I'm a reporter working on a story about if/how the business community is working to protect the election from cyber threats. I'd be grateful for this community's thoughts on themes, challenges, and successes. Of the three main branches of this issue (vote casting, cyber threats against campaigns, and misinformation spread) right now I'm mostly interested in threats to election boards and political campaigns.
You can check me out here: https://twitter.com/_charleslane
If you have wisdom that may help me, I can be reached at 203-365-0420, firstname.lastname@example.org
Did you have a particular election in mind? National / local?
The most obvious security concerns are around voting mechanisms themselves, but any cybersecurity threats are very specific to new technology, and new tech has been adopted in a very patchy way in different countries (and even regions of countries). Estonia was a really big pioneer of electronic voting; and there have been Russian cyberattacks against Estonia... some lessons learned there.
I think the bigger threats are much broader ones such as fake news, the occasional hacked website or social-media profiles, and so on.
Bear in mind the uniqueness of the U.S. landscape. What you are dealing with in every state are hundreds of registrars of voters/election boards. As long we don't do something like allowing the federal government to seize oversight of all elections (and I worry we might go there), we should be fine. Hacking a national election would be like trying hack every Coke machine in the country. Remember, constitutionally, the people don't elect the president. The states do. Each state is entitled to determine its elections and its electors how it sees fit. There is no legal obligation that every state does the same thing (as a matter of fact we don't; Maine and Nebraska use a split electoral vote). I am not sure we need to change anything with the election system, but if we do, it will be up to each state to make that decision. I think you would find that even at the state level, trying to implement a single homogeneous system would be impossible and overkill - a community of 100 doesn't need the same system as a community of 100,000.
As to protecting the campaigns, my understanding is that at least one of the attacks was a mere phishing email. There is no magic dust; it is simply a matter of apparently intelligent people taking the time to learn these tools before using them. However, for whatever reason, they don't. Nearly every phishing attack can be revealed by reading email in plain text and applying a little common sense. As to the other reported attacks, while the details remain vague, in all likelihood they featured a notoriously vulnerable operating system that probably was never patched. Any question regarding how do we protect these campaigns is akin to asking "how do we make sure they don't kill themselves in a car accident." If these folks insist on doing the equivalent of speeding in a car that has no brakes and failing to wear a seat belt, then I don't think we can do much to help them. To contrary, however, just a moderate degree of care and attention could make them and, by extension, our political system more safe. But it's not a technical problem. It's a human one.
Lastly fake news,I have yet to see the evidence that the fake posts influenced the election, but if they did, I suggest it was so hard for some Americans to recognize their absurdity because they had been exposed to equally absurd campaign rhetoric from both major parties for decades. Quite honestly, in looking at some of the false posts, they didn't seem much different from the mud-slinging that passes for "approved" campaign advertising. But again, is this a technical issue? Logical fallacies go back to the days of Aristotle. The fact that we have abandoned critical thinking skills in favor of other topics is not a failure of technology.