Usually, when we write a "What you need to know" post on the Rapid7 blog, it's generally a rapid response to breaking news about a specific software vulnerability that's grabbing headlines — recently, we covered the Exim, RDP, and Zoom vulnerabilities. Today, though, I want to talk about pretty much the opposite of that, and put together an explainer on one of the most written-about information security challenges we have today, covering everything from the weaknesses of individual voting machines, to the information ecosystem they participate in, through the human factors exploited by phishing and election day anxiety.
Hacking elections
Before we get into details, I want to set a little context here. Generally, you can boil election manipulation down to two main goals: either you want to influence the outcome of an election to give one candidate an edge over another, or you want to fundamentally undermine confidence in the democratic election process as a whole. If your goal is the former, you will generally look for means that are highly scalable so you can get the result you want, and hard to detect so you get away with it and no one knows or can prove what you’ve done. For this, your best avenues are largely techniques that have been used to influence election outcomes for centuries; propaganda and misinformation, blackmail, and smear campaigns. Attempting to manipulate the technological systems that underpin elections to influence the outcome of an election is actually much less effective than well-executed propaganda campaigns, though some hacking can certainly be helpful in building these campaigns, as election security
