The 2020 election season is officially upon us. But unlike years past, this year’s election cycle is fraught with fear, uncertainty, and doubt. And these lingering questions threaten to do more than deepen the apathy of a news-weary populace—they present an existential challenge to the foundation of our democratic institutions.
Between speculation about Russian meddling, voter fraud conspiracy theories, and concerns around voting machines being hacked, it’s easy to see why people might just throw up their hands in frustration and cry that the whole system is rigged.
Of course, this is likely the very motivation compelling a nation like Russia to pursue such a gambit: by sowing confusion and casting doubt on the foundation of our most democratic of institutions, they believe they are better positioned to advance their own political agenda.
Consequently, like a magician who tricks his audience using time-tested misdirection techniques, we, the electorate, are being overwhelmed with a broad spectrum of possible threats and distracted to the point that we are not paying close enough attention to the ones that are most likely to happen.
As someone who has spent their career at the crossroads of information technology, cybersecurity, and government policy, the basic principles of triage are highly pertinent: You have to boil down the ocean of potential vulnerabilities to a subset of the most probable and important risks and then prioritize accordingly.
So given the wide range of potential threats to free and fair elections, which ones pack more bite than bark?
1. Voting registration systems, not voting machines
While the concerns around voting machine vulnerabilities are certainly valid and obviously need to be addressed, it’s highly unlikely that any nation-state would find them to be a worthwhile target. Threat actors—be they nation-states or lone wolf hacktivists—are seeking the greatest return on their investment of time and resources.
One of the reasons why fixing our electoral system is particularly challenging is due to its inherent decentralized structure—every state operates according to their own process and equipment. Some states employ paper ballots or vote by mail while others use one or any number of digital voting machines.
Ironically, this is also the reason why they make for such unattractive targets: Unless you are targeting a specific county and a particular machine with a known vulnerability, it’s a crapshoot.
Just like water streaming through a riverbed, threat actors will always follow the path of least resistance and statewide voting registration databases are much lower hanging fruit as they represent a single point of failure. Because many individuals have access to these systems, they can be targeted with sophisticated spearphishing attacks that would enable a attacker to potentially gain access and modify these registries. You only need to compromise just one of any number of individual accounts to secure the proverbial “keys to the castle.”
A 2018 ProPublica survey published just before the 2018 midterm election found that more than a third of counties overseeing toss-up congressional elections have email systems connected to voting registration databases that could be vulnerable to hacking. Following a 2016 attack on the Illinois voter registration system that exposed the personal information of thousands of voters, a spokesperson for their state board of elections neatly summed it up: “This wasn’t about stealing votes, but rather creating havoc. If you can steal a voter database, and then go in and mess up the poll books that election judges rely on to check off voters, that’s going to be the story: that the United States can’t run a competent election.”
2. Automated bots that distribute disinformation at scale
Bots have become a fixture in the internet economy, both as a legitimate tool to automate data gathering and as a vehicle by threat actors to automate their attacks at scale. Airlines use them to continuously scrape pricing and flight data, e-commerce companies employ them to collect inventory information, and, of course, criminals utilize bots for every manner of malicious activity.
That said, when it comes to elections and voting registration databases, there are few if any legitimate cases for bots. Says one secretary of state customer of ours, “The voter registration pages are the most sensitive area of our web infrastructure, and there is no legitimate reason to allow any form of automation or bots on those pages.”
Bots are also being employed to orchestrate disinformation campaigns at scale. So-called “cyborg bots” combine elements of human operation with software to automatically tweet responses to certain triggers. Following a tightly contested special gubernatorial election in Louisiana this past November, a social media analytics company called VineSight mapped out how these bots are being utilized to accelerate disinformation with speed and precision.
According to VineSight’s CTO, “What we’ve seen in Louisiana is similar to what we saw in Kentucky and Mississippi—a coordinated campaign by bots to push viral disinformation about supposedly rigged governor elections . . . It’s likely a preview for what is to come in 2020.”
3. A lack of accountability into the electoral system
In 1968, the American biologist Garrett Hardin coined the phrase “the tragedy of the commons” to describe a situation in which a shared resource is exploited contrary to the common good of its constituents. While this concept is usually applied to physical resources such as the world’s oceans and the perils of overconsumption, it also speaks to the lack of accountability that is an all too common by-product of any large, collective system.
Because our electoral systems are distributed across 50 states and administered in a siloed manner with few centralized enforcement controls, there is an obvious gap of accountability. We’re left to ask: Where exactly does the buck stop and who ultimately is responsible for ensuring the integrity of the ballot? At the moment, Congress continues to haggle over funding for election security. More stories of voting machine vulnerabilities and disinformation campaigns will surely emerge. However, without some mechanism to support accountability across all levels of government, the resilience of our electoral system will be put to the test.
Confidence and trust. These are the pillars of our market economy and democratic establishments. Without it, our money has no intrinsic value, our institutions deteriorate. As we’ve come to appreciate since the 2016 election, democracy is a fragile thing. With so much at stake in this year’s election, it’s imperative that we as citizens, legislators, and security leaders focus our collective energies and clearly prioritize what the most likely threats will be so that we can maintain trust in our most cherished right—voting.
Tiffany Olson Kleemann is the senior vice president of bot mitigation for Imperva and the former CEO of Distil Networks. With more than 20 years of business and operations experience within the information technology industry, the White House, government, and U.S. military, Tiffany previously served as a vice president at FireEye, leading global strategic partnerships and alliance operations.