Why you should care
If you want to disrupt democracy with a cyberattack, forget the voting machines and go after everything else.
Since the 2016 U.S. presidential election, we have been focused on the vulnerabilities of voting machines and databases. And while there’s wide agreement that both need to be secure against physical hacking, ransomware attacks or other infiltration, adversaries don’t need to go after these machines at all. What we really need to be ready for is a broad range of potential cyberattacks.
Confusion and Chaos: The Impact of Ransomware
There’s no hard proof that the recent ransomware attack on New Orleans, the previous attack against 23 Texas government agencies or the countless unreported cyberattacks against municipalities over the past year were motivated by anything more than financial gain. But even if nation-states weren’t behind these attacks, such adversaries are undoubtedly watching and analyzing the attacks’ impact — both the direct toll on communities and the psychological one on the population. Ransomware attacks cause disorder, frustration and chaos. They are also the perfect tool to augment or conduct in tandem with an influence operation.
Imagine a threat actor launches a large-scale ransomware attack in the days or weeks before the election. They would likely use intelligent targeting, choosing states based on size and status as swing states, or because they are core to the base of a specific candidate. The disorder caused by the attack could provide an incumbent with the justification to declare a national state of emergency and delay a vote. This would provide additional breathing room while the incident could potentially deliver an image boost to an incumbent, given their “strength and leadership” in the face of a national disaster.
Alternatively, the attack could create enough confusion that a losing candidate could call into suspicion the election result. Despite a total of only four documented cases of voter fraud in 2016, claims of voter fraud continue to receive coverage. With thousands of citizens and government services affected, a successful ransomware attack could lend significantly more credibility to a completely false accusation of voter machine hacking and vote manipulation.
Trains, Traffic Lights and Tolls
Citizens need to be able to vote to provide the government with an effective and legitimate mandate. A cyberattacker could undermine this mandate by affecting citizens’ ability to physically vote — targeting transportation infrastructure and preventing people from getting to the polls. Causing even minor delays or disruption by targeting public transit, traffic lights and other transportation infrastructure could alter the voter turnout in a city or state, potentially changing national election results.
Swing states will likely be the first place attackers target. Pennsylvania is anticipated to be a key swing state in 2020, given its 20 electoral votes and the fact that President Donald Trump won the state by just 44,292 votes in 2016. An advanced threat actor could strategically target the transportation infrastructure of specific cities or competitive counties within this key swing state.
The Philadelphia metro area has more than 4 million residents, and 24 percent of the workforce uses public transit each day. Given the convergence of occupational technology and information technology in transportation, public transit is a particularly vulnerable target. It’s also one that nation-state actors have targeted before, with North Korea allegedly attempting to take South Korean transit offline at the height of the 2016 tension between the two nations. And unfortunately, our nation’s transit infrastructure is more vulnerable than we’d like to imagine, making it a compelling target. San Francisco’s transit system, for example, was hit by a successful ransomware attack in 2016 that disrupted commutes for the entire day. An attack against Philadelphia’s public transit on Nov. 3, 2020, could grind transit operations to a halt and prevent hundreds of thousands from reaching the polls.
Alternatively, an attacker could infiltrate the system controlling traffic lights, dramatically affecting the flow of traffic in a city or region and reducing roads to gridlock. A group of researchers at the University of Michigan was able to control more than 100 traffic light signals in Michigan City with just a laptop and an off-the-shelf radio transmitter. Imagine what an attacker backed by the resources of a nation-state could accomplish.
It’s impossible to know how many people these types of attacks would stop from getting to the polls, but in a swing state, even a small change would likely affect results. Even if the threat was able to be traced to an adversary, the resulting chaos, uncertainty and conspiracy theories would have devastating impacts on the perceived legitimacy of election results and, ultimately, citizens’ overall faith in democracy.
Funding & Force Multipliers
With less than a year to go before the 2020 U.S. presidential election, we need to be discussing solutions that can still have a real impact on the security of the election. And although there is no silver bullet when it comes to cybersecurity, there are strategies that states and municipalities around the country can — and need to — enact now.
To start, states should dedicate any available funding to two key areas: personnel and process, and tools and augmentation. While building out a well-staffed team is a critical element of a strong security posture, with the election fast approaching it may be too late to throw people at the problem. With the right tools, governments can both detect threats to election systems and augment existing security teams. Technology like artificial intelligence can serve as a force multiplier, detecting threats early, intelligently triaging threats, quickly integrating into current workflows and autonomously responding if staff isn’t in office.
Over the next year, all cyberattacks against smaller government entities should also be evaluated with a keen eye. Whether it is adversaries testing the waters for Election Day, or an isolated incident, these attacks erode citizens’ trust in government organizations, services and processes. Armed with the knowledge that our elections won’t be targeted in the same way in 2020, we need to use the next 11 months to prepare for the unexpected.