Illustration by Lisk Feng September 2019, ScientificAmerican.com 69
not receiving software patches for vulnerabilities.
Nearly 25 percent of states do not have complete paper
trails, so they cannot do postelection auditing of phys-
ical ballots. Election security is not a partisan issue. Yet
there are roadblocks, especially coming from Republi-
can leadership in the Senate, that make it unlikely that
an election security bill is going to advance. I think
that is a terrible abdication of Con gress’s duty to pro-
vide for the common defense. So, many of the worst-
case scenarios for election interfer ence are still going
to be possible in 2020.
LEADING UP TO ELECTION DAY
CYBERWARFARE often involves exploiting known vulner-
abilities in systems and the basic limits of people’s
psychology and gullibility. During the primaries and
in the months leading up to the election, influence
operations on social media are going to get much
more precise and data-driven than ever before—and
therefore more effective and harder to detect.
Already presidential candidates are finely crafting
political advertisements to specific demographics of
voters to maximally influence them. So, you might
receive one message from a candidate based on what’s
known about you in consumer databases. And people
with slightly different views on certain issues might
receive a different message from the same candidate.
Of course, the bad guys who are trying to spread out-
right fictions will begin to harness the same strate gy.
As we saw in 2016, one of the goals of attackers is
to increase the amount of divisiveness in society—to
reduce social cohesion. Suppose the Russians pur-
chase access to the same consumer-profile data that
advertisers in political campaigns use to target you.
They can combine that with data from political polls
and purchased (or stolen) voter-registration lists to
figure out exactly how much your individual vote mat -
ters and use those tools to push customized disin for -
mation at narrow groups of people. Attackers may
even impersonate political candidates. In a crowded
Democratic primary season, there will be sweeping
opportunity to deploy microtargeted messaging to
turn people against one another, even when they
agree about most things.
We all assume that more transparency is a good
thing. But people have always taken facts out of con-
text when it is helpful to them and harmful to their
opponents. Candidates increasingly live with the
threat of targeted theft of true information. When
information is selectively stolen from particular groups
that an attacker wants to disadvantage, the truth can
be used as a powerful and one-sided political weapon—
and as we saw with the 2016 Hillary Clinton campaign,
it was incredibly effective. It is such a fundamental
threat to our notions of how the truth in journalism
should play out in a democratic process that I’m sure
it’s going to happen again. And it can get a lot worse
than the theft of e-mails. Imagine someone hacking
into candidates’ smartphones and secretly recording
them during private moments or while talking to their
aides. My research group is polling political campaigns
to assess how well they are protecting themselves from
this, and so far I don’t think they are ready.
We’re also going to see information that is doctored
or entirely synthetic and made to appear real. In some
ways, this creates a worse threat. Attackers don’t have
to actually catch the candidate saying something or
e-mailing something if they can produce a record that’s
indistinguishable from the truth. We’ve seen recent
advances in using machine learning to synthesize vid-
eo of people saying things that they never actually said
on camera. Overall, these tactics help to undermine
our basic notions of what’s true and what’s not. It
makes it easier for candidates to deny real things that
they said by suggesting that the content of e-mails and
recordings were forged and that people shouldn’t be
believing their own eyes and ears. It’s a net loss for our
ability to form political consensus based on reality.
Meanwhile each state runs its own independent
voter-registration system. Since 2016 many states have
taken great strides to protect those systems by install-
ing better network-intrusion detection systems or by
upgrading antiquated hardware and software. But
many have not.
During the last election, Russians probed or at -
tempt ed to get into voter-registration systems in at
least 18 states. Some sources quote higher numbers.
And according to the Senate Select Committee on Intel-
ligence’s findings, in some of those states the Russians
were in a position to alter or destroy the registration
data. If they follow through this time, across entire
states people will go to the polls and be told that they
aren’t on the lists. Maybe they will be given provisional
ballots. But if this happens to a large fraction of voters,
then there will be such terrible delays that many will
give up and go home. A sophisticated attacker could
even cause the registration system to lie to voters who
confirm their own registration status through online
portals while corrupting information in the rolls that
are used in polling places.
Attacks on preelection functions could be engi-
neered to have a racial or partisan effect. Because
of antidiscrimination laws, some voter-registration
rec ords include not only political affiliation but also
race. With access to that database, someone could eas-
ily manipulate only the records belonging to people
of a certain political party, racial group or geographi-
cal location.
In some states, online voter-registration systems also
allow the voter to request an absentee ballot or to change
the address to which the ballot is directed. An attacker
could request vote-by-mail ballots for a large number of
citizens and direct them to people working with the
attacker who would fill them in and cast fake votes.
ON ELECTION DAY
ELECTION INTERFERENCE can be successful in many
ways—it depends on an attacker’s goals and level of
IN BRIEF
There are still major
cybersecurity vul-
nerabilities facing
the 2020 U.S. presi-
dential election,
in part because the
election system
is based on faith
instead of evidence.
Foreign attackers
could target voter-
registration rolls and
election machinery
ï¹yïyà ́ùy ́`y
the outcome or sow
chaos and doubt.
The worst-case sce-
narios could result in
an unprecedented
constitutional crisis.