Midterm elections have huge stakes, not only for the future of immigration, taxes, but also the future of security, social media and technology, how it all plays in to the election process. I spoke with Dan Patterson, Senior Producer with CNET and CBS News, about the cyberthreats facing United States voting systems. The following is an edited transcript of the interview.
Karen Roby: You have been immersed in the election coverage here for us, and some of the things we want to break down here are the talking points, starting off with hacking. You’ve written so much about this, looked into this so much, what are the biggest vulnerabilities, as you see, right now?
Dan Patterson: Well, the cybersecurity space, when it overlaps with the election security space, is fascinating. There are almost as many vulnerabilities as there are hackers. Through the course of the last 10 weeks, in the run-up to the 2018 midterm election, we’ve covered everything from election and voting machine flaws, to critical infrastructure, the dark web, and different types of malware that’s being deployed in states, ahead of the election. One thing we have not found, however, is evidence of clear interference, so it’s fascinating to see all of the potential threats and not a ton of evidence of actual implemented attacks.
Campaign 2018: Election Hacking is a weekly series from TechRepublic sibling sites, CBS News & CNET, about the cyber-threats and vulnerabilities of the 2018 midterm election.
Karen Roby: And when it comes to this, in preparation, of course everyone is scrambling to do what they can to be out in front of this, and some states, it seems, are doing better than others?
Dan Patterson: Well, states everywhere are shifting from mechanical voting machines to different forms of digital voting machines, and with that, of course, comes a number of security flaws and vulnerabilities. Of course, TechRepublic’s Alison DeNisco Rayome has covered the flaws and vulnerabilities that exist in various states, and we see the federal government working with various state, not just governments, but voting precincts, to make sure that election vulnerabilities are taken care of before we go to the polls.
SEE: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)
Karen Roby: It’s been fascinating, Dan, to see how social media, kind of flipping the script here, how that has played into elections and with candidates. What are seeing this time around here, with the midterms, how social media is playing into things?
Dan Patterson: Well, social media may play the largest role when it comes to election hacking. Once again, if it can be hacked, it probably will be hacked. However, the most vulnerable system might be our brains. We call this cognitive hacking, and what happened in 2016 were a series of what we refer to as influence campaigns. This is using social media to spread propaganda, misinformation, and what we called at the time fake news. These influence campaigns can have a profound impact on inflaming, or at least motivating, some voting blocs, while tamping down or dampening the interests of other voting blocs.
We know that Russia’s IRA and the GRU, in 2016, phished Hillary Clinton, Chairman John Podesta’s email, as well as almost 100 other Clinton campaign staffers. They exfiltrated data, fed that data to WikiLeaks and other organizations, and used that to not just attack the campaign, the Clinton campaign directly, but to power their influence campaign. So this uses bots and trolls on sites like Twitter, Instagram, and Facebook, and it also helps actual users become more impassioned about the issues that may motivate them to, what we call GOTV, get out and vote.
Karen Roby: All right, certainly have to… the election employees and those that are on the campaigns certainly have to stay on their toes. As we’re looking forward here, to wrap up, going to the next two years, with the election cycle, what do you see will be on the forefront, in terms of what we’re going to be talking about, some of the issues?
Dan Patterson: We’ll certainly talk about machine learning and artificial intelligence, however that will probably be in the context of automation, meaning the types of cyberattacks that we experience today will likely be automated and deployed at larger scale. So this could be anything from malware to DDoS attacks, to phishing, deployed, not just crafted phishing accounts that we call spear phishing, but phishing at mass scale, so using automation and AI to send hundreds, thousands of emails, with the intent of hacking accounts and exfiltrating in… or downloading sensitive data that is inside your email account.
We’ll also see technologies like the Internet of Things play a role, not only in the data produced by IoT but likely in voting machines. These machines are essentially computers, and once again, if it can be hacked, it probably will be hacked. As more and more voting systems come online, they will of course be more and more vulnerable. It is undoubtable that we will continue to see influence operations, not just here in the United States, but around the world. Of course, we know that Saudi Arabia now has a history of paying people pretty good money, about $3,000 a person, to create fake accounts on Twitter. We know that China deploys influence operations in regional political adversaries. So it’s undeniable that social media will also play a big impact.