Cyberwarfare / Nation-State Attacks , Election Security , Fraud Management & Cybercrime
ISMG Editors: 2024 Election Security, Tackling Global Threats
Examining Cyberthreats, Foreign Tactics Aimed at 2024 U.S. Election Anna Delaney (annamadeline) • October 25, 2024In the latest weekly update, election security expert Annie Fixler joined ISMG editors to discuss the urgent challenges of safeguarding U.S. election infrastructure, countering cyberthreats and preventing foreign interference as Election Day approaches.
See Also: Critical Condition: How Qilin Ransomware Endangers Healthcare
The panelists - Anna Delaney, director, productions; Annie Fixler, director, Foundation for Defense of Democracies, Center on Cyber and Tech; Michael Novinson, managing editor, ISMG business; and Tom Field, senior vice president of editorial - discussed:
- What sets the 2024 election apart from 2020 and 2016;
- The influence tactics Russia, China and Iran are employing to sway U.S. voters;
- The protective measures in place for voter registration databases, voting machines and reporting systems.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Oct. 11 edition on how Chinese hackers raise stakes in cyberespionage and the Oct. 18 edition on how DSPM and DLP converge to reshape data security.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Hello and welcome to the ISMG Editors' election security special. I'm Anna Delaney. With the U.S. election just days away, we're focusing on one of the most urgent topics - election security. From protecting our infrastructure to defending against cyberthreats and foreign interference, the stakes couldn't be high. Today, we'll explore the current state of election security as we head into election day and the challenges that may follow. To help us unpack these pressing issues, we're joined by Annie Fixler, director of The Foundation For Defense of Democracies' Center on Cyber and Technology Innovation, who will share her expert insights on the measures being taken to safeguard the integrity of this election. Annie, it's a pleasure and honor to have you join us today.
Annie Fixler: Thanks so much for having me. I'm excited for this conversation. Very important topic.
Delaney: Absolutely. And also joining the discussion are ISMG panel regulars: Tom Field, senior vice president of editorial, and Michael Novinson, managing editor of ISMG business. Very good to see you both.
Tom Field: Thanks for inviting us.
Michael Novinson: Thanks for having us.
Delaney: So Annie, as we approach the election, the landscape feels increasingly complex, certainly from my perspective here in London, sifting through as many podcasts and articles as I can on the issue, especially when it comes to distinguishing between real threats and misinformation. So, to set the stage, what are you most focused on in your day to day in the run-up to November 5th?
Fixler: You're right. The threat landscape is challenging to understand, and that is where we're focused, trying to understand what's a real threat and what's a real influence operation threat and a disinformation threat. What's a real cyberthreat, like the integrity of the election threat? Where do those intersect? Because what we're seeing a lot of right now is not actual compromises of election infrastructure itself but claims of compromise of election infrastructure and claims of vast influence campaigns. And a lot of what that does is have the psychological impact that our adversaries are trying to impose, that is, in general, the purpose of their campaign is the psychological impact. The purpose of interfering with the elections is not necessarily to dictate who wins or loses but to make Americans question whether or not their vote matters. So, we're focused on trying to understand and talk with the right amount of seriousness and severity but not overamplify what is actually not as impactful as we might fear.
Delaney: Thanks Annie. I'm going to handover this conversation to Tom.
Field: Annie, along those lines, I'd ask you, what you find is unique about the 2024 U.S. election, as opposed to 2020 and 2016? From my perspective, along your lines, it seems more so this year that just because someone says something than something is. I haven't seen that level of susceptibility so much as I have this year. But, I welcome your perspective. What's unique about this year's election?
Fixler: What we're seeing is the metastasizing of the influence operation threat. So yes, you're seeing a lot more discussion about influence campaigns. You're seeing a lot more actual influence campaign attempts, because adversaries, particularly Russia, China and Iran - the foreign adversaries, are seeing the effects in 2016 and 2020 of what that meant for the U.S. population, what it meant for civil society, and what it meant for the ability of the U.S. government to get stuff done when there is hyper-partisanship. It makes it more challenging for the U.S. government to be effective on the world stage. So, the more our adversaries can undermine that and throw sand in the gears, the more weakened we are. We are seeing several influence operations because they see that that is successful, whether or not any individual campaign is successful; the effort as a whole is to sort of drive the American population apart.
Field: Thank you. Anna, back to you.
Delaney: Great. That sets the scene very nicely. So currently, what are the vulnerabilities that concern you the most regarding the security of this election? Are these those influence operations that you mentioned? And I also want to ask, with so much misinformation circulating, is there any false narrative or misconception that you feel is particularly important to address right now?
Fixler: Generally speaking, when you're talking about those three adversaries, they each have a sort of a theme to their campaigns. Iran, in general, is more anti-Trump and pro-Harris. Russia is the opposite, sort of propping up Trump and denigrating Harris. China is sort of a chaos actor and is sort of denigrating both candidates alike because they want to cause chaos, in the context of the election. All of that is what we're seeing, and all of that is challenging. The piece that is most concerning to me is the effort that undermines Americans' belief in the integrity of the election and belief in the power of elections and the importance of elections. So, whether a country is pushing one candidate or another, I'm more concerned about the efforts being made to make Americans think that the election isn't secure and that their vote doesn't matter.
Delaney: Excellent. Michael, over to you.
Novinson: Absolutely, and I know you've already mentioned some of the primary nation-state adversaries a couple of times here - Russia, China and Iran. Why don't you double-click on this and get into those TTPs - those tactics, techniques and procedures? I specifically want to get a sense of what techniques have you seen Russia, China and Iran deploy to try to influence U.S. voters in this presidential election.
Fixler: I don't think we're seeing much that's new. We're seeing AI-generated content, but that is not necessarily so different than taking a picture out of context and claiming it is one thing versus another. If you generate a picture using AI, it's a fake picture. Yes, it's concerning, and yes, we should be talking about it. But, it's not necessarily those that are new techniques that I'm concerned about. One of the things that we've discovered as of late, maybe it's not a new discovery, is the proliferation of inauthentic personalities and identities on social media, and that's how a lot of these influence campaigns happen. You create an account that looks like it's an American account. It generates a bunch of followings. It pushes out propaganda and disinformation and influences operations. So, some of what we've been trying to understand is how do our adversaries set up those networks of fake accounts. And if we can get to the bottom of that, what are the services they're using? And we're seeing some of that come to light. There are black hat marketing companies that will set up a series of accounts, and then adversaries, can we assume, sort of buy them off the shelf, and that sort of enables activity. So, if we can get sort of upstream of these activities, that may sort of be a better way to get at those and to sort of combat those GTPs that we're seeing.
Novinson: I want to look at the flip side of the coin here. Talk a little bit about defense. I want to get a sense of the measures that are being taken to protect those hard targets such as voter registration databases, voting machines and reporting systems, as well as measures that have been taken to protect softer election-related targets. What are you seeing?
Fixler: We're seeing efforts both at the FBI and CISA, which is the Cybersecurity and Infrastructure Security Agency. Both of those agencies, in particular, are out front talking about their efforts on bolstering election security, sort of working with state attorney generals to work on election security and of the actual infrastructure itself, and that is moving a pace. I worry about the security of that infrastructure, because, frankly, all infrastructure is vulnerable. And so, why would I think that our election infrastructure is any more secure than our electricity grid and water system? So, if I know that those systems have vulnerabilities, I am confident that our election infrastructure has vulnerabilities, but people are rightly focused on that and working on ways to strengthen that. We need to keep doing that. Our adversaries are less focused there because they don't need to do that hard work of hacking the election to have the effect. So, it's more in the information space that we're seeing operations because it's easier. So, why do the hard thing when the easy thing works?
Novinson: Fair enough. Tom, over to you.
Field: One thing that strikes me through all this is that influence campaigns need not be limited to political discussions. We have a lot of private sector security and technology leaders that follow us. What's the takeaway for them? Because it seems to me that influence campaigns very easily can be aimed at businesses as well.
Fixler: They absolutely can. There's sort of two pieces of that that the private companies need to be aware of, one of which is solely a business concern and one of which becomes a national security concern. So, businesses are rightfully concerned about their reputation, and so there can be influence campaigns that are launched for a variety of reasons that degrade their reputation, and that is a business risk that they should be focused on because it's part of their business. There's a national security component though when it comes to influence campaigns that attack the reputation or the reliability of companies, industries and strategic areas. So, if you all remember, there was a period of time when Russia was launching influence operations against fracking in the United States, and that was a lot about we shouldn't be doing this and we shouldn't be pursuing this technology because it was bad for valid reasons; that is for strategic effects. So, it may impact an individual company and their bottom line and their reputation, but from a federal government perspective, it's a national security concern, or it's an economic security concern, and so it sort of shifts back to something that goes beyond just a business interest.
Field: Very good. Anna, back to you.
Delaney: All right. Annie, this has been excellent education for all of us. Before we wrap, we have one final question for everyone, and feel free to be as creative or as serious as you like. If you could invent one piece of futuristic tech to improve election security, what would it be? Annie, you take a moment, you take a pause. We'll come back to you. Tom, do you want to tackle this first?
Field: Oh, I've got this immediately. The first thing that came to mind was ChatBFL - Big Fat Liar. Someone goes out there and announces that they're eating dogs and cats. I want ChatBFL to say, "No, that is false."
Delaney: Excellent. Michael, top that.
Novinson: I'm definitely not going to be topping that. So, I was thinking about the identity verification process. I know there's been so much discussion around voter ID and the burden of that in place and undocumented immigrants, etc. So, there needs to be other ways to verify identities without a card, biometrics, retinal scans, etc., which certainly raises some privacy issues. But, I was wondering whether there is a way to give people confidence that the people who are voting are people who are eligible to vote without forcing everybody to carry around and show a physical identification card.
Delaney: Mine is a sort of cross between that and something fun. So, one of the big challenges of democracy is voter apathy, and I'd love to create a sort of secure but fun voting platform. So, something that re-energizes and incentivizes indifferent voters. So, maybe you would use your phone or the equivalent, verify your identity with biometric data, and then you could cast your vote in a virtual world, futuristic cities, enchanted forests or wherever it is. And then, to combat the apathy, each time you vote, you unlock rewards and features making the process hopefully both secure and fun and engaging. Annie, what have you got?
Fixler: So, I don't think mine are nearly as fun or perhaps even as innovative. So, election security is one of the pieces of the work we do. We do a lot of work on other critical infrastructure sectors as well, and the constant refrain I hear from operational technology security experts is the lack of visibility into those systems. So, unlike IT systems, there's just not the same kind of visibility, and there isn't the kind of tools that give them the visibility. There are lots of different bespoke products, but nothing that's interoperable. So, that's where we need to be focused on. It's not futuristic. It's a now problem, but I want to fix that.
Field: I'm hosting a discussion on exactly that topic tonight, Annie.
Fixler: Excellent.
Delaney: That's the most intelligent answer. So, thank you, Annie. Hopefully, that won't be an issue. Any of these issues next week, and we'll get through them. But, wish you all the best during this very busy time, and thank you so much for sharing your wealth of knowledge and expertise with us today.
Field: Thank you, Annie.
Novinson: Thank you, Annie.
Fixler: Thank you.
Delaney: And Annie, hope you'll be back with us again soon.
Fixler: Be my pleasure.
Delaney: Thanks Tom and Michael. And thank you so much for watching. Until next time.