According to Varol, if a foreign or domestic cyber actor attempts to disrupt, manipulate, destroy or affect the process of the election by using cyberattack practices, this constitutes an election interference; election hacking refers to breaches that are intended to manipulate voter data, change the vote tally or discredit the results. Both types of attacks are tracked by the Federal Bureau of Investigation and the U.S. Cybersecurity and Infrastructure Security Agencies, which regularly meet with local election officials to brief for potential threats.
Varol added security measures include sensors on every state's network to monitor for cyberattacks, and once vulnerabilities are detected, they are patched as soon as possible.
This interview has been edited for length and clarity.
What impact can foreign election hacking have on election outcomes? Are there any specific past examples that you could share?
There is a very slim chance that the hackers can change vote count, but they can definitely influence people to believe that they did manipulate it. If election fraud is going to happen, it'll be because of disinformation. For instance, recently hackers on a Russian forum posted that they had stolen data on voters in Michigan, which raised concerns. Although it is a privacy issue—exposure of Personally Identifiable Information—it has no direct way of changing the vote tally. However, it has the potential to make people not vote if they start to believe that the election is hacked.
Has foreign election hacking always been a concern, or has it become more prevalent in recent election cycles? Why do you think that is?
This was always a concern, but with the recent magnitude of cyber attacks, such as WannaCry, StuxNext, Equifax and Target, not only the attackers increased their attempts after successful breaches, but also the government entities increased their attention for a secure election.
How has election security changed over the past couple of decades? Do you think elections have become more or less secure? Why?
With the increased use of social media and online campaigning, there are more ways to interfere with the elections. If successful, attackers can prevent people to not go for voting. However, the security of the election has not changed much. Still, in order to change the vote tally, one needs to either hack the voting machines in the poll locations or attack the communication lines. While it may be attractive to some foreign entities to manipulate the results, the system is getting secured each day via patching the vulnerabilities.
Should voters be concerned about foreign election hacking? Why or why not?
At the very least they should be concerned. According to several sources, voter data was obtained by foreign entities. Even though they may not able to change the outcome of the election, they still have Personally Identifiable Information, which is protected by a combination of federal laws, including the Electronic Communications Privacy Act, Telephone Consumer Protection Act, Family Educational Rights and Privacy Act, etc., that is a concern of losing one's privacy.
What do you think needs to be done in future election cycles to deter foreign election hacking?
Cybersecurity standards need to be tightened. Current security assessment standards of ISO 27001, PCI DSS, FedRAMP, even the comprehensive Cloud Security Alliance Security, Trust, and Assurance Registry standards do not emphasize the importance of digital forensics in their framework. Clarifying which logs should be acquired, analyzed and reported in a forensically sound manner is crucial to protect our elections. Any evidence that is not collected by the norms of the acquisition procedures or not analyzed according to the principles of digital evidence handling will be dismissed by the court. Therefore, security standards need to have a section on the digital forensics aspect specifically regulating data/log storage and evidence handling that should be implemented by the government.
Is there anything else you would like to add?
There is still an enormous workforce need in cybersecurity. Because of the shortage of personnel, companies, government, and our elections are under more cyberattack threats than yesterday. Therefore, not only do we need to increase the number of security experts, but also move toward more artificial intelligence solutions.