Any internet-facing system is vulnerable to attack. The age of governmental systems and technology makes them particularly tempting targets.
We are at war, and we are not winning. This war is not being waged on the battlefields of Iraq, Afghanistan or Syria. It is being fought on the open highway called the internet. Foreign governments, criminal gangs and terrorists are targeting everything that matters to America, and they have been phenomenally successful.
They have compromised troves of national-security records, have undermined innovation, jobs and the economy by stealing American trade secrets, and have infiltrated the banking systems to capture fortunes. Cybercrime now poses a real and potent threat to a chief pillar of our democracy: the next election.
Anyone who is not worried about the cyber threat is not paying attention. Using known vulnerabilities, there are at least four ways cybercrime could impact, or even alter, election results. One (or more) of these is possible, if not probable. The only question will be the scale and what can be prevented.
• Targeted hacking to steal confidential information and use it for political advantage or to “name and shame”:
This is a tried-and-true method used both by individuals and organized groups — including foreign governments, WikiLeaks and Anonymous. The Sony Pictures and Democratic National Committee cyberattacks show the effectiveness of targeted hacks. Salacious, embarrassing or even strategic emails can quickly go viral and cause damage. Or important polling or strategy information can just be quietly taken and used to undermine an organization.
Spying by campaigns is nothing new. But the ability to steal so much, so easily is new. Campaign workers are surprisingly easy targets. They surf free Wi-Fi, click on mobile memes and visit notoriously infected websites. They are virtual backdoors to a campaign’s crown jewels. Every campaign should be scrubbing their systems, limiting the dissemination of sensitive information and reviewing security and computer-hygiene practices. Then they should continually repeat the process.
• Malicious hacking to disrupt specific events or candidates:
We will almost certainly see this. The most modest version is the hijacking of a website, Twitter feed or Facebook account to embarrass a candidate. Attacks aimed at crashing a site are also likely. But more serious attacks are possible and limited more by the creativity of the hacker than by existing cybersecurity.
In today’s connected world, candidate schedules are posted in advance, hotels and other venues are open books and technology is aging. Hackers could disrupt the ability to hold or broadcast an event. They could impair the security at a venue, disable air conditioning, hijack wireless connections or shut off power. Systems on campaign buses could even be hacked. Planning of any important event should include a full cybersecurity review of venues and travel routes, including a connectivity and redundancy review of key systems.
• Attempts to infiltrate voting systems and alter voting results:
Forget hanging chads. Hackers could target election systems and offices, to alter or simply erase voting results. Individual voting locations and central state voting repositories are at risk. Any internet-facing system is vulnerable to attack. The age of governmental systems and technology makes them particularly tempting. Government computers throughout the country, for every level of government, have been successfully targeted and sensitive data compromised. Every state and county election office should be hardening the silos and employing “white hat” hackers to test their systems.
• Malicious or terror events intended to shape the election, or that would have that result because of their horrific nature:
The most extreme cyberattacks cannot be ruled out and range in scope and impact.
Imagine Chicago, New Orleans or another major city sweltering without power for weeks. With the loss of power, air conditioning is lost, traffic and communications are disrupted, stores are closed, and hospitals, fire crews and police are spread thin.
Also, we have already seen terror groups use the internet to recruit soldiers and to plan and carry out attacks. The FBI director recently warned of an Islamic State diaspora, which could spread terror to America. The Islamic State and al-Qaida employ sophisticated hackers and understand both the impact of terror events and the national reactions they can cause. That is what they want.
Law enforcement must continue to increase its vigilance. Candidates and current officials should be honest about the possibility of such attacks, and as a nation we should discuss the best ways to respond. Otherwise, we could be baited into just the wrong response.