We have discussed election security for many years, perhaps more so within the last ten years with the documented confirmation of interference by nation states (Russia, China and Iran). Until recently, however, domestic election interference that leverages the power of social networks wasn’t recognized and, frankly, didn’t exist. The power of social media to influence elections has now been thrust into the spotlight again with the whistleblower allegations of Twitter’s former CISO.
History of social media influence on U.S. elections
The 2008 and 2012 election campaigns of President Barack Obama displayed the power of social networks in delivering platform points and energizing the electorate. Pundits and technical analysts at that time (including me) characterized the effort as Obama’s campaign smoking their opponents on the social network landscape. This success was achieved through a better understanding of the social network medium the amplification provided through viral messaging.
By 2015, we saw Russia up to its hips targeting state election infrastructure and shaping the narrative via misinformation and disinformation. This included using personnel operating in the United States at the direction of the Russian government to affect the outcome of the 2016 presidential election. The FBI warned both major political parties of the Russian cyber actions targeting the election infrastructure, including their candidates and party infrastructure in 2015. By October 2016 we were seeing the publication of information from purportedly independent entities that was shaded or full-on mistruths.
In 2017 the terms “misinformation” and “disinformation” had barely entered the lexicon of the average voter in the United States. I wrote about them in Déjà Vu All Over Again – Russian Active Measures in December 2017 and then again in Election Interference: The Russians Are Back, or They Never Left in September 2020. Both pieces dissected and explained Russian intelligence’s long history of covert action when it comes to elections in other countries.
U.S. moves to counter election disinformation
Now in 2022, these terms fly off our tongues and those of every pundit and media personality. To that end, the United States Department of State stood up the Global Engagement Center within the Bureau of Public Diplomacy and Public Affairs to direct the United States’ efforts to “recognize, understand, expose and counter foreign state and non-state propaganda and disinformation efforts aimed at undermining or influencing the policies, security, or stability of the United States, its allies, and partner nations.”
The Bipartisan Policy organization produced a report, How Tech and Election Officials can Protect Elections Online on August 24, 2022. The report begins with a declaration that should be absorbed by all involved in evolving technology, be it infrastructure or that used to engage with the electorate, “Tech companies can be a force for good around elections.”
The Department of Homeland Security’s Operational Analysis Center, in conjunction with RAND, issued a 2022 report Securing U.S. Elections, A Method for Prioritizing Cybersecurity Risk in Election Infrastructure. As the title suggests, the 58-page document is focused largely on the technology securing elections and not the use of technology that informs and influences the electorate. The report does mention, however, how digital platforms “play an important role in disseminating information (or disinformation), shaping public opinion, and providing a means for candidates and campaigns to engage with the voting public. These platforms are also subject to potential cyber threats. They are, however, beyond an election official’s control or influence to address potential vulnerabilities to cyber threats.”
Similarly, the Cybersecurity and Infrastructure Security Agency (CISA) has created an election security resource library that highlights both “new and evolving threats that require a whole-of-society approach.” CISA’s toolbox, made in conjunction with the U.S. Election Assistance Commission, highlights areas of greatest risk, technical cybersecurity assessments and services meeting critical needs, and gaining a sound analytic foundation for managing election security risk with key partners (local, state, federal). CISOs whose entities are involved in securing election infrastructure may wish to avail themselves to the free training offered by CISA.
Is Twitter a threat to election security?
In late-August the former CSO of Twitter, Peiter “Mudge” Zatko, filed a whistleblower complaint against Twitter, in which he discusses the security shortcomings of the social network among which was the observation that these shortcomings constituted, “Negligence and even complicity with respect to efforts by foreign governments to infiltrate, control, exploit, surveil and/or censor the ‘company’s platform, staff, and operations.”
The 84-page whistleblower complaint, which provides the former executives perspective, is replete with a litany of shortcomings which, in his opinion, made Twitter vulnerable to manipulation during the 2020 presidential election cycle. Here we are in August 2022, heading into an election cycle in November 2022, this is not reassuring from the electorate’s point of view, especially since the Bipartisan Policy organization has called on companies like Twitter to lean into protecting the public from disinformation, misinformation and exploitation.
Twitter stated, “Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance. What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context.”
A public post on LinkedIn by Edward Amoroso, CEO of Tag InfoSphere, which garnered over 250 comments, highlighted his disagreement with Zatko’s approach. I agree. From my seat, CISOs have been tussling with CEO, CFO and CIOs on the distribution of resources, budget availability and strategic implementation for seemingly forever. The lack of transparency of cybersecurity issues within a company has launched the SEC proposed requirement to include attestations in filings, similarly, the ongoing prosecution of the former CSO of Uber has highlighted the need for errors and omissions insurance for all executives. What every CISO needs to focus on is identifying risks, addressing those risks, rinse and repeat.
Election security needs to be “always on”
Yet, the use of information, disinformation and misinformation both domestic and foreign to influence voters on how to vote and to take action, which has often been deleterious to the wellbeing of election officials, is a very real concern. The Bipartisan Policy report highlights with clarity how “future cycles will look different.” The report cites the opportunity for tech companies to work with election officials.
While not specifically mentioned, the opportunity for tech companies to ameliorate the flow of election disinformation and misinformation was clear as crystal during the 2020 election cycle. Highlighted was the “rampant false information and online and real-life harassment of election officials, as well as the never-ending questioning of the legitimacy of the results of the 2020 election, even today in August 2022.”
The recommendations of the Bipartisan Policy organization are for tech companies and election officials to engage today, not only for the 2022 midterm elections but also for the 2024 presidential elections as well as the elections at the state and local level in 2023. They will need to have availed to them the latest/greatest in cyber products and best practices in protecting the elections.
That said, the report also offers a pragmatic observation. “Know the difference between bad actors’ intentional spreading of false information and news stories that need corrections.” While also emphasizing the need for transparent policies surrounding elections that address:
- Content
- MDM (mis/dis/malinformation)
- Verification
- Advertising
- Security
Lastly, the report urges the adoption of an “always on” perspective, not just in the run-up to election day.
I agree.
Copyright © 2022 IDG Communications, Inc.