Nov 7, 2019 - Politics & Policy

Why all infrastructure systems are election systems

 Illustration of anonymous person in a hoodie with a “I voted” sticker.

Illustration: Eniola Odetunde/Axios

Protecting elections from hacking threats means a lot more than protecting election systems from being hacked. Malicious hackers can find plenty of other ways to interfere with elections — notably by discouraging voting through election-day attacks on municipal systems.

Driving the news: Security firm Cybereason has been exploring that kind of election tampering in a series of tabletop simulations over the last year. Tuesday, at the third exercise — essentially a Dungeons and Dragons-style game for law enforcement, government employees and security researchers — a "red team" pretended to attack a city, while a "blue team" defended it.

How it works: Imagine a strategically placed traffic jam outside a polling place in a heavily Republican district. A hacker tampering with traffic lights is just one way someone could sway an election by influencing which voters can show up, all without touching the systems most associated with voting.

  • With so much focus on voting machines, we may be missing the threat of these kinds of attacks.

Here are additional lessons from Cybereason's games:

1. Everything is a weapon. The red team has used transportation, energy and gas, telecommunications, and government and emergency services networks in attacks. And it's easy to see how any aspect of infrastructure could be weaponized on Election Day, from causing a run on banks or a fire in a strategically chosen factory.

2. A key term to know: asymmetry. The main goal of local law enforcement, the first people who would respond to this type of attack, is to protect public safety. The main goal of someone disrupting an election is to, well, disrupt an election. The goals are asymmetrical — they don't require one group to lose for the other one to win.

  • That's something that could be exploited by the attacker. A fire at a factory near a polling place might mean city officials reroute voters to a different polling place. The city wins because people stay safe, yet the attacker wins because casual voters won't put in the extra effort to figure out where they need to go to vote.

3. It's good to have friends. Teams, often composed of law enforcement officials, have struggled to quickly call in federal agencies to handle the problems only federal agencies are equipped to solve or to request state resources when the local police are overburdened.

4. Worry about more than social media: Since 2016, the public has come to realize that social media disinformation is cheap and requires little technical background to launch. But it's not necessarily the most effective way for a sophisticated attacker to shape an election.

  • Social media meddling is "low-hanging fruit," said Sam Curry, chief security officer at Cybereason.
  • But it's a limited tool for affecting votes in terms of reach, effectiveness and time before being identified. For someone with technical skill, the traffic jam may cause more chaos and affect more votes.

The bottom line: The frightening truth is that all critical infrastructure is election infrastructure. Weak links anywhere can be exploited to shape how voters act.

Go deeper