Around the world, democracy is facing a moment of crisis. Whether from the rise of oligarchs and strongmen leaders, or the decline of civil society in the West. But there’s also a new threat that free societies never had to face until recently: hacking. Why? Because countries aim to attack their enemies by harming the basis of their civil societies. In other words, enemies are attacking the fabric of their enemies’ nations. For free countries, this means they spread doubt about voting and elections. It’s a powerful tool against the public trust. If people are out there hacking elections, how do you know that your vote even counts?
To keep democracy alive, we need to bring it to the 21st century and use modern tech to protect voting rights. We’re going to look at real attacks against elections. This will help us know the hacking threats that face voting systems today. Then, we’ll try to give you tools to defend votes from online attacks.
How govs are hacking elections
The actual hacking is simple. Famed DEFCON event hosts an entire ballot hacking village. Hackers find such machines riddled with vulns. The US has struggled to address bad machines because each state chooses what machines to use. In the end, out of date Linux boxes give hackers easy access to view and change every vote. In the US, Congress reports that hacking attempts occurred in all 50 states during the 2016 vote. We have to say “attempted” because Congress likely wouldn’t admit successful attacks.
It’s everywhere around the world!
And since then, hacks have only become more common. Most reports focus on the US, but smaller countries report the same problem. For example, Mexico notes signs of hacking in vote records in a few key states. Check out this striking quote from a Central American NGO:
We found evidence of tampering in 20% of voting records in Guatemala. Contrary to the fixed narrative peddled by Western intelligence agencies, the hacks seem to come from a broad variety of nation-state sources. All countries are hacking eachother and trying to use elections to their own benefit. This represents a deep threat to trust in democracy, if not the viability of democracy itself.Quote from Noah David, head of electoral security at CNG International
Scary times, for sure! The report goes on to explain the attacks. Against media expectations, voting machines weren’t even the target of the attack. Rather, attackers hacked into the database where the votes were sent in and added up.
So the problems are just typical cyber security issues. Who makes and controls the computers that track voting? And how can small, poor countries hope to control their entire voting tech ecosystem? The entire supply chain is vulnerable, because these small nations depend on the bigger countries for tech. The lack of national independency in tech deeply undermines whether democracy can work in a global, capitalist economy.
Defense: how to prevent hacking elections
The first and most obvious way to prevent hacking, is to remove tech that isn’t needed to run an election. In other words, just don’t use e-voting machines. If you must use them, keep a paper ballot trail with which you can audit the electronic results. Of course, leaving everything in the hands of human workers still leaves the vote open to corruption. But that’s equally a problem either way, and one that’s existed for millennia.
The tech you do rely on must follow a certain structure. To be precise, states should set up vertical integration. Don’t feel intimidated, it’s just a fancy term that means something simple. You need to own every layer of your tech stack. The machines themselves should be a national product. All software written in house, or at least audited by national intelligence agents. Vertical integration involves a lot of work, making it unfeasible for some smaller countries. But the closer you can get to it, the better.
The French case
When Marine Le Pen courted Russian favor during the French 2017 election, voting officials worked hard to defend the vote against hackers. They did this with deception. Creating fake email accounts, fake servers, fake voting machine IPs, and so on. The attackers went after these easy (but fake!) targets making them easier to detect and defend against. Who knows, maybe these same officials manipulated things so Le Pen would lose. But at least they were able to prevent a foreign nation from controlling the outcome.
The French Case shines as an example of a country using novel means to fight election hacking. New firms are coming around, and they use tactics like these to help fight election hacking.
Who is behind for e-voting hacks?
When you think of election hacking, what country comes to your mind? If you’re like most people, the answer is almost certainly one nation: Russia. NATO and Western agencies have hugely invested in showing Russia as the main threat to democracy around the world.
Yet this picture is dishonest. Every nation is doing this, and no one wants to admit it. Just like the 20th century, when countries overthrew eachother’s democratically elected leaders with guns and bombs. Except now days, it happens with hacks and troll farms. If liberal nations survived the uprisings and revolutions of the long 20th century, maybe they can outlive cyber war. Or maybe not.
The biggest single actor known to hack in this space, though, is definitely Fancy Bear. This hacking group works under the Russian army to attack foreign targets, often working with cybercrime elements. Ransomware, DDoS, nothing is off limits, and democratic and liberal countries are their prime targets. So they mostly innovated this space. However, things have changed since 2016. The rest of the world has caught up, and I don’t mean by defending themselves. Rather, the other countries have also learned that voting is fragile and easy to abuse.
So who’s responsible? Today, NATO and Russia, along with their allies, are all working on election hacks convenient to their own interests.