The past two years have seen electoral contests taking place in several countries long regarded as key players on the global stage. However, the elections raised a whole host of questions, among which the most pressing was whether a cyberattack could influence an electoral process to the extent of causing a shift in the political course of a nation?
To venture a definitive answer to such a question would be a daunting task for anyone, regardless of whether sitting in the chair of a political scientist or cybersecurity researcher. Nonetheless, it has become apparent that the scenario in which we currently find ourselves poses a number of challenges. There is substantial evidence that the implementation of electronic voting has yielded results that are far from secure, as we will demonstrate here.
Moreover, there are two other crucial factors to which we must draw attention. Firstly, the influence of social networks on public opinion, especially in respect to pushing a political agenda, particularly the way in which they support hacktivism; and lastly, the need to include national cybersecurity issues as part of the political agenda.
Insecure electronic voting systems
It was only a matter of time before information technology would be incorporated into the electoral process, especially given the reasons why certain countries (such as Argentina, Brazil, Germany and the United States) decided to introduce a limited implementation of electronic voting, to some extent: to put an end to fraud, to standardize and speed up the counting process, and to supplement rather than replace the paper ballot system.
We can all agree that technology advances inexorably, but perhaps efforts should be aimed toward implementing more control mechanisms rather than favoring an approach that actually adds new points of failure without removing any of the risks.
Just as unscrupulous campaign officials, activists and other key players have found ways to commit fraud over the years by exploiting the electoral system itself, soon cybercriminals will discover ways to capitalize on the digital system, particularly if they are armed with sponsorship of some kind.
Back in 2006, Finnish computer programmer and co-founder of ROMmon, Harri Hursti had already demonstrated in the well-known documentary Hacking Democracy, how the Diebold voting system in Leon County, Florida, could be easily and completely compromised just by using a memory card.
Just like that, he was able to change all of the votes without being detected. Nonetheless, this same software – that with just a few adjustments, a new name and a change of ownership – continues to be used in the United States to record and count tally votes.
Fast forward 10 years and very little has changed, other than the fact that additional evidence has been revealed. Brazil’s electronic ballot box has been mired in controversy since 2012, when it was discovered that it was possible to crack voting secrecy completely. After years of substantiated allegations of vulnerabilities, the Superior Electoral Court will go back to implementing paper ballots (in a hybrid format) for just 5% of ballot boxes to be used for elections in 2018. Meanwhile, electronic ballot procedures in both Argentina and Germany have been shown to be flawed as well.
The preponderance of evidence to date strongly suggests that we cannot rely solely on technology for something as significant to our lives as the electoral process; it must only be used as a complementary tool. If the idea is to mitigate any and all forms of fraud, thus boosting faith in both the results and our democracies, we must consider hybrid systems with both paper and electronic ballot records.
Hacktivism that can change public opinion
Social media has become the new frontier of the political stage and is used by political campaigns to reach increasingly large numbers of people. As we now know, these same networks have also been used to undermine electoral campaigns by spewing falsehoods, and promoting fake news reports, not to mention widespread attacks on reputation aimed at public figures.
A number of these attacks use computer threats such as bots or other form of malware, which could be mitigated with adequate security management protocols in place. Otherwise, what might appear to be the indication of a trend may actually be the manifestation of a group of attackers.
While such an attack might help to manipulate or skew popular opinion, it does not signal doomsday for democracy. It does, however, pose some critical cybersecurity challenges in order to ensure that the voice of the populace is truly represented in the elections.
The “Defending Digital Democracy” program, announced earlier in July, is backed and endorsed by companies like Facebook and Google, which suggests how highly they rate the importance of securing these types of mechanisms.
If the parties involved don’t take matters into their own hands, these kinds of incidents will continue to happen well into the future.
National cybersecurity
If technology is a major part of our lives, then the governments must be tasked with the responsibility of ensuring that users interact with technology as safely as possible, by implementing national cybersecurity programs engaging with key players, such as CISOs and auditors.
And if public officers, such as court authorities or voting commission officials, must make decisions regarding the implementation of certain technologies, then they should undergo cybersecurity training appropriate to the situation, to help them make the most suitable choices.
There is no doubt that new risks come with every new advancement, but if we want to use technology to improve our lives, then we must prevent it from creating greater problems overall than benefits. All aspects of an electoral system must be regarded as part of every country’s critical infrastructure (and be safeguarded as such).
The challenges are laid out before us. Now is the time to engage in preventive measures that focus on the digital security of information, and all those involved must contribute to solutions that guarantee the proper implementation of democratic processes.