The mention of "election security" among cybersecurity practitioners typically conjures up concerns about voting machine tampering, vulnerabilities, and the possibility of data breaches. But there's more to it than hardware, software, and process. Misinformation and disinformation are extremely pressing problems that are commingled with traditional cybersecurity — a multilayered attack technique that took center stage in 2020 and has only grown more endemic since.
Time may be running out as the midterms approach, but security teams on the front lines — those that work with voting equipment manufacturers, businesses that supply component parts, and those within government agencies responsible for ensuring the integrity of election equipment — can still take integral steps to combat this very dangerous threat.
As far as misinformation and disinformation are concerned, neither is a new concept. The practice of spreading mis- and disinformation (aka "fake news") can be traced back as far as circa 27 BC, when then-Roman emperor Caesar Augustus spread lies about his nemesis, Mark Antony, to gain public favor.
"Misinformation" is the unintentional spread of disinformation. "Disinformation" is the intentional spread of false information that is purposely meant to mislead and influence public opinion. Disinformation may contain tiny snippets of factual information that have been highly manipulated, helping to create confusion and casting doubt on what's fact and what's not.
In just the past few weeks, a clerk in Mesa County, Colorado, entered a not guilty plea for charges relating to her alleged involvement with election equipment tampering. She, alongside a colleague, is being held accountable for providing access to an unauthorized individual who copied hard drives and accessed passwords for a software security update (the passwords were later distributed online). The accused clerks publicly spread disinformation about election security prior to the incident.
In Georgia, election officials recently decided to replace voting equipment after forensic experts hired by a pro-Trump group were caught copying numerous components of the equipment, including software and data. It has not been found that the outcome of the election was impacted, but the fact of compromise sows the seeds of doubt and raises the question: How and where could the stolen data be used again to influence elections?
And back in February 2022, election officials in Washington state decided to remove intrusion detection software from voting machines, claiming that the devices were part of a left-wing conspiracy theory to spy on voters.
And unfortunately, the preponderance of public platforms on which anyone can voice an opinion on a topic — even if it's without a shred of factual information — makes it simple for that voice to be heard. The result is constant public questioning about the veracity of any information and data.
The amount of dis- and misinformation that can be spread grows proportionally alongside the cyberattack surface. Reasonably, the more places people can post, share, like, and comment on information (of any ilk), the wider and farther it will spread, making identification and containment more challenging.
Be Proactive When Fighting Back Against Disinformation
Needless to say, it's best to be proactive when building systems, deploying tools, and implementing cybersecurity controls. But attacks are also inevitable, some of which will be successful. To maintain trust, it's imperative to institute fast, reliable identification and remediation mechanisms that reduce mean time to detect and respond.
Recommended practices that will work to slow this impending threat include:
- Continuously monitor infrastructure: Identify all relevant systems in use, who/what is using those systems, and how those systems are used. Set baselines for usual and expected activity, and then monitor for anomalous activity. For example, look for unusually high levels of activity from system or user accounts. This may indicate that a malicious user has taken over an account, or that bots are being used to disrupt systems or send disinformation.
- Test all systems: Whether it is the software/hardware used in voting machines or the people who have/need authorized access, test for vulnerabilities and weaknesses, apply remediation where possible, and triage any identified issues along the way.
- Verify who has access to systems: Apply multifactor authentication to prevent account takeover and verify human versus bot activity to help prevent the malicious use of bots in spreading disinformation.
- Profile: Understand the most likely targets/subjects of election-related mis-/disinformation. These are often high-profile individuals or organizations with strong political stances (and, of course, the candidates themselves). It may be necessary to place greater security controls on those individuals' accounts to protect against data leakage, account takeover, smear campaigns, etc. Use the same methods for protecting systems/tools/technologies threat actors use to create and disseminate false information.
- Apply machine learning: Study digital personas, bot activity, and AI-generated campaigns. Use baselines for "normal" behavior to contrast with anomalous behavior. Machine learning can also be used for keyword targeting — identifying certain words or phrases used by people propagating disinformation and misinformation. When problematic language is used — or language is found that indicates an attack may be in the planning — flag activity or automate security controls to have it analyzed and removed or quarantined.
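
The baseline-then-flag check described in the monitoring and machine-learning items above, as an added example that is not part of the original article. It scores each account's current hourly activity against its own history with a median/MAD modified z-score; the log format, account names, threshold and minimum history length are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample data (not real logs): "<hour> <account> <event_count>".
BASELINE_LOG = """\
2022-10-01T09 clerk01 14
2022-10-01T10 clerk01 18
2022-10-01T11 clerk01 16
2022-10-01T12 clerk01 15
2022-10-01T09 svc-sync 40
2022-10-01T10 svc-sync 40
2022-10-01T11 svc-sync 40
2022-10-01T12 svc-sync 40
"""
CURRENT_LOG = """\
2022-10-02T09 clerk01 19
2022-10-02T09 svc-sync 410
2022-10-02T09 temp-admin 3
"""

def parse(log):
    """Return {account: [hourly counts]} from whitespace-separated lines."""
    counts = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            _hour, account, n = line.split()
            counts[account].append(int(n))
    return counts

def score(history, value):
    """Modified z-score (median/MAD), robust to outliers in the baseline."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # Flat baselines give MAD 0; floor it at one event to avoid divide-by-zero
    # and to keep a one-event wobble from being flagged.
    return 0.6745 * (value - med) / max(mad, 1.0)

def detect(baseline_log, current_log, threshold=3.5, min_history=4):
    """Map account -> finding for accounts that need an analyst's attention."""
    base, findings = parse(baseline_log), {}
    for account, values in parse(current_log).items():
        history = base.get(account, [])
        if len(history) < min_history:
            findings[account] = "no-baseline"   # new or rarely seen account
        elif max(score(history, v) for v in values) > threshold:
            findings[account] = "high-activity"
    return findings

if __name__ == "__main__":
    print(detect(BASELINE_LOG, CURRENT_LOG))
```

Accounts with too little history are reported separately rather than scored, since a previously unseen account on an election system is itself worth a look.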
It is unfortunately the case that humans will continue to manipulate machines for their own benefit. And in today's society, machines are used to influence human thinking. When it comes to elections and election security, we need to be focused just as heavily on how machines are used to influence the voting public. When this "influence" comes in the form of misinformation and disinformation, cybersecurity professionals can be a huge help in stopping the spread.