Election security took center stage at Black Hat, but not in the usual, who can hack a voting machine way. Hardware and software vulnerabilities still exist. But the COVID-19 pandemic, rampant disinformation campaigns, disenfranchisement, and impatient voters may pose far greater security risks.
“I’m a computer scientist who studies computer security, which is full of terribly hard problems. I don’t think I’ve ever encountered a problem that's harder than the security and integrity of civil elections,” said Matt Blaze, the McDevitt Chair in Computer Science and Law at Georgetown University who kicked off the annual security conference with an opening keynote. “It’s fundamentally orders of magnitude more difficult and more complex than almost anything else you can imagine, or that we do.”
‘Software Is Really Hard to Secure’If states proceed with in-person elections in November using electronic voting machines and ballot scanners, then software security becomes paramount to election integrity, Blaze said.
“Software ends up touching almost every component of a modern election,” he said. “So the correctness of any software you’re depending on for that purpose is critically important.” But, he added. “software is really hard to secure.”
Blaze highlighted a couple projects in the works that aim to improve election security. One of these, led by Ron Rivest, tackles “software independence” in voting systems, which ensures that software changes or flaws cannot alter the election outcome. Rivest is the “R” in RSA, and co-inventor of that cryptosystem.
The second, led by University of California, Berkeley professor Philip Stark, details “risk limiting audits” to ensure election integrity.
Election Security in the Time of COVID-19While software security flaws aren’t a new concern, the 2020 election added a twist to the bigger election security picture: a global pandemic.
Scaling up mail-in voting, which several states already use, is the simplest way to address health and safety concerns related to the pandemic, Blaze said. But this brings some of the other threats — like voter distrust and election integrity — into sharper focus, especially when President Donald Trump tweets about universal mail-in voting being fraudulent and inherently insecure despite the facts not supporting either of these claims.
Blaze pre-recorded his keynote, as did all the presenters at this year’s virtual Black Hat. Just days before the event, however, Blaze responded to Trump’s now-infamous tweet suggesting the election be postponed. “I recorded my Blackhat keynote before this tweet was sent out, but my talk specifically addresses the president’s (baseless) concerns,” Blaze tweeted. “Perhaps he should log in when it’s streamed next week."
Who Will Use the Russia Playbook?Chris Krebs, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), sounded a more optimistic note in his talk about securing elections. The federal government learned from Russia’s interference in the 2016 election, and since 2017 has been working with state and local governments, and the private sector, to share intelligence and prepare for the 2020 election.
The agency also deployed a signature-based intrusion detection system called Albert across all 50 states, he said. “And we can ensure the security of the 2020 election. That visibility gives us the confidence that 2020 will be the most protected, most secure election in modern history,” Krebs said.
Additionally, over the summer CISA rolled out “a pilot program across the country to introduce endpoint detection and response capabilities in a number of jurisdictions.”
But, he added, “there’s more to do. For one, we have to continue preparing for capable, disruptive actors.” In addition to Russia, China, Iran, and North Korea are using the Russian playbook from 2016 and targeting voting infrastructure.
“We also have to recognize the change is in the air — literally COVID — changing the way that elections happen across this country,” Krebs said. “Lastly, you come into play here. We have to have an informed, patient voter.” And this is easier said than done.
There is a good chance that Americans won’t find out who won the presidency on election night. Mail-in ballots take longer to count than in-person voting, and more Americans will likely vote by mail because of COVID-19 concerns this year.
Hacking Public OpinionAdditionally, while disinformation and using fake identities to influence public opinion is not a new phenomenon, social media makes it so much easier, cheaper, and faster to do.
“As early as 2004, state actors begin to realize that this infrastructure is at their disposal as well, and that they can turn the social web into a vast propaganda and disinformation machine,” said Renée DiResta, research manager at Stanford Internet Observatory, in her Black Hat keynote. “They can use fake accounts, so fake accounts are the kind of modern incarnation of agents of influence. They can game the algorithms. They can create front media properties that actively mislead the public, which is another very, very old tactic that suddenly become effortless to execute. They can do all of this quickly and cheaply, because they’re ultimately using the system as it was designed to be used.”
In 2020, this includes China’s fake news agency posts praising that country’s response to COVID-19 back in February, and Russia creating fake Black Lives Matter social media accounts and webpages to stoke civil unrest and racial tensions earlier this summer.
DiResta said, in the months leading up to the election, she expects to see more of this amplification of narratives by state-sponsored attackers. “What we’re starting to see more and more, is sophisticated information operation actors hiring locals, or paying unwitting locals to serve as conduits for their content,” she said. “Or, what they’ll do is they’ll simply amplify sensational narratives that are already trending on Twitter as political ideologues domestically use the same kind of gaming of algorithms to try to get their stuff trending. But ultimately the goal will be to undermine confidence in the legitimacy of the election.”
Human Factor Comes Into PlayThreat researchers and vendors agree that the election security issues in 2020 will likely stem from the human factor rather than voting technology itself. In virtual happy hours and video calls on the sidelines, disinformation campaigns and voter disenfranchisement regularly topped the list of election security threats.
Marc Rogers, executive director of cybersecurity at Okta, said threat researchers are starting to better understand how disinformation campaigns work. “What we’re realizing is that they’re actually not that dissimilar from things like malware campaigns and hacking campaigns,” he said, adding that they have a similar maturity curve. “We’re starting to recognize things like, in order to do a really good astroturfing campaign, the bad guys have to put in place significant amounts of infrastructure and they have to do it well in advance of the disinformation campaign.”
This includes creating a large number of bots on social networks as well as sock puppet accounts, and they have to be deployed long before the event itself — like the November election — so that they look legitimate.
“I don’t think that the major threats to the election are going to come from technical attacks,” like voting machine hacks, Rogers added. “I think they are absolutely a risk to be addressed. But I think, just like in 2016, the biggest issues are those that come from the human factor — manipulating people either with disinformation campaigns or doing things that inhibit people’s ability to vote. I’m still concerned about November. I think there’s still a lot of risk. And some of it we haven’t quite wrapped our arms around.”
But, he added, the strong focus on election security at Black Hat is a positive start.
Voter Disinfranchisement“I’m most concerned with voter disenfranchisement by manipulation of voter rolls, so that when a voter attempts to vote, whether by mail or in person, they cannot be authenticated,” said Tom Kellermann, head of Cybersecurity Strategy at VMware Carbon Black, during a virtual Black Hat happy hour. “That’s fairly easy to do across systems now because of the hodgepodge security standards that exist and the outdated systems that exist. That is my No. 1 concern right now. It’s not actually the manipulation of tally, but it’s actually the suppression of voters because you manipulated the integrity of records so that their votes don’t count.”
Dave Wolpoff, CTO and co-founder of Randori, said people typically ask him about hacking voting machines. He’s a “red team” hacker, and his company’s platform stages simulated attacks to test for vulnerabilities and help defenders assess their real-world security.
“Yeah, you can hack a voting machine,” he said. “It’s been proven time and time again. But a bunch of more systemic issues need to be addressed in order to secure an election. Ultimately, most systems in the U.S. are faith based in the sense that everybody has to believe in them for them to work. And so I worry most about disinformation, disenfranchisement, access, particularly with COVID going on. I think there’s a lot of great opportunities for folks to leverage the human psyche to help get them to do the optimally wrong thing for the outcome of an election overall.”
Information WarfareMax Vetter, chief cyber officer at Immersive Labs, called it “information warfare.” And, he said, the Western nations aren’t very good at it compared to our Eastern counterparts. “It is understanding that what goes on Facebook really makes a difference. It sounds trite, but people get their news through those mediums. Whether its real news or fake news, a lot of people get all their news from it.”
And even real news organizations aren’t immune from state-sponsored hackers, Kellermann added. “When a mainstream media outlet is compromised during the election, and then pushing out false information, that concerns me as well.” The “saving grace” in this scenario, he added, is that Russia and China disagree on who should be elected president.