Thursday 29th October 2020
BLOG: Biden Their Time – The Cyber Threats To The US Election and Their Wider Consequences
By Orpheus Analysts
The US presidential election is always an important event in the domestic and international political landscape; this year, however, this importance is heightened more than ever as the tense competition between Donald Trump and Joe Biden takes place against a backdrop of distrust in the political system and increasingly disparate political ideologies.
As the battle for political victory wages on, this distrust in the integrity of the political system is likely to be exacerbated by the activities of various cyber threat actors, with increasingly negative consequences for the viability of democratic political systems worldwide.
Financially-motivated cybercriminals threaten the availability of election-related services, in turn threatening to impact the election’s integrity and subsequent public trust in the robustness of the democratic system if votes cannot be placed or counted. Nation-state activities also threaten the election’s integrity, not through attempts to physically change its outcome but rather through sophisticated and widespread online influence operations designed to exacerbate socio-political tensions and further heighten distrust in the democratic electoral process, and subsequently in democracy itself. This objective is also likely to be pursued by domestic political actors with vested interests in amplifying particular narratives.
For example, financially-motivated cybercriminals looking to leverage the election’s importance for profit will disrupt the availability of election-related services like voter registration databases or vote-tallying systems, potentially causing votes to go unplaced or uncounted.
Judging by the proliferation and profitability of ransomware incidents this year, this will likely be done by financially-motivated ransomware groups using the election’s importance as leverage to force victims to pay a ransom. Such incidents have already occurred: election software provider Tyler Technologies paid a ransom to RansomX earlier this month, while another ransomware attack against a local US government encrypted a database used to verify voter signatures, succinctly demonstrating the significant disruption caused by ransomware.1 As such, ransomware represents a significant threat to the integrity of the election if unavailable cause voters to be turned away from polling stations or have their votes go uncounted. This possibility has not been ignored by authorities: Microsoft and the FBI recently took down infrastructure used by the operators of TrickBot, a botnet used to deploy ransomware strains like Ryuk, with the botnet being identified ‘as one of the biggest threats to the upcoming US elections’.2
Recent trends of ransomware groups stealing and publishing victims’ data also represents a threat to the confidentiality of voters’ personally identifiable information (PII): in an election marred by heightened tensions and ever-increasing political divisions, releasing voters’ PII and voting behaviours is likely to have significant repercussions for the individuals affected and would undoubtedly decrease confidence in the security and integrity of democratic political institutions.
Motivations aside, cybercriminals and ransomware groups in particular represent a significant threat to the integrity of the election as their activities have the distinct potential to undermine the ability of US citizens to cast their vote, ensure their votes can be counted and keep their personal data personal. This disruption to the availability of services subsequently has a knock-on effect for the integrity – or even just the perceived integrity – of the election outcome.
While cybercriminal activities do represent a significant threat, it is important not to ignore the elephant in the room. One of the biggest controversies of the 2016 election was Russia’s extensive attempts to manipulate US voter behaviour. While the majority of reporting on this campaign focused on Russia’s undeniable objective of helping Trump win the election, the intelligence community’s analysis actually indicated a broader, strategic objective of sowing discord within US society and undermining the integrity of democratic elections, with a wider view to diminishing the power and influence of the US-led liberal democratic order more broadly.3
It is pretty likely that this objective still exists for Russia, given its rocky relationship with the US. It is also pretty likely that Russia is also seeking to promote a continued Trump presidency, as internal discord and apparent lack of cohesive global strategy weakens the US’ geopolitical position. Undermining US-led democracy and the power and influence of the US is a likely goal for other state actors too: for example, US sanctions on Iran have been a source of contention in the country, with the Iranian ambassador accusing the US of committing ‘economic tension’ this year.4 Additionally, the ongoing US-China trade war, such as restriction of suppliers for China’s Huawei, makes weakening the US an attractive prospect for Beijing too.5 The 2020 election therefore provides these state actors with an opportunity to pursue this broader strategic objective of weakening both the US and democracy in general, primarily by impacting – or appearing to impact – the integrity of the election procedure and its result.
It is true that states might seek to actually influence the election result by compromising vote counting systems and changing the results, likely in this case to ensure a Trump victory. Evidence from 2016 shows that Russia compromised vote counting systems in all 51 states, showing that this is at least within their capability.6 However, we assess that physically changing the results cast is less likely to be used: there was no evidence that votes were changed in 2016, and although it appears that a Trump presidency would superficially benefit these state actors by continuing to exacerbate US societal discord, what is likely to have more long-term advantages for these states is creating the perception that voting systems are insecure. This perception will fundamentally undermine confidence in the integrity of election procedures and the subsequent results: in the event of a Biden victory for example, evidence that state actors were able to compromise vote counting systems could allow the Trump campaign to justifiably dispute the result.
One of the most likely avenues states will use to achieve the wider strategic objective of undermining the US is through the use of online networks and cyber space to conduct influence operations aimed at manipulating public opinion and changing voting behaviour. This was a prominent tactic of Russia’s in 2016, with state actors being linked to thousands of inauthentic social media personas impersonating real Americans and trying to influence discourse related to the election.7 Growing transparency around state actor use of social media in particular shows the extent of this tactic as a way of influencing opinions and promoting particular narratives, such as Chinese networks blaming the US for the outbreak of COVID-19 (and vice versa).8
A prominent theme of 2016 was voter suppression and dividing voter support, for example dissuading African-Americans from voting and promoting alternative Democrat candidates to reduce the possibility of a block vote for Clinton: it is likely that we will see some attempts at voter suppression this year, particularly among demographics deemed less likely to vote for Trump. For example, the FBI linked Iranian state actors to a recent email campaign threatening Democrat voters, which purported to originate from the far-right Proud Boys group.9 As such, it is likely that state actors have been using social networks for some time to amplify narratives and opinions in support of their wider objectives with regards to the US election.
States may also use means like exploiting vulnerabilities or using spear-phishing emails to gain access to political-related networks, with the view to conducting espionage and obtaining potentially damaging material that will later be strategically leaked. This tactic was used against Democrat candidate Hillary Clinton in 2016, painting her as unreliable and unconcerned with security.
In the same vein, we assess that state activity of this sort will actually increase after the election result is announced, most likely promoting narratives to discredit the result and promote distrust in the integrity of democratic systems.
Overall, based on emerging evidence and the available information from 2016, the threat to the election from state actors is less about impacting the availability of services and more about subtle manipulation of its integrity, not necessarily through physically changing votes, but rather through coordinated influence campaigns designed to exacerbate divisions within US society and promote Trump’s victory, ultimately in pursuit of the strategic objective of undermining US geopolitical influence for their own gain.
Domestic actors, in addition to foreign nation-states, also have a vested interest in using cyber means to influence the election and ensure their desired candidate gets the victory. Activists and domestic political actors are less likely to have the technical capabilities to compromise networks or manipulate results, and instead are highly likely to rely on influence operations and voter manipulation, through both traditional political propaganda and adoption of tactics used by nation states such as fake online personas and amplification of damaging information, misinformation and disinformation. An emerging trend, not necessarily conducted purely by domestic political actors, is the outsourcing of disinformation and inauthentic behaviour in the growth of a ‘disinformation-for-hire’ ecosystem.10
A further threat to the election, although admittedly more abstract, is the propagation of conspiracy theories, starting online and filtering through to the offline world via media coverage. One such conspiracy theory that characterised the 2016 election was Pizzagate, which claimed Clinton and senior Democrats were running a global paedophile ring from a Washington pizza restaurant. So strong was the belief in this conspiracy theory that a man actually stormed the restaurant with a firearm to rescue the children he believed were held there.11 The ’Pizzagate’ of 2020 is the QAnon movement, whose core belief is that Trump is secretly fighting a global war on an elite paedophile network.12 Such narratives are compelling and colour perceptions, and as such amplification of such conspiracy theories could have an albeit hard-to-measure impact on the election’s outcome by influencing voter beliefs and behaviours.
Overall, there are credible cyber threats to the election: use of ransomware or data leak extortion by financially-motivated cybercriminals could seriously impact the availability of integral election-related systems and thus impact the procedures and result of the election itself, threatening the perception of its integrity and the integrity of democratic systems themselves. Given the importance of keeping these systems available, and the relative ease of deploying ransomware through vectors like open ports or spear-phishing, targeted extortion ransomware is very likely to be a threat to election services in both the run-up to voting day and afterwards as votes are tallied.
In terms of the threat from nation-states, although state actors clearly have the capability to compromise vote counting systems and influence the result, it is more likely that the most prominent threat from state actors is prolific and relatively sophisticated influence operations conducted via online networks and through manipulation of media coverage to amplify particular narratives. The main objective of the nation-states covered here is likely to be to undermine the integrity of and trust in democratic processes for their own wider geopolitical gain.
There is also a smaller yet not insignificant threat from domestic political activists, who are less likely to have the capability to compromise networks or deploy ransomware but have power to strategically amplify particular narratives and conspiracy theories in pursuit of their own political objectives, thus representing an abstract but important threat to the integrity of the election.
What do organisations need to be aware of?
While the threats to the US election undoubtedly concern all interested in democracy, the cyber risks to the election also have an application for organisations. The tactics observed during the election may be used against organisations in the future. Both campaign teams have appointed cyber security professionals and will be using threat intelligence to inform the decisions they make. If new vulnerabilities or tactics emerge, organisations should consider using this intelligence to inform their own cybersecurity strategy. In the past few days, the NSA released a list of vulnerabilities being exploited by Chinese state actors. This is relevant for all organisations.
How the campaign teams use and apply threat intelligence is also of interest. Both teams will be monitoring threat actors, ensuring they are as aware as possible of any credible threats to their activities. This intelligence will be used to inform cybersecurity priorities. In 2016, details on the intelligence the teams had been given, was made public after the election.13 While there is less sensitivity this time, as it is widely accepted there are attempts at foreign interference, we would expect to see a similar review. This intelligence will also be of interest to organisations, informing them of new potential threats and the response of intelligence agencies.
1 https://www.bleepingcomputer.com/news/security/tyler-technologies-paid-ransomware-gang-for-decryption-key/ ; https://www.washingtonpost.com/health/report-ransomware-disables-georgia-county-election-database/2020/10/23/92a8317e-156d-11eb-a258-614acf2b906d_story.html
3 US Government, ‘Assessing Russian activities and intentions in recent US elections’ (2017), pp. ii
Get our latest cyber intelligence insights straight into your inbox every week
Fill out the short form below to subscribe to our newsletter so that you never miss out on our cyber intelligence insights and news.