On June 11, 2018, Deputy Assistant Attorney General Adam Hickey testified to the Senate Judiciary Committee about “foreign influence operations, which include cyber efforts to interfere in our elections. As stated by Hickey, “[f]oreign influence operations include covert actions by foreign governments intended to affect U.S. political sentiment and public discourse, sow divisions in our society, or undermine confidence in our democratic institutions to achieve strategic geopolitical objectives.”[i]
Most people are familiar with the charges that Russia-affiliated entities created and operated false U.S. personas on Internet sites designed to attract U.S. audiences and spread divisive messages.[ii] Although the delivery system has changed, I remember similar efforts from my own youth. I used to play in the yard of Robert “Scoop” Jackson, a staunch opponent of the Soviet Union in the U.S. Senate. In the 1970s the KGB spread forged documents about Jackson to undercut his political strength.[iii] That document never reached me in Senator Jackson’s front yard in Everett, Washington. Modern technology, however, can allow intelligence operatives to reach “unprecedented numbers of Americans covertly and without setting foot on U.S. soil.” With a digital war looming, where will the battles be fought?
Targeting election infrastructure
Foreign influence operations may be exploring how to weaken the integrity or access to election-related data. This could start at attempting to corrupt or wipe voter registration databases. For example, adversaries could employ cyber-enabled or other means to target election infrastructure, such as voter registration databases and voting machines. This would be an obvious data security issue for the entities maintaining those databases.
Operations aimed at removing otherwise eligible voters from the rolls or simply dumping voter roll data on the internet would also implicate the privacy rights of voters.[iv] Records of registered voters are maintained at a county level.[v] States often keep duplicates of those voter rolls at state-wide agencies. On the days of elections, much of this information has to be communicated to the polls. Each of those steps in the voter data flow provides a surface with which a digital attack could interact.
Beyond targeting political organizations, campaigns, and public officials
Utilizing now familiar techniques, intelligence operatives could target U.S. political organizations and campaigns to steal confidential information. That information could then be partially (or completely) altered to discredit or embarrass candidates, political organizations, or public officials. These potential operations should raise the data security and privacy antennae of any politically-affiliated person or organization. However, it is important to note that the targets of these operations need not be players in the political game. Innocents usually suffer the most in wartime.
Russia is reportedly currently heavily engaged in non-linear warfare. This has sometimes been referred to as the Gerasimov Doctrine.[vi] This doctrine is generally attributed to General Valery Gerasimov, the Chief of the General Staff of the Russian Armed Forces, and is often used to describe Russia’s deployment of 21st century technologies from multiple actors to achieve a new type of strategic goal: chaos for its own sake.[vii] The author who coined the doctrine stresses that the true Russia strategy is more opportunistic than doctrinaire[viii] but that opportunism and non-conventional approach is the true concern here.
If chaos is seen as a valid goal, opportunistic targets for these hacks could include: people with similar names to public officials, important but unrelated resources like the public transit that helps people reach the polls; apolitical organizations that help the everyday efficiency of a community; or services that may affect voter attendance, like seizing control of the power grid. Rather than merely raising the security concerns of a few individuals and organizations, national elections now raise national data security and privacy concerns.
A Path Forward
With such wide variety of potential targets, adequate security may seem impossible. This is untrue. First, having worked on these cases, I can tell you that even sophisticated actors in the digital space are opportunistic. Military grade digital tools are not the opponent here, unsophistication and inattentiveness is. This opportunistic approach is clear. The hack of Paul Podesta’s emails could (and maybe should) have failed.[ix] Although it is a challenge to improve security and training, it is a challenge worth taking.
With an eye toward addressing precisely these non-linear foreign influence operations, Google has introduced a Protect Your Information with Google initiative, which is made up of three primary parts. The first part is their Advanced Protection Program (API), which aims to protect the integrity of Google accounts of targeted individuals and teams by requiring a physical Security Key, in addition to a password, to gain access. API will also aim to protect the user’s privacy by limiting access to the data generated by your accounts. If successful, this would enhance the privacy controls on these accounts and also improve their data security. The second part of the initiative is Project Shield, which would protect websites from DDOS attacks. The third part of the initiative is Perspective API, which aims reduce harassment on online commenting platforms.
These challenges present an opportunity for people and organizations to address their data security and privacy weaknesses. Explore your free options to improve your data security and tighten your privacy controls. Since improved security will improve everyone’s life, it is worth investing in working with data security professionals to improve baseline security and to prepare a breach preparedness plan. Nothing focuses the mind like a deadline and the looming elections have given the United States a firm deadline to get our digital house in order.