updates and change management), language options, consistency in user experience and general accessibility.
- Contingency planning must cover backup and disaster recovery strategies in the event of a cybersecurity incident to avoid disruptions and unexpected outages.
The Election Process is a Collective Responsibility
As a CIO, I recognize that securing our election processes is not an isolated task but a collective responsibility, and we cannot do this alone. It requires partnerships between government agencies, technology vendors, election officials and, most importantly, voters. The 2024 elections, encompassing over half the global population, face unprecedented threats from cyberattacks, misinformation and outdated technology. Defense-in-depth does not start with products; it begins with us. It’s time we all do our part as individual voters, election officials, politicians – and, yes, technology providers. The time to act is NOW.
Omer Grossman is the global chief information officer at CyberArk. You can check out more content from Omer on CyberArk’s Security Matters | CIO Connections page.