By Zac Amos, Features Editor, ReHack
Cybersecurity oversights are making infrastructure in the U.S. the most fragile it has been in history. Hackers are constantly developing new strategies to topple critical societal systems, including voting. Election season is here, and experts are analyzing the most prominent threats to design suitable defenses. What does this look like, and do these trends indicate a new future of cybersecure voting practices?
The Election Infrastructure Landscape
Cyberattacks are not uncommon in voting spaces. However, their increasing severity and frequency require more regulatory collaboration and action. Disruptions used to include ransomware, phishing variants and distributed denial-of-service (DDoS) threats.
Hackers still employ these strategies but are evolving in robustness and intricacy. Innovations make it harder for analysts to execute incident response and isolate threats. Novel techniques arise yearly, determined to compromise public trust and dismantle democratic systems.
Historically destructive attacks motivated the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to act. The organization was formed after the Russian-catalyzed decommissioning of voting servers in 2016, which released confidential candidate communications and instigated spear-phishing emails meant to sway results.
The group presented an election strengthening program to the National Association of State Election Directors and the National Association of Secretaries of State to decrease digital risks. It onboarded new hires with election expertise and distributed them nationwide. It will conduct reviews of state-specific election processes and machinery.
AI and Deepfakes
AI phone calls became rampant in New Hampshire as the state approached its primary election window. The robocalls sounded like President Joe Biden and caller IDs falsely showed Kathy Sullivan’s name, a former party chair. The impersonation delivered a message to discourage people from voting. Remediation demanded FCC involvement, investigators and multiple cease-and-desist orders to the guilty telecoms company.
The event signified a shift, demonstrating how threat actors will leverage AI capabilities to spread disinformation and dismantle voting rights. Generative AI, deepfakes and chatbots deepen the issue because AI’s versatility keeps expanding. For example, hackers may use data poisoning in a machine learning database to fix outputs, leading to falsely informed determinations.
Solving these unprecedented attack variants needs a multipronged plan. New Hampshire prepared by establishing a voter suppression law, but more action is necessary to expound upon AI-specific rules at a federal level. The Biden administration issued an executive order in 2023 to construct policies for dual-use foundation models because of how much data they train and their accelerating development.
CISA recommendations and up-and-coming compliance framework suggestions from organizations like NIST, ISO and OWASP are outlining AI security opportunities applicable to voting systems.
Phishing
Phishing has always been a problem for election officials. The COVID-19 pandemic increased the amount of absentee ballots and online voting registrations, causing the number of digital communications related to elections to skyrocket.
The number of emails, chatbot conversations, instant messages and other forms of communication expands the surface area for hackers to corrupt attachments and pose as reliable individuals. The aforementioned clone voice calls are a form of quishing, or voice phishing.
Actions to prevent this include setting up online forms for gathering data and submitting applications instead of relying exclusively on email. Other initiatives, like the Elections Infrastructure Sharing and Analysis Center (EI-IASC), provide free detection tools for voting centers and city operators. The Election Assistance Commission also recommended these strategies for defending secure voting management systems:
- Employing air-gapping networks
- Using multifactor authentication
- Incorporating physical security measures
- Relying on independent software
- Enhancing voter privacy features
- Encouraging interoperability
Social Engineering
Social manipulation has been a hacking staple for decades but is potent during election season. Cybercriminal outfits bribe, blackmail or persuade election officials, candidates and voters to aid in systemic attacks. These are surefire ways to obtain insider access and information under the radar — even across borders.
Preventing social engineering is a nuanced effort because it often involves mental, emotional and physical motivations unique to individuals with varying degrees of influence. Voting centers and state offices can mitigate social engineering potential by using strict hiring processes with thorough background checks, interviews and references to verify trustworthiness.
Data Breaches
Hackers work endlessly to uncover the many vulnerabilities and backdoors of legacy voting technologies. Websites and voting consoles need updates to withstand new hacking attempts to protect personally identifiable data. Washington, D.C., experienced the vitriol of 600,000 voters in 2023 after a hacking of the city’s web host.
Myriad strategies could withstand breach attempts. Filling out workforces with white hat hackers and penetration testers will expediently identify oversights in critical voting infrastructure before cybercriminals make headway. The experts play the role of a threat actor, determining the most valuable opportunity for cybersecurity enhancements.
Another solution is immutable storage. Local voting outfits store countless bytes of citizen information, and preserving it in untouchable, uneditable backup hardware could soften a potential breach’s devastation.
Protecting Election Security
Cybersecurity professionals must anticipate new attack attempts and styles to prepare adequately. Disruptive technologies like AI will revise antiquated hacking techniques, delivering the stealthiest and most destructive attacks on election infrastructure. Industry professionals and governments must cooperate in developing bipartisan strategies to oppose blows to voting integrity.
About the Author
Zac Amos is the Features Editor at ReHack, where he covers cybersecurity and the tech industry. For more of his content, follow him on Twitter or LinkedIn.
