Securing democracy in the digital age
29 May 2017|

Image courtesy of Flickr user damian entwistle.

Earlier this month, the campaign of French presidential election candidate Emanuel Macron fell victim to targeted cyber intrusion efforts by infamous Russian hacking collective that goes by a number of names including Pawn Storm, Strontium, Fancy Bear or APT28. Spear phishing email attacks against Macron’s En Marche! Party were followed by the public release of 9 gigabytes of reportedly confidential communications less than 48 hours before ballot boxes opened. While Macron was still able to secure the presidency on 7 May, his campaign said that the efforts had ‘put the vital interests of democracy in jeopardy’.

The French experience is just the most recent development in what appears to be a tide change in international cyber relations. The 2016 US presidential race between Hillary Clinton and Donald Trump was a wakeup call that highlighted democracy’s vulnerability to manipulation in today’s digital world. The hacking of multiple state voter registration databases, the strategic dumping of stolen email communications and the prominent position of social media all played a role in undermining public confidence and shaping public opinion. A US intelligence community assessment controversially asserted that, ‘Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election.’ Unsurprisingly, Putin has denied any involvement, but it seems the threat’s here to stay—countries such as Germany and the UK now concerned for the digital security of their upcoming elections.

As this kind of cyber operation becomes an increasingly attractive tool of statecraft, it’s important to understand the distinct variables at play in modern election security. My new report, Securing democracy in the digital age, presents a conceptual framework through which to understand the challenge. By employing the US election experience as a case study, the report outlines the distinction between the cyber vulnerabilities of election infrastructure and the possibility that public opinion is vulnerable to manipulation.

The most direct way to influence a democratic process is to compromise the practical mechanisms that are used to assess the public will. Vulnerabilities inevitably exist in any digital system, and election infrastructure is no different. Malicious actors can target weak spots in voter registration databases and e-voting machines to influence both who can vote and how their vote is recorded. While this seems like the most obvious point to target, it’s challenging to rely on these points to sway anything other than an extremely close election, especially in countries like the US which have a particularly decentralised electoral system.

A more sophisticated technique is to influence how people decide their vote. Every vote cast is the product of the information ecosystem that individual has been exposed to in the preceding months. This environment can be manipulated in three ways: by strategic disclosure of compromising information, by disseminating “fake news” and by leveraging the echo chambers of social media.

Acquiring and distributing true but previously unavailable facts about a candidate can change the way people make their election choice. Sometimes referred to as ‘doxxing’, this approach involves ‘maliciously disclosing information in a calculated fashion to inflict setbacks in political momentum and unity’. The Wikileaks dump of 20,000 Democratic National Committee emails in June followed by 58,000 from Clinton’s campaign manager in October 2016, and the targeting of Macron’s campaign emails are the most prominent examples of that tactic in recent times.

But malicious actors don’t even have to go to the effort of stealing authentic compromising information: they can just create fake news. False information can be disseminated online to influence citizens’ decision-making and the democratisation of media means that this type of mass misinformation operation is easier to carry out than ever before. The proliferation of fake news was a defining theme of the 2016 US presidential election. Worryingly, in the final months before the election, trending fake news headlines received higher Facebook engagement rates than the top headlines from traditional media outlets, such as The New York Times and The Washington Post.

The introduction of new information into the public debate, whether real or fake, can also be more impactful than ever before thanks to artificial consensus on social media. Newsfeed algorithms are designed to show people what they want to read, based on their demonstrated preferences. The result is the creation of online silos, or ‘echo chambers’, which reduce the likelihood that an individual will be exposed to views contrary to their own. The volume of those arguments can also be automatically boosted by networks of bot accounts or manually boosted by armies of trolls. Those techniques can give a voter the impression that a particular view receives a greater level of popular support than it really does.

The issue of contemporary election security isn’t going away. Democracies need to consider the vulnerability of their electoral process and craft policy solutions for their specific context, and Australia is no exception. ICPC’s new report outlines a variety of policy questions that governments need to address related to the cybersecurity of election infrastructure, the integrity of the public debate and the development of normative responses. It will pay for Australia to be on the front foot on this issue. Proactive steps should be taken to ensure that our democracy remains secure in the digital age.