Another day, another hacking. At least, that’s what it seemed at first.
In August, two election databases in Arizona and Illinois were hacked. Arizona responded by shutting down voter registration for nearly a week, and in Illinois, the breach resulted in the compromise of more than 200,000 voter records. Hackers breaching databases has become so commonplace that the loss of personal information barely raises an eyebrow for most Americans. This hack, like so many others, received little attention at first.
Fast-forward two months and these breaches have taken on new significance. Russia is now credited not only with these voter database hacks, but also with attacks on numerous Democratic National Committee members and key current and former U.S. government officials. Election-related hacking coincides ominously with presidential candidate Donald Trump’s unsubstantiated claims that “the election is rigged” and his threats to not accept the election’s results if he were to lose. Americans, he suggests, can’t trust the outcome because of its manipulation and inauthenticity.
While these breaches have helped sow the seeds of distrust, in reality, hacking the election remains technically challenging, even for state actors like Russia. But in this election, perceptions may overtake reality, and even if Russia fails in its attempts to hack the election, the doubt it raises can still bring it a strategic victory over its American rivals.
Deceptively Simple Hacks
Everyone who has investigated hacking activity—including the U.S. Department of Homeland Security, the Office of the Director of National Intelligence, and private cyber security companies such as CrowdStrike—has concluded that Russia is behind the latest efforts to hack U.S. officials and government offices.
Contemporary depictions of hackers often revolve around young computer whizzes cloaked in hoodies who perpetrate complex hacks against sinister targets out of their basements or neighborhood coffee shops. But as the Russian hacking of email accounts and the election databases has shown, the reality is far less glamorous. In the recent cases, an organized cadre of Russian hackers likely carried out these breaches using advanced malware specifically designed for taking down a target.
Russian hacking has relied heavily on three basic and intertwined methods that have been widely used by organized criminal hackers for more than a decade. One, social engineering, involves attackers who use social skills and a false identity to compromise a victim. It is, and has been, the foundation of Russian operations. By impersonating individuals and organizations known to the target, hackers can then deploy a spear phishing attack to access accounts. These attacks, which are highly tailored to the individual, induce targets to click on a compromised link or email attachment.
Russian spear phishing links have then directed targets to watering hole sites, which are false web pages that impersonate a real site. These can include bogus email login pages where victims unwittingly type their usernames and passwords, giving hackers access to their email accounts and databases. By impersonating an individual or organization known to the target, Russian hackers have spear phished DNC staffers, Clinton campaign members, and former Secretary of State Colin Powell.
All Americans are highly vulnerable to these attacks, including everyone from former heads of state to local election officials in Illinois. Even more sophisticated internet users ultimately fall prey to these basic techniques. Probability is on the hackers’ side: The target of spear phishing attacks must detect and avoid every single attack, whereas a sophisticated and persistent hacker need only compromise a target with one successful click of the mouse.
Why Russia Is Hacking U.S. Officials and Offices
To understand Russia’s recent attacks on American democracy, one simply needs to look back to the country’s Cold War tactics.
Outpaced by American military spending and military innovation—and challenged by the North Atlantic Treaty Organization (NATO)—the Soviet Union sought an alternative approach to counter the U.S. Rather than match America on the battlefield, the U.S.S.R. sought to erode the U.S. from the inside out—using the “force of politics” rather than the “politics of force” to break democracy, fracturing the unity of the American populace and degrading trust in U.S. institutions. In a program known as “Active Measures,” the Soviet Union would deploy agents and provocateurs to spread propaganda amongst American dissident groups and communist causes throughout the Western world.
Cold War efforts to use propaganda to shatter the U.S. democratic system largely failed, but the internet and particularly social media have provided Russia’s “Active Measures” a renewed opportunity to foment American dissent. In contrast to the Soviet era, social media and the wealth of information available through the internet provide Russia the ability to access and disrupt American political figures and democratic institutions without setting foot in the U.S. Plus, the costs associated with hacking and social media manipulation are far lower for Russia—both in terms of money and risk—than deploying actual humans to influence U.S. elections.
The goal is simple: break American confidence in democracy by either directly disrupting the democratic process or eroding its integrity. By sowing doubt among voters and raising questions about the authenticity of a candidate’s appointment, Russia can create internal American dissent that distracts U.S. policymakers, permitting Russia to move more aggressively towards its foreign policy goals.
Even when U.S. policymakers might challenge Russian aggression, domestic support for their policies will be weaker and less cohesive. Any coordinated action against Russia will then be slowed or disjointed.
Could It Happen?
Aside from simply sowing doubt among the electorate, Russia may also seek to disrupt the election directly. Hacks might occur in two different ways, each seeking different objectives. First, hackers could seek to affect voter turnout by destroying, manipulating, or denying the availability of voter records on Election Day. In addition to being suppressed, turnout could also be manipulated in favor of one candidate or another. Destroying voter rolls would make it difficult for a municipality to hold a vote, since officials would be uncertain as to who is authorized to vote. Manipulating the voter rolls would be an even more sinister tactic. By inserting voters into the rolls multiple times or adding unregistered imposters, a hacker could sow mistrust in election results.
In those locations now using electronic voting, a successful hack might destroy the results from a precinct, alter them to support a particular candidate, or prevent the voting machines from functioning properly. In each of these scenarios, the effect would seriously undermine the integrity of an election and by extension democracy as a whole. Americans would lose trust in the voting results and in the viability of a democratic system.
If it didn’t cause immediate pandemonium and disarray in the U.S., the failure of an electoral process would likely erode democratic participation in the long term. What American would want to vote in an election, observe law and order, participate in citizen duties like the military draft or jury duty, or even pay their taxes if they believed their participation held no value?
What Is the Potential Fallout?
Today’s concerns over elections can be largely traced back to 2000, when paper ballot counting complications due to “hanging chads” resulted in exhaustive recounts and legal battles involving the Supreme Court. In that case, both political parties claimed victory and it was weeks before Vice President Al Gore conceded defeat.
Crisis was averted because there was physical evidence for a recount and vote complications were limited to only one state and a few precincts. Still, the debate over who won this election and conspiracies about vote manipulation continue 16 years later.
Now, if Russian hackers were able to disable voting machines—an unlikely but possible scenario—compromise voter rolls, or alter the integrity of the results on a wide scale, the highly polarized U.S. electorate might well break into destabilizing bickering. It’s possible that violence could break out. Donald Trump, the Republican nominee, has for months ominously echoed Russian media in suggesting that the election is rigged against him, that voter rolls are fraudulently filled with illegal voters, and that, should he lose, second amendment supporters might take matters into their own hands.
For Russia, whether they disable election systems or compromise voter rolls, they’ve already partially achieved their goal. Limited hacking of voter databases has cast doubt amongst some Americans before the election occurs. If, on Election Day, Russian hackers impact voting booths, even if only temporarily, they’ll leave the impression that election results cannot be trusted or the outcome is inauthentic, playing into the idea that the election is “rigged.”
Based on the recent trend of Russian hacking activity, the U.S. government faces myriad challenges in the run-up to Election Day. They’ve already been forced to take steps to restore American confidence in the election process.
First, current and former U.S. officials have noted that election booths do not connect to the internet, and that they utilize a variety of vote counting mechanisms from paper ballots to digital. That diversity would make a large-scale hacking extraordinarily difficult. Even for digital voting systems, their archaic technology largely protects them from hacking.
Second, officials have tried to assure the public that voter fraud is extremely uncommon. According to Justin Levitt of Loyola University, there have been only 31 cases of voter fraud in one billion U.S. votes between 2000 and 2014. These calming efforts have made little difference as Donald Trump continues casting doubt on the election’s authenticity.
This Election Day, federal, state, and local governments must prepare in unprecedented ways. Each precinct and polling station will need a cyber crisis response plan in the event of a hack or perceived hacking-related polling failure. Beyond that, election officials will need to ensure public confidence in the integrity of their local vote casting by being prepared to answer questions with regard to hacking and voter roll manipulation. Election officials caught flatfooted by inquiries about voter fraud and hacking will only further perpetuate Russian efforts to erode confidence in the election process. Between concerns over perceived Russian hacking and Trump’s calls for “watching” who is voting, officials will also need to mitigate interference from vigilante polling monitors who believe it’s their duty to protect the integrity of the electoral process.
The longer-term challenges of election hacking outweigh the current crisis. The U.S. must commit to securing the integrity of and faith in the electoral process. This will require both technical and non-technical solutions. On the technical side, current cyber protection across the 50 states is uneven and substandard. Minimum mandatory cybersecurity protections must be issued and enforced by the federal government for protecting voter registration processes and local polls. On the non-technical side, the U.S. government should consider a wide-ranging cyber education program for election officials.
Russia’s approach—social engineering, spear phishing, and watering holes—will likely be effective moving forward regardless of technical protections. Preventing the current election or future elections from being hacked requires election officials to be aware of these basic techniques and equipped to defend against them.
America, its electorate, and their democracy will be best served by recognizing that, in the modern interconnected world, this will not be the last foreign interference in elections, but instead just the first.