When people hear the term “cyberwarfare,” there are a few things that come to mind. The things people visualize tend to be the high-impact, “scare the pants off you” scenarios such as those one might read about in a thriller novel or see on television. For example, a rival nation disrupts a country’s power grid, purposefully bringing about industrial accidents to cause harm, interrupting communications, interfering with public services (e.g., opening dams to cause floods) and so forth.
These are, of course, very real things that could happen. In fact, they have occurred in actual practice. Stuxnet, for example, is widely believed to be a cyberweapon created for the specific purpose of disrupting the Iranian nuclear program. Another example is the (Not)Petya outbreak that caused so much disruption in the Ukraine. It is widely theorized that this attack was a cyberwarfare campaign designed around that specific purpose. Since nations are notoriously tight-lipped about their offensive cybersecurity capabilities, it is unlikely that there will ever be irrefutable proof that either of those examples was, in fact, cyberwarfare—but Occam’s Razor1 tends to lead to the conclusion that they probably were.
Despite the images that the term “cyberwarfare” tends to invoke, however, there are techniques that, while equally disruptive over the long term as the examples above, operate with more subtlety and are much less directly visible to those they impact. For example, consider the possibility of systematic and targeted attacks against the democratic process—in particular, subverting or influencing a specific election outcome.
Now, in some places, this is a loaded topic. For example, there are discussions currently underway in the United States political realm about whether or not this was a factor in the most recent US presidential election. Despite that, though, most everyone can agree that having a secure, accurate and reliable result from an election is important to any democracy. And, regardless of where one stands on any given example of election tampering, most everyone can agree that the stakes are high enough to warrant candid discussion about the possibility as elections become more automated and technology is more frequently used to directly support them.
State of the Community: Election Security
It was with this in mind that ISACA, as part of a broader investigation about secure government (in particular, smart cities), surveyed its members related to their confidence in governments to ensure accuracy, reliability and security in the election process. Respondents were varied across disciplines, including those from the audit, security, risk, governance and compliance fields. The one thing they have in common: They all share a commitment to “trust in information and information systems.” Who better to ask?
The specific questions asked were in the abstract, without attention or focus on any specific region, individual election or set of elections. Two questions were asked, related to:
- Whether practitioners had confidence in the ability of governments to ensure secure, reliable and accurate outcomes from the election process
- The level of government that should have accountability for ensuring the security, accuracy and reliability of the election process
Approximately 2,000 people were surveyed (1,954, to be exact) and what they said was striking. First, the overwhelming majority of respondents lack confidence in the ability of government to ensure the security of the election process (figure 1). Eighty-four percent were at least somewhat concerned about the ability of the public sector (i.e., government) to conduct secure, reliable and accurate elections.
Respondents were also asked about who in government should be responsible for ensuring the security of the election process. Respondents were asked to select the areas of government where responsibility lay for securing the election process; multiple selections were allowed (as one can imagine multiple levels of government having a role to play here) (figure 2). Results here were more split, with most (71 percent) believing that the national government should have responsibility. State (51 percent), county (40 percent), city (41 percent), and regional (23 percent) government were seen as having a role, but by a much smaller factor (20 percentage points). In addition, 14 percent of respondents also saw nongovernment institutions (e.g., the media or private enterprise) having a responsibility as well.
Implications
Given the impact that elections have for any democratic nation, the importance that members place on ensuring that outcomes are fair and reliable should, perhaps, not be surprising. Likewise, given that election outcomes are of national significance, readers should, perhaps, also not be surprised that most view the national government as being the most accountable entity to ensure it. That said, the fact that these results are what they are has a few implications for the industry and, perhaps, for society at large.
First and foremost, this should serve as both an area of opportunity and potential warning—both for government and the industry. Specifically, it is a fact that elections are becoming more automated, with increasing levels of support from technology. It is important that systems are built that can bolster confidence in the outcomes of the elections they support. This is why it is both an area of opportunity, but also concern. On one hand, automated systems appropriately designed and hardened can help underpin confidence in a secure and trusted election process while increasing voter convenience at the same time. By contrast, when those systems leave something to be desired from a security point of view, the opposite can be the case.
Additionally, for jurisdictions where the national government has a minimal role in the security of the election process—for example, in the United States where the state and local government have the most direct oversight—the fact that citizens see the national government as being the entity that should play the most active role is an issue and food for thought for policy makers.
Endnotes
1 Gibbs, P.; “What Is Occam’s Razor?” Physics FAQ, University of California, Riverside, USA, 1996, www.math.ucr.edu/home/baez/physics/General/occam.html
Ed Moyle
Is a founding partner of the analyst firm Security Curve. Prior that, Moyle was director of thought leadership and research at ISACA. In his nearly 20 years in information security, he has held numerous positions including senior strategist with Savvis, senior manager with CTG’s global security practice, vice president and information security officer for Merrill Lynch Investment Managers. Moyle is coauthor of Cryptographic Libraries for Developers and a frequent contributor to the information security industry as an author, public speaker and analyst.