US agencies warn of election disinformation and cyber attacks

The US Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI, has issued a new warning to raise awareness of heightened levels of disinformation around, and potential cyber attacks on, the pivotal 2020 presidential election, now less than two months away.

In a joint statement, the two agencies said they expected foreign actors and cyber criminals to create new, fake websites, alter or deface existing ones, and create and share corresponding social media content in an attempt to discredit the electoral process.

They highlighted in particular the increased amount of postal voting in the 2020 election, which is expected to spike because of Covid-19 protocols and is likely to leave officials with incomplete results on election night. The time needed to certify and announce the final results could well be exploited by malicious actors to disseminate disinformation about voter suppression or ballot fraud, again causing questions to be asked about the election’s legitimacy.

Many of these anticipated disinformation campaigns and attacks are likely to come from state-backed actors in China, Russia and potentially Iran, and, according to the likes of Microsoft, such interference has already started to ramp up.

All three of these state actors are motivated to interfere in US politics for various reasons, and there is substantial evidence to show that Russian interference helped elect current president Donald Trump in 2016, although neither the CISA nor the FBI touched on this point, or noted that the Trump operation itself has been shown to be the source of some electoral disinformation.

Both the CISA and the FBI are urging the public to critically evaluate the sources of the information they consume, to seek out information from trustworthy sources, verify who produced the information and consider their intent.

It is also important for people to verify via multiple sources reports about problems with voting or election results and consider the origins of sources that they choose to share via social media.

Separately, US lawmakers have approved legislation that would make hacking the country’s voting systems illegal under the Computer Fraud and Abuse Act (CFAA), which is already commonly used against cyber criminals – as in the recent indictment of Chinese and Malaysian nationals accused of state-backed cyber attacks.

Tim Mackey, principal security strategist at Synopsys Cybersecurity Research Centre (CyRC), said: “We can all agree that malicious access to a voting machine at any point in its life is a bad thing, so for those of you who thought it was already illegal to hack a voting machine, things are complicated. Since voting machines are owned and managed at the local district level, and aren’t involved in interstate commerce, the CFAA didn’t cover unauthorised access to voting machines.

“With the passage of the Defending the Integrity of Voting Systems Act, the CFAA was amended, meaning that unauthorised access to local voting machines used in federal elections will become subject to the CFAA.”

However, the CFAA is not without some controversy itself because it does not define the concept of unauthorised access. Clarification on this point is currently a topic before the US Supreme Court and, according to Mackey, the outcome could have a significant impact on how security researchers go about doing their job. This reflects similar concerns in the UK over the Computer Misuse Act.