Where hackers haven't directly influenced polls, they've undermined our faith in democracy

It's worse than we feared and the worst may yet be to come

voting

What a difference a year makes. This time last year, Twitter pooh-poohed any suggestion that Russian agents ran accounts on its platform for purposes of subverting the US election.

A month ago, it was forced to eat its words, owning up to maybe just a few paltry 201. Last week, in the course of a Congressional grilling, that estimate ticked upward a magnitude to more than 2,700.

Facebook, too, upped the ante, admitting that Russian-backed content may have reached not 10 million users, as previously claimed, but 126 million. Some of this, as analysis of the @TEN_GOP Twitter account suggests, was influential. But did it influence the election? That is the $64,000 question. Or, given how much Donald Trump appears to be profiting from his election as US president, perhaps the $64m question.

Not to be outdone, the UK may, finally, be asking some of the same questions. A petition politely asking the UK government to "investigate covert foreign interference in the EU referendum" was cancelled earlier this year when the general election was called. Now it is back and has hit 10,000 signatures, an official (written) response is required.

100,000 signatures means the petition will be considered for debate in Parliament.

Attempts at targeted influence were not restricted to US and UK votes. The same techniques appear to have been deployed during French and German elections.

Union Jack and suit photo via Shutterstock

UK General Election 2017: How EU law will hit British politicians' Facebook fight

READ MORE

These latest admissions add massively to previous concerns that, whatever covert interference took place, financiers with deep pockets were hard at work influencing the outcomes of national elections using advanced data mining techniques and targeted online messaging.

None of the above are great for democracy. All suggest that the influence of social media has already proven malign. Yet this focus on the indirect threat, from tactics designed to swing individual voting may be missing a much bigger issue. That is, the threat from partisan campaigners and hackers to subvert the voting process directly, making the outcome of future elections at best dubious, and, whatever the outcome, destroying the legitimacy of those elections.

This summer, The Register revealed how election-rigging has spread to the disaffected of Reddit, who masterminded a campaign to deprive lefty-leaning radio presenter James O'Brien of a Radio Times award. Their tools: batch-voting bots for Windows and JavaScript, supplemented by a Tor-based Linux app, designed to get past the meagre safeguards put in place by poll host PollDaddy.

Politically motivated? It's hard to tell. Some hackers probably resented the regular spankings that O'Brien administers to pro-Brexit callers on his popular LBC radio show. Others, though, seemed to be doing it "for lulz".

More serious are reports, about the same time, of trolls attempting to distort the results of the government's first LGBT survey. According to some news outlets, this was politically motivated: far-right campaigners exploiting an opportunity to derail attempts by the Government Equalities Office to make policy more responsive to LGBT needs, while simultaneously ramping up Islamophobia.

Again, reality is likely mixed: some politics, some lulz. The end result is the same: a lot of work for data analysts weeding out spurious input; and a lingering suspicion that this survey cannot be trusted to deliver accurate insight. Because out there, in the dark spaces of the web, some of the derailers were discussing how they could more plausibly derail. This involved encouraging submissions that weren't obvious trolls, advocating propositions with little support in the LGBT community but nonetheless credible.

But scale that up, beyond simple online polls to general elections. A year ago, Symantec demonstrated there existed major holes in paperless touchscreen direct-recording electronic (DRE) voting machines used in the US. But it was not until September 2017 that the US state of Virginia agreed to stop (PDF) using these machines after attendees at DefCon's "Voting Machine Hacking Village" flagged them up as potentially vulnerable to hackers.

election hacking

It took DEF CON hackers minutes to pwn these US voting machines

READ MORE

Explaining the decision, Department of Elections Commissioner Edgardo Cortes wrote: "The Department of Elections believes that the risks presented by using this equipment in the November General Election are sufficiently significant to warrant immediate decertification to ensure the continued integrity of Virginia elections."

This is just the tip of the iceberg. Verified Voting surveyed systems used in the 2016 Presidential election. They found five states relying solely on DRE machines and a further eight relying on a mix of paper ballots and paperless DRE machines.

Security much?

In September 2017, the Department of Homeland Security finally confirmed that election systems in at least 21 states had been targeted by Russian hackers in the run-up to the 2016 contest. A small number of systems were breached but, the agency concluded, there was no evidence of any actual vote manipulation.

This follows revelations last year of attempts to hack voter registration systems in Arizona and Illinois. Officials were keen to stress that these involved "preparatory activity such as scanning computer systems" and that "attempts to compromise networks" were mostly unsuccessful. Given that the Illinois attack took down the system for 10 days, and some 200,000 voter details may have been compromised, that is a pretty elastic definition of "unsuccessful".

Still, officials are clear that it is "unlikely" that any real damage was done. So we can all sleep reassured. Mostly.

The problem with digital systems is the overarching fear that everything could be blown up in one act of hacker spite.

This is compounded by the fact that we don't know what we don't know. A further issue with the DREs in Virginia and elsewhere is that they produce no paper trail. They have no vote-auditing capability. We are assured that they have never been hacked but if they were, how would we tell?

The real enemy in this is official complacency.

According to security expert Bruce Schneier, it may now be too late to fix the holes in some systems. He wrote: "We must ignore the machine manufacturers' spurious claims of security, create tiger teams to test the machines – and systems – resistance to attack, drastically increase their cyber-defenses and take them offline if we can't guarantee their security online."

Earlier this year hacker collective Chaos Computer Club (CCC) were shocked not only to discover how easily they could hack – and change – preliminary results of the German Election, but by the dismissive attitudes of those tasked with safeguarding the election. They fixed the systems hole with a patch that CCC almost immediately circumvented.

The US State of Georgia has rejected offers of help to safeguard its voting system, claiming this was just scare-mongering and a power grab from the centre.

From social media to civil servants to politicians, the message is the same: nothing to worry about. A year on, we are beginning to understand how modest our fears were and that the worst may yet be to come.

There are two sets of hackers in this world: those targeting the machinery of voting and those seeking to corrupt the debate, the discourse, the atmosphere via social media. Both are united by a desire to compromise the actual voting, but they'll happily settle for undermining confidence in the overall result. In this, thanks to complacency everywhere, they appear to be achieving their aim. ®


Biting the hand that feeds IT © 1998–2017