Patrick Knight, Senior Director of Cyber Strategy and Technology at Veriato, spent 12 years in the U.S. Intelligence Community in the fields of Signals Intelligence and Cryptanalysis and, since 2001, has worked in the commercial online security sector developing technologies including encryption,
When election interference is discussed, you probably think of “fake news” social media plots or hacked voting machines that manipulated outcomes. The truth is much more complicated. Election interference can come in many forms and have consequences that last long after an election cycle. Fortunately there are security measures elected officials, campaigns, and anyone with access to voter information can – and should – take to defend against election interference.
Not all election interference efforts are coordinated by foreign or outside entities. In fact, insider threats constitute a massive security concern for any voter or campaign group.
Unprotected Voter Information
In August of this year, more than 14 million voter records in Texas were found on an unprotected server. While much of that information was available publicly, not all of it was. This is just one example of inadequate cyber security measures plaguing campaign groups and officials. Voter information should be placed under proper cyber security and anyone with access to it should be educated on security protocols to keep that information private.
Currently, anyone with access to a state’s voter registration, including those at the U.S. Election Assistance Commission, has the ability to change information or remove it entirely. This information should be much more rigorously restricted to limit its risk of exposure. Any voter database should have controlled access and those permissions should be thoughtfully considered and only granted if absolutely necessary. When it comes to cyber security, the fewer routes of access to information, the safer the information is.
Unfortunately, all organizations are at risk of malicious insiders – employees who seek to use their inside access to undermine the organization or use its information for harmful purposes. To protect from these threats, employee monitoring software can be deployed, which detects suspicious user activity. IT teams can then act to protect data before the malicious actor carries out any harmful acts.
Insufficient Security for Employees
Employee education is key for a strong cyber defense. Employees with weak passwords or who don’t use multi-factor identification aren’t just a risk to themselves; they are a risk to the organization and every person whose information they can access. Weak user security creates opportunities for hackers to penetrate organizations and manipulate or use voter information.
Far-Reaching Consequences Of Election Interference
Of course the obvious concern with election interference is manipulated results and changed election outcomes. However, the consequences can be even darker and have long-lasting effects on our democratic system.
If voters suspect their information isn’t protected or that officials don’t value their privacy, people could lose faith in the electoral system. Even with an isolated event, election interference and voter fraud creates a panic where voters worry about the extent of the interference and the validity of the entire campaign process and election. If people start to distrust the power of their vote, then they might lose motivation to participate in public elections.
Change Campaign Efforts
If voter information becomes available to competing parties or candidates, those campaigns are going to adjust their messages. Voters could receive targeted ads, or ads with false messages put out to damage a competing candidate. While this messaging happens to some extent today, it could worsen if election interference leads to voter information hacks.
Security Measures To Implement To Combat Election Interference
Implement a Cyber Security Framework
All elected officials and campaigns should have a strong cyber defense established. Treat your information as sensitively as you would healthcare or banking information –because it is.
Deploy Employee Monitoring Software
Consider investing in this software to protect your information from insider threats. As we’ve discussed, voter information and systems are at risk of employees who have access to them – whether malicious or accidental. Employee monitoring software tracks user activity and alerts you to potentially dangerous behavior so you can stop election interference from escalating.
Utilize NIST resources
The National Institute of Standards and Technology has great resources on how to set up a cyber security framework. The President has also asked the NIST to establish guidelines for small and medium businesses, so those security practices will be forthcoming. Prioritize cyber security and use the resources that are out there to help you protect your information and your voters.
Establish a breach protocol
Set up a plan for if – and when – election interference happens. Plan steps to contain the leak and minimize exposure. Make sure to include transparency in your protocol. The best voters are informed voters. If your system was compromised, tell them. Explain that they may receive communications that appear to be from you, but are from a malicious party. Voters don’t appreciate being kept in the dark. Then tell them what you’re doing to fix the problem and keep their information safe.
Election interference can come in many forms – and the variety of attacks is what makes it so formidable. Campaigns and officials should start by securing their systems from the inside. Doing so will protect our voters and the democratic process they believe in.
Insider Risk – How Prepared Are You?
Not every company is equally prepared to deal with insider risk. This report outlines the four stages of insider risk maturity and explores how to improve your insider risk preparedness.