This election year, the health of the Union depends in part on how we safeguard our information 

Cybersecurity does not exist in a vacuum and current socio-economic pressures make the United States more vulnerable to cyberattacks of all kinds. With the U.S. presidential election underway, Americans need to take practical steps to defend our democratic processes, online and off. This essay outlines some of the issues facing the United States in advance of the election, shares insights from AttackIQ's recent podcast with leaders of Harvard's Defending Digital Democracy project, and offers specific steps to manage the cybersecurity challenges of this moment.

By Jonathan Reiber and Chris Kennedy

With the U.S. presidential election underway in some states, Americans need to reevaluate our relationship to information and take practical steps to defend our democratic processes, online and off. There are three main areas that require change: how we digest information and communicate with one another; how we manage the cybersecurity and digital aspects of our election process; and how we manage the cybersecurity of our companies and organizations. As we head into a tense period, these three areas are vital for our election integrity and for the stability of the country as a whole.

The reasons are clear. It is broadly known that in 2016, on the express direction of Russian premier Vladimir Putin, the Russian government ran a social media-enabled influence campaign that disseminated disinformation with the express purpose of swaying the American electorate. It included a “hack/leak” operation; the Russian government hacked into the Democratic National Committee and a senior campaign official’s Gmail, stole data, and leaked it through WikiLeaks and Russian government cutout websites. The Russian government concurrently used social media platforms to spread propaganda and disinformation about American civic and political issues. Finally, according to a study by the U.S. Senate, the Russian government targeted election machines in all 50 states (with no evidence of successful vote manipulation). Whether the Russian government’s campaign changed the outcome of the election is unclear; it certainly undercut Americans’ faith in our democratic institutions and political processes and placed social media companies under a microscope.

Some now speculate that Russia may have been holding back in 2016. Indeed, bad actors are already sowing mistrust in the democratic process today. A few weeks ago, Microsoft reported that it had taken actions against a number of Russian government-affiliated actors that were seeking to break into political campaign organizations and others involved in the 2020 election. The U.S. intelligence community is watching hostile governments closely, and the U.S. military’s Cyber Command is conducting operations to defend the United States against Russian interference, according to reports.

None of this is really news. What is news is that tensions within the United States have increased significantly since 2016. Over the last nine months since the novel coronavirus began, the U.S. unemployment rate has escalated and over 31 million Americans are currently out of work. Concurrent with the onset of the coronavirus, police brutality and the movement for Black Lives thrust racial issues front and center into the American political discourse. An attendant increase in violent domestic extremism soon followed. Then, in late summer this year, the fire season placed the entire West Coast of the United States under a thick cloud of smoke that negatively affected air quality across the country.

Cybersecurity does not exist in a vacuum. These socio-economic pressures make the United States more vulnerable to cyberattacks of all kinds. Hostile actors are using social media right now to spread disinformation about fractious issues in American society. “Their interest is not necessarily promoting a political agenda like different parties or interest groups in the U.S. are,” said Robby Mook of Harvard’s Defending Digital Democracy project. “They’re trying to strategically advance a given set of things.” Some adversaries “just want the U.S. to kind of turn on itself.” Disinformation operations, but also destructive cyberattacks, are an attractive option for any adversary seeking to gain an advantage.

Individuals, state and local government officials, and privately managed organizations each have a role to play in helping to protect the digital integrity of our democracy and electoral process. We at AttackIQ recently hosted three leaders from Harvard’s Defending Digital Democracy project on our Think Bad, Do Good podcast to discuss the election and findings from Harvard’s new Elections Influence Operations Playbook. We were joined by Siobhan Gorman, a Partner at the strategic advisory firm The Brunswick Group and a Senior Advisor to the Defending Digital Democracy project; Robby Mook, Senior Fellow at Defending Digital Democracy and a nationally recognized campaign manager and strategist who ran the 2016 presidential campaign for Hillary Clinton; and Maria Barsallo Lynch, a civic leader and Executive Director of Harvard’s Defending Digital Democracy project. This essay outlines some of the issues facing the United States in advance of the election, shares insights from the Harvard team, and offers practical steps to help manage the cybersecurity challenges of this acute moment. 

The state of mis/disinformation today 

Propaganda and manipulation of information have always existed, but never have misinformation and disinformation campaigns so quickly and effectively reached so many people with such limited investments. The Internet grew from zero users at its founding in 1983 to over 4.1 billion users today, making it almost the same age as the Australian actor Chris Hemsworth but much larger. In the Internet’s rapid expansion, social media made it easy for adversaries to adopt a fake persona and spread messages, disseminate falsehood, and stir up socio-political tensions.

State-sponsored actors disrupt and destabilize politics in other countries by taking advantage of our Achilles’ heel as a species: our psychology. Humans tend to trust the information put before us; we also tend to be biased towards information that supports our preconceived notions. Hostile actors engaged in information operations see an unlimited opportunity in social media to exploit users who struggle to verify the veracity of what they read, watch, or hear online.

The situation grows more complicated for the United States given its current socio-economic landscape. A society in tension holds within it the preconditions for effective influence operations, and the Russian government knows that well. Citing a U.S. Justice Department indictment of Russian government operatives, the Harvard playbook highlights that the Russian government has traditionally focused on exploiting emotions around racial issues, immigration, gun control, and the Confederate flag, among others. They want to find and exploit fissures in American society. “‘Where are people going to get angry with each other? And how can we sow distrust in key institutions?’ If they can create chaos, it weakens us and strengthens their hand or gives them more space to do the things that they want to do,” said Mook. 

Citizenship, Civility, and Cybersecurity

How can individual American citizens help address this problem? Citizens can start to help ensure the integrity of the election by fostering deliberate, thoughtful discourse in their online and offline communications. In practical terms, being a good citizen online means adopting communication practices best suited to our day and age. Everyone needs to be skeptical of information flowing toward them, even if (or perhaps especially if) it ratifies pre-existing perspectives. Siobhan Gorman, a Partner at the strategic advisory firm The Brunswick Group, and one of the authors of the Harvard study, says that when sharing information, individuals should follow a new twist on an old aphorism: rather than following the proverb of trust but verify, it is better to “don’t trust and verify.” She argues that we should all start with suspicion. “If it is in a major media publication, you should still try to verify it. People can, quite inadvertently, become part of the problem very quickly.”

Operating with deliberation, citizens can share verified, factual information that helps quell the specter of mistrust that adversaries are working so diligently to spin up. Verified, factual information can help Americans build consensus and unite around a shared understanding of the issues facing the country. Civic unity is not just a feel-good sentiment, as the political scientist Danielle Allen outlined in The Atlantic magazine last summer. Unity facilitates better inter-group relations and better governance, including for complex problems like the coronavirus. In her historical review of the role of unity in American history, Allen notes how unity has helped the United States achieve landmark policy decisions on difficult issues, from Social Security and Medicare to Civil Rights legislation. This election season, citizens should focus on sharing verified, factual information that fosters unity and enables compromise. 

State and Local Government

How can state and local government officials best prepare for influence operations? The Harvard report was written with them in mind. Maria Barsallo Lynch, Executive Director of Harvard’s Defending Digital Democracy project, says there are two categories of disinformation incidents that election officials might see in the coming weeks. There is the broad category of influence operations that are intended to stoke division, amplify political discord, and “take advantage of a lot of the conversations we’re already having as Americans. Then there are disinformation incidents and misinformation incidents…that are specific to the election process itself.”

What are some key lessons? “Not all disinformation is created equal,” says Gorman. “So, the first thing that you need to do is assess whether or not this is really likely to have an impact on the stakeholders that you care about, which are probably the voters. And if the answer is yes, there are a couple of other questions around it: Is it gaining momentum? Is it high volume? It is okay just to say, ‘No we’re just going to watch and wait.’ You do not necessarily need to jump into action, because there is a risk that you could make it a bigger deal than it is.”

There are clearly times when a response is required. “If you think that there is a chance that it is going to grow, you should probably dive in and respond with the facts as quickly as possible and dial back if needed. It is a very tough judgment call there.”

Election officials should also assure the public that every vote will be counted. States across the country have focused on increasing vote-by-mail to ensure electoral integrity under the coronavirus, and have been investing in cybersecurity since 2016. Disinformation campaigns are already working to undermine the legitimacy of the upcoming election, however, claiming that fraud will be widespread. State election officials should work now to communicate their focus on ensuring a free and fair election. They can prepare by reading the Harvard handbook, and by engaging the Harvard team, other states’ government officials, and the federal government for assistance. (See links on this page for resources.)

The Immediate Election Aftermath

Importantly, the country may not know the outcome of the election for some time given the increase of vote-by-mail under the coronavirus. Gorman recommends patience. “The likelihood that we will know that night or even the next morning feels incredibly low to me. I think it is success, frankly, if we know during the first week after the election who has won. I think that the premium is really placed on having an accurate vote count.”  

The Harvard team sees a potential increase in disinformation operations in the post-election period. Gorman says that hostile actors will try to “insert various types of disinformation/misinformation warfare techniques to further explode that situation and just sow chaos. Because if they sow chaos, they’ve won.” 

The country should prepare now for a fractious post-vote period. Leaders can start by urging calm; some already have. “We’re all going to need to take a deep breath and be patient this year because, you know, there’s a substantial chance we are not going to know on election night what the results are, possibly for the presidency, but maybe for many other races that are important to people, and that’s okay,” Federal Election Commissioner Ellen Weintraub told CNN in August.

Outside of the electoral process itself, in the period before the election, critical infrastructure owners and operators should also be on guard. Adversaries may try to strike the United States from multiple angles to cause disruption before November 3 and in the election aftermath. 

Cybersecurity Best Practices

Security, like democracy, demands constant vigilance if it is to work in the way intended. For cybersecurity professionals responsible for managing the integrity of large networks and data, the “don’t trust and verify” aphorism holds true as well. Cybersecurity teams may perform a security audit once a year, but such a sporadic effort provides no real validation that defenses can stave off cyberattacks consistently. 

Security teams need to batten down the hatches and make sure everything works as it should. Rather than deploy new security technologies now, which could introduce vulnerabilities in the final weeks before the election, the right step is to exercise existing security capabilities to ensure that they perform. Teams can use the MITRE ATT&CK framework to validate security program performance. As a next step, state and local governments can deploy automated testing to maximize the security effectiveness of the electoral system safely and at scale. 

Good security planning also means preparing for the unexpected. Before Russia launched its social media campaign to undercut the 2016 U.S. presidential election, Russian government organizations deployed malware onto different parts of the U.S. electric grid; the U.S. national security community worked hard to protect the nation’s power infrastructure. While the security community was looking in one direction, however, Russian government operatives flew under the radar to initiate a coordinated and sustained influence campaign.

This year, every security leader should ask themselves: Where might an adversary try to attack in a way they have not before? What are our weaknesses? Large companies, federal agencies, and political campaigns will face elevated risk because they are obvious targets for anyone aiming to sow distrust. Businesses should be on high alert; hostile actors will try to strike while the country is distracted. Validation through ongoing testing can help rebuild trust in a world of confusion; it can provide real performance data to ensure that teams operate at their best.

Good Citizens, Online and Offline 

Today the United States faces a period of acute tension as the coronavirus, socio-political instability, and elevated cyberthreats bear down on the population in advance of the election. These pressures make us susceptible to a wide range of digital attacks and influence operations. 

The election demands something from each of us as citizens. Fortunately, the path towards good citizenship remains as clear today as it has in the past. In his second inaugural address, as the Civil War came to a close, Abraham Lincoln called the nation to act “with malice towards none, with charity for all.” By putting this sentiment into practice, Americans have overcome disunity to effect positive change for the good of the whole throughout our history. Today hostile actors use cyberspace to turn Americans away from that course and to distract our country. To move forward “with malice towards none, with charity for all” may be our first defense against online discord. This year, and for many years to come, the health of our Union depends in part on how we share and protect our information.