US intelligence officials have acknowledged that Russia worked to influence the outcome of the US election, and the New York Times has an excellent rundown of what occurred. It’s a fascinating look at what might be a blueprint for future electoral meddling. But perhaps the most startling fact is that something as large, complex, and arcane as an American election was attacked without touching a single voting machine. We’re now fighting an information war.
Hacks and Leaks
As NPR noted in October, directly attacking voting machines in the United States is quite difficult. The American electoral system is handled at a very local level; decisions about voting machines and how they’re used differ from state to state.
To be compromised by hackers, each voting machine would likely need customized malware delivered directly to the machines themselves, as they are not hooked up to the Internet. It would require a Stuxnet-level scheme, whereby the US and Israel reportedly worked to physically deliver malware to Iranian centrifuges, but for voting machines in states, cities, and counties across the US.
An information war, on the other hand, is a smaller, cheaper, and more scalable affair. Attacking inboxes with phishing emails is well understood by attackers and very difficult to prevent. There are no malicious attachments, just well-crafted links designed to trick unwitting victims into navigating to malicious sites and freely giving up their personal information. These attacks take advantage of humans operating the computer, rather than the computer itself. In the case of Hillary Clinton campaign chair John Podesta, the phishing email was convincingly disguised to look like a security alert from Google, and even encouraged him to activate two-factor identification on his account.
If the attacks had stopped with Podesta, Russia’s goal of shaking up the US election would still have achieved a modicum of success. But they didn’t stop, and each step along the way—the DNC hacks, the dumping of the data by WikiLeaks—built on the last. The slow release to the public of those emails, meanwhile, kept the issue in the news.
That’s in sharp contrast to direct attacks on voting machines or other pieces of electoral infrastructure. Had malicious software been found on voting machines, before or after Nov. 8, it would immediately negate the success (potential or otherwise) of that malware. It’s easy to imagine the United States settings aside its internal political issues and closing ranks against an outside interloper. By opting to release a steady stream of embarrassing information, though, Russian attackers didn’t leave a single smoking gun.
No Risk, All Reward
Using low-level attacks and leaks also follows a hacker tactic of flying under the radar. Hacking emails is something developed nations do to each other all the time; it’s so low level it’s almost laughable. It’s the kind of thing that can be put aside when diplomats sit down to discuss trade deals or even mocked as a piece of campaign theater. But directly attacking voting machines is the kind of thing that leads to sanctions, severing of diplomatic ties, isolation, and, perhaps, war.
So Russia opted to mess with an already contentious election via fake news and a slew of leaked documents that paralyzed a political party, emboldened the GOP, and paralyzed a sitting administration. It risked very little, shamed the American political system, and gained a friendlier White House.
If we’re going to continue to have elections in this country, we need to be able to respond quickly and effectively when another nation tries to tip the scales. Those on both sides of the aisle need to investigate and dissect the 2016 election, or we might not see the next attack coming.