What the DNC Breach tells us about election hacking

The breach of the Democratic National Committee’s networks and the disclosure of nearly 20 000 internal emails on the online publishing platform WikiLeaks raise many questions about the integrity of democracy in the digital age.

From a cyber security standpoint, the issues currently being discussed most widely are who is behind the attack and how the US government should respond. Intelligence officials reportedly have ‘high confidence’ that Russian intelligence agencies are responsible, echoing analyses of cyber security firms and experts.

Focusing public attention on the accusation that Russia hacked the DNC for Trump’s benefit might be a welcome tactic by Hillary Clinton’s campaign to divert attention from the actual content of the leaks — mainly that the ‘Democratic’ party’s leadership has been failing to apply democratic principles themselves by intentionally undermining their candidate Bernie Sanders’ election campaign.

But regardless of who was behind the attack and whom it served, the hack itself raises issues about how to protect the security of electoral processes. As our institutions and infrastructures become completely digitalized, actors are obtaining new ways to influence elections. Governments need to think about how to better secure their electoral networks and systems and improve the security practices of the people who have access to them.

Intelligence agencies have exfiltrated information to influence elections in other countries throughout history, and both Russia and the US have done so in the past. Yet, the possibility that a foreign power may hack into the networks of a political party and publish stolen information on an online platform with millions of followers worldwide to influence an election process adds a new dimension to the issue.

Such acts can be part of targeted information operations — spreading chaos to potentially interfere with the decision-making of institutions and societies in adversary countries. One example is the Ukrainian elections in 2014, when, three days before the country headed to the polls, a group of pro-Russia hackers called CyberBerkut rendered the vote-tallying system inoperative and published a “report of the hack”, including a map of the Central Election Commission’s computer network to prove the breach.

Threat actors can choose from a range of tactics to undermine elections, including large-scale doxing of candidates or parties. Importantly, in the process of obtaining the targets’ secrets and private information, intruders can manipulate the information before publishing it online and thereby deceive the documents’ readers. Other possibilities are to hack voting machines, for example by targeting the network the machines are run on or the employees responsible for the machines’ maintenance; to shut down entire voting systems by disrupting their electronic infrastructure; or to delete or change election records.

Many of these risks are amplified in online voting systems. As a case in point, security researcher J. Alex Halderman found ‘staggering gaps’ in the procedural and operational security as well as the architecture of Estonia’s online voting system. Hence, before entering the age of online voting, governments should get security right.

The DNC breach is also a lesson in organizational security. Like many nonprofit organizations, the DNC has probably not spent many resources on enhancing the technical security of its systems or on training its employees in digital security. Moreover, it seems to have been unaware of cyber security threats or unwilling to secure its networks. After all, hackers were able to stay on the network for roughly one year, despite the FBI’s warning in 2015 that the DNC’s networks might be targeted by a foreign power, at around the same time that the US government networks at the State Department and the White House were breached. Political parties need to have IT security on their radar and be sufficiently funded to invest time and money in such measures.

It could well be that additional documents from the DNC breach will be disclosed during the remaining US electoral campaign. But considering the possibilities that exist to manipulate elections by hacking, the recent leak of documents which brought to light some of the Democratic Party leaders’ rather undemocratic practices seems harmless.

Written as an incident monitor for DSI: https://www.esmt.org/faculty-research/centers-chairs-and-institutes/digital-society-institute-dsi/dsi-incident-monitor