Black Hat, Critical Infrastructure Security

Security industry braces for Democracy’s biggest test yet  

It’s impossible to overstate the importance of tomorrow’s Keynote at the Black Hat security conference in Las Vegas – Democracy's Biggest Year: The Fight for Secure Elections Around the World.

As the session’s description relates, more than 2 billion voters will cast ballots to shape the future of their nation and the world. The challenges of protecting the democratic process have never been greater with increases in cyberattacks from enemy states, the outsize influence of social media, and the novel threats posed by Generative AI.

Reading the daily news headlines, just about every major organization has been breached. It compels us to ponder the timely question: If major corporations like AT&T, Microsoft, and United Healthcare can’t stop cybercriminals from breaching their networks, how can notoriously underfunded cybersecurity defenses at the organizations that manage our elections possibly stay safe?

For cybercriminals to succeed, they must have a motivation to attack and the means to succeed. Except at the very highest levels, there’s limited financial gain for cybercriminals to carry out a direct attack on our electoral systems. There’s no “un-stolen” data left to steal and no leverage to demand a ransom payment. More important, the nature of the process offers many built-in deterrents.

Keep in mind the U.S. electoral system, like many others, is highly decentralized. Elections and balloting are conducted at the state and local levels, not through a single nationwide system. Individual states have their own processes, rules, and systems. Our systems involve a remarkably manual process that relies on large numbers of people who are not integrated in a cohesive manner. This decentralized structure makes it nearly impossible for a single threat actor to influence outcomes across the entire country.

There are also strong cybersecurity and physical security measures already in place. Election systems, particularly those involving voting machines and electronic tabulation, are regularly upgraded with improved security measures. This includes multifactor authentication, encryption, and stringent physical security measures.

There are also robust election integrity checks and paper trails. These include pre-election testing of voting machines, post-election audits, and chain of custody procedures for ballots and voting equipment. Most voting systems in the U.S. include a paper trail that allows verification of results and gives greater certainty about their accuracy. This was put to the test following the 2020 U.S. presidential election when 60 legal cases were filed in multiple states alleging fraud and/or irregularities in the election process. In the end, no evidence was found to substantiate claims of widespread fraud or of actions that would impact the election results.

Other cyber risks to the electoral process

Disinformation against candidates and the electoral process will remain a significant risk of influencing elections. Federal investigations into the 2016 Presidential election revealed that Russian operatives conducted activities to influence the election. This included breaching and releasing emails from the Democratic National Committee.

There remains disagreement as to what extent this influenced the outcome of the election, but it’s clear they aimed to manipulate public opinion. The backdrop to this is the generational shift in how Americans source their news. Today, 62% of Americans get their news from social media, and 48% from TikTok alone.

While we must remain vigilant in protecting against the risk of cyberattacks, the most significant threat to our democratic process is the broad disengagement of voters. Consider that past claims of fraud and manipulation, true or not, involved remarkably small numbers of votes. At the same time, one-third or more of registered voters in the U.S. fail to vote in Presidential elections, enough to swing the outcome of any election.

With a panel that includes brilliant cybersecurity leaders such as Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), as well as cybersecurity leaders from around the world, I'm looking forward to an impactful and memorable session.

John Gunn, chief executive officer, Token
