www.expel.io The Election Supply Chain: Where and how elections can be compromised (and what we can do about it) 52K VO @ TE BALLOT BOX www.expel.io When you think about elections, most people think about that moment when you show up and cast your ballot. Think about election security and you’re probably wondering just how secure that voting machine is. But the system is more complex than There are six distinct parts of the election that—election security isn’t about supply chain (see below) and each has the securing a single machine. Consider potential to be compromised at different voter registration efforts and election times (and in different ways) during the rolls or all of the information voters have election cycle. digested leading up to voting day that have influenced their decisions. And don’t The potential for election compromise forget what happens after you cast your starts long before Election Day. We’re vote and how the results are tallied. going to look at potential points of compromise and how a crafty attacker To really understand election security could “hack” each piece along the chain. you’ve got to consider the entire supply We also offer up ideas about how public chain. There are plenty of opportunities and private sector organizations—even for bad actors to influence votes and individual, well-informed citizens who are voters. And the adversary can be lurking planning to vote—can better protect our almost anywhere, whether that’s at a elections from attacks. polling place or behind a Twitter account. THE SIX PARTS OF THE ELECTION SUPPLY CHAIN The election supply chain: Where and how elections can be compromised Contents Election information distribution channels ..................4 Candidate campaigns .................................. 6 Voter registration process .............................. 8 Pollster ratings ........................................10 Voting infrastructure ...................................12 Results reporting ......................................14 What happens next? ...................................16 www.expel.io Election information 1 distribution channels AT A GLANCE Why it matters Say “election security” and the ballot box is probably the first thing that comes Attackers become to mind. But long before a voter drops their ballot in the box, attackers are trying influencers using to hack their brains by compromising the information they consume to make social media bots, their decisions. fake photos and videos, and paid ads. Information about candidates, campaigns and issues is available everywhere you turn—from Twitter to the nightly news to your Facebook feed. The problem? Publishing and promoting content is so easy to do these days that anyone can be an influencer whether they’re qualified to be one or not. In fact, political misinformation is so rampant that The New York Times asked its readers to send in examples of it…and they received over 4,000 submissions! WHEN IT HAPPENS ELECTION CYCLE BEGINS HOW COMPROMISE HAPPENS ELECTION DAY ATTACKER OBJECTIVE Push false information to influence voters AND BEYOND... HOW IT COULD HAPPEN AND REAL-WORLD EXAMPLES 52K Social media bots Fake photos and Paid advertising (or lots of people) videos The IRA not only used bot As much as we call them A video of U.S. House accounts to push specific “bots” they’re actually Speaker Nancy Pelosi was narratives, they also used real people actively doctored to make it seem ads to target certain working to push specific as though she was drunk individuals. Facebook messages. The Internet and slurring her speech. released hundreds of ads Research Agency has been The manipulated video that were paid for by outside implicated in extensive was shared by thousands interests to push different election meddling in the on social media. agendas around the time of 2016 election. the 2016 election. 4 The election supply chain: Where and how elections can be compromised The impact Why it’s hard to fix Whether it’s deceptive claims about candidates The same reasons why people love to use or poorly labeled ads, all the election-related social media are the reasons that make it so misinformation that’s floating around out there hard to fix. It’s cheap, anonymous and easy makes it tough for voters to separate fact from to reach hundreds of thousands of people. fiction. The onus is on each voter to figure out Information (real or fake) can travel like wildfire the truth about candidates, campaigns and the and it’s highly dispersed. issues they care about, and to be their own fact checker. HOW WE CAN PROTECT THE PROCESS VOTERS CAMPAIGNS FEDERAL GOVERNMENT BEFORE Fact check information before Actively call out misinformation, Enforce laws that require NOV 2020 you believe it using sites like potentially through your own campaigns to disclose when they snopes.com (and definitely advertising campaigns. buy ads on social media sites. before you share it). BEFORE Ask social media companies Work with social media Consider updating the 2024 to actively supply information companies to get misinformation Communications Act of 1934 to to help with the fact checking campaigns taken down before empower all media companies process rather than relying on they spread. to address information third-party sites. operations in political ads. All the election-related misinformation that’s floating around out there makes it tough for voters to separate fact from fiction. 5 www.expel.io 2 Candidate campaigns AT A GLANCE Why it matters Political campaigns are fast-moving, dynamic organizations. Campaign strategy, When outside voter targeting information, canvassing, polling, you name it—they’re constantly parties gain access creating and communicating information about their strategies, messages to campaign and prospects for victory or defeat. When outside parties gain access to this strategy and information and use it for nefarious purposes, though, they can potentially sway voter targeting voters by sharing their discoveries in an unfavorable light. Attackers could also information, they focus disinformation campaigns on core voter segments for a given candidate, can sway voters increasing the apparent credibility of their attacks by adding specifics or inside by sharing their information about the candidate, their positions and strategies. discoveries in an Campaigns are highly invested in data and technologies associated with unfavorable light. communications, voter targeting and outreach. What they don’t consistently invest in are effective measures for protecting their communications and data… and the results can be devastating. WHEN IT HAPPENS HOW COMPROMISE HAPPENS ELECTION CYCLE BEGINS ATTACKER OBJECTIVES... REAL-WORLD EXAMPLES AND HOW IT COULD HAPPEN ELECTION DAY Disclose sensitive communications In March 2016, the personal information to discredit candidates Gmail account of John Podesta, a AND BEYOND... former White House chief of staff Compromising a candidate or campaign official’s and the chair of Hillary Clinton’s email account is easy if they don’t use multi-factor 2016 U.S. presidential campaign, authentication. Phishing is a low-tech, highly effective was compromised. The spear- method. Once you compromise an individual, attackers phishing attack exposed some of can use their email account to more effectively target his emails, many of which were others, rapidly increasing the scope of a breach. related to the campaign. Impersonate a candidate or political In the 2016 election, a group claiming its efforts were paid organization to discredit them for by Hilary Clinton’s campaign Beyond phishing, attackers use look-alike campaign or targeted Democratic voters with political social media or email accounts – something social media ads urging them to with a name close to an authentic account that appears “skip the lines” and vote by text credible–to spread disinformation. message…which isn’t possible. 6 The election supply chain: Where and how elections can be compromised The impact Why it’s hard to fix Disclosure of sensitive communications can Political campaigns focus most of their people directly impact voter views of a candidate. power and dollars directly on activities to get Knowing which voters the candidate views their candidate elected. There frequently aren’t as potential supporters allows an attacker to sufficient funds for security protections, and focus and potentially customize disinformation there isn’t sufficient knowledge to provide efforts, increasing their effectiveness. Directly awareness and training to campaign staff— impersonating a candidate, campaign or which makes them vulnerable and ripe for organization sows confusion, destroys voter an attack. Once an attack is successful, it’s trust and chips away at public confidence in challenging if not impossible for a voter to be the election process. able to discern truth from lies or understand relevant context in the case of a sensitive information disclosure. Once an attack is successful, it’s challenging if not impossible for a voter to be able to discern truth from lies or understand relevant context in the case of a sensitive information disclosure. HOW WE CAN PROTECT THE PROCESS VOTERS CAMPAIGNS BEFORE Fact check information before you believe it using sites Make staff aware of the risk their technology poses. NOV 2020 like snopes.com (and definitely before you share it). Consider getting help with security basics for everyone Sound familiar? on staff. (pro tip: Use Multi-Factor Authentication). BEFORE Ask social media companies to actively