What does the U.S. government need to do to respond to what happened in the 2016 presidential campaign and to protect our elections going forward?
It’s useful to think about attempts to influence the election as involving at least three parts. There’s the hacking of individuals’ email, in particular the DNC and John Podesta; there seems to be some scanning of election systems by Russian hackers in at least twenty-two states; and then there’s the influence operations online—the creation of fake accounts, trolls, and the use of disinformation to exacerbate political polarization in the U.S., at first to weaken the Hillary Clinton campaign and then to help Trump win. Each of those three things has a different set of solutions.
You’ve said you’re most concerned about the election systems. What is being done to protect them?
The Department of Homeland Security declared in early 2017 that election systems were critical infrastructure. That means that the federal government can share threat information with state and local officials, who run elections. The biggest problem is that, in part after the disaster of the hanging chads from Gore and Bush, there was a move away from paper to electronic voting systems. But in fact, paper is safer when you think about cyberattacks. You at least want a paper backup, so you can check the results. There are some things that all election systems can do to become safer: having a paper trail, making sure critical systems aren’t connected to the internet, and doing some type of after-election audit. The general feeling is that improvements are not happening fast enough. The midterm election is coming soon.
Is the focus on voting machines being vulnerable to hacking?
It’s not only the machines. You could mess with the voter rolls and create huge lines at polling places—lots of the systems use online registration. You could mess with the reporting of the results. If CNN announced the wrong results, that would have a damaging effect. There are so many systems involved that it’s very hard to defend, so we have to do all these things as quickly as possible.
We have tried to send a message to the Russians, by declaring that this is critical infrastructure, that we would respond in a more punitive way than we have in the past. After 2016, the U.S. government sanctioned some Russian entities, but that was really it. In the last year, though, the government has been much more vocal about calling out Russian hackers and the Department of Justice has indicted several. This is all an attempt to deter the Russians.
What do you think of Facebook’s efforts to combat disinformation?
I don’t think Facebook has done enough, but there are a lot of structural problems with social media that are hard to overcome—economic incentives to make information go viral as well as cognitive biases that amplify fake news. In his testimony to Congress, Mark Zuckerberg talked a lot about using artificial intelligence, but artificial intelligence is not very good at differentiating disinformation from real news, so we can’t rely on those systems yet. Those systems probably can be gamed as well.
Should government do more?
Part of the problem is that the president has not taken the influence operations seriously, because he sees any discussion of the Russian involvement in the election as undermining his legitimacy. Many of his uses of Twitter and social media parallel what the Russians have done: undermining the media, undermining basic democratic institutions. Congress is much stronger on it. One proposed law that I support is transparency on political ads—any ad on social media, you’d have to identify where it came from and who paid for it. It would be like an ad on TV: “I paid for this and I support these points.”
What should the response be to the third type of attacks, the leaking of private communications to damage candidates?
Partly that involves basic cyber hygiene, like two-factor authentication and greater reliance on encryption. The DNC and the RNC both hired new tech aides. Part of it also has to do with reporters and the reporting of breaches. There was a competitive pressure to report on the hacked emails, without putting them in the context of saying they’re hacked and this is part of an influence operation.
How widespread is cyber meddling in elections worldwide?
The Russians have been the most prolific actors. We’re fairly confident there were operations around Brexit and the German and French elections. The Chinese have mainly used it in territories that they consider internal or directed at dissidents, so Taiwan, Hong Kong, and Tibet, you’ll see trolls and Twitter bots and other things—we haven’t really seen it directed at the U.S. Iran also seems to have used it mostly locally, against dissidents. We’ve also seen Qatar and UAE hacking and doxing—releasing emails—trying to influence U.S. politics and increase support from the administration. We think that the UAE hackers put fake comments from the emir of Qatar on a website, which helped spark regional tensions.
At this point, we should expect it in elections everywhere.
And It Might Not Stop At Elections…
Meddling in elections is one way to undermine democratic systems, but Adam Segal believes politically-motivated hackers might not stop there. Consider the U.S. Census. “If you mess with that, it could cause massive political conflict,” Segal said. “If you manipulate the census, you manipulate the electoral system.” Then there’s the fact that federal funds are distributed based on population size and makeup. “So federal services could be disrupted. Budgeting, the sense of the ethnic identity
A recent Oxford University report identified “cyber troops” in 28 countries, targeting foreign and domestic populations with social media on behalf of government, military, or political groups.