Physical ballots can't be hacked — but other parts of the process aren't immune. (Shutterstock)

In 2015, a year before hacked emails were dumped on the internet in an attempt to sway the outcome of the US election, a similar thing happened in Canada.

Starting in July 2015, self-identified hackers under the banner of the Anonymous collective shared confidential government documents from the Treasury Board with several news outlets. The documents revealed information about foreign spy stations, diplomatic buildings in the United Kingdom and other Canadian government secrets of varying levels of significance. The campaign started after an Anonymous member was fatally shot by a Royal Canadian Military Police officer at a protest. But after a second leak that September, an Anonymous spokesperson told the National Post that the group intended to influence the federal election that was three weeks away.

If you don’t remember this, that’s because the Anonymous campaign in Canada was much less successful than the 2016 Russian campaign in the United States when it came to disrupting the election narrative. Anonymous released fewer Canadian documents, containing lower-stakes secrets, compared to the tens of thousands of emails stolen from the Democratic National Committee and Hillary Clinton’s campaign chairman John Podesta that included insights into campaign intrigue and undisclosed comments from Clinton about foreign policy. During a busy election campaign season in the fall of 2015, nothing that Anonymous dug up was captivating enough to divert the focus of the Canadian media.

But, with another federal election looming a little less than a year from now, Canada might not get that lucky again. The Russian operation’s success in interfering with the US presidential election offered both inspiration and pointers for state adversaries or other bad actors aiming to derail democracies. Canada’s electronic spy agency, the Communications Security Establishment (CSE), noted in a 2017 report that cyber operations aimed at damaging the democratic process are rising around the world, and predicted that Canada would not be immune from this kind of threat activity.

Canadians still vote with paper ballots in their federal elections, which is a major advantage — unlike electronic voting machines or online voting, physical ballots can’t be hacked. But even if voting isn’t digital, many other parts of the election process are, and that makes them vulnerable to interference. Here are a few ways that could happen.

Hacking the Vote

While the voting process in Canada is relatively safe from digital interference, voter registry information that is stored online can be meddled with in several ways if an adversary gains access to it. They could delete all or part of the list, tamper with entries or add fake ones, or encrypt it with ransomware, making it inaccessible to the election bodies that need it. “All of this activity has the potential to embarrass the electoral agency and sow doubt in the minds of voters,” the CSE warns in its election report. “It could also slow down voting, leading to voter frustration and/or suppression, which could impact election results.”

Anyone who can access voter information can also use it to misdirect voters — Canada saw something similar to this in the 2011 election when automated telephone messages were sent to voters directing them to the wrong polling location. Even without voter information, these misdirection efforts can take root on social media. In the US presidential election in 2016, several messages circulated on social media encouraging voters to stay home and vote by text — which is impossible.

After votes are tabulated, the results are transmitted and released electronically. This part of the process could also be hijacked by hackers to release incorrect results to the public. Again, this interference could create doubt about the process or the outcome. It would also have the potential to sway the outcome of the vote in Canada, because after the first results begin emerging on the East Coast, voters in British Columbia and the Prairies still have a couple of hours to cast their ballots. For this reason, it used to be illegal to announce polling results until all the polls had closed across the country, but this policy was reversed ahead of the 2015 election because social media made it impossible to enforce.

Hacking the Parties and Candidates

Political parties and campaign offices collect huge amounts of information to help them organize their campaigns, from donor lists to strategy documents to driver schedules that aid in get-out-the-vote efforts. Any of these can be compromised if they are stored on devices that are connected to the internet or shared in emails. Once data security has been compromised, there is no end to the ways that adversaries can deploy data to damage the campaign. As with the Clinton campaign, sensitive internal documents or communications could be hacked and revealed, to damage a party’s or candidate’s public image. Even if nothing untoward is happening in private conversations that are exposed, they can still contribute to public perceptions of unsavoury behaviour. “When released to the public, frank internal communications can damage the façade of respectability that politicians model for the public,” Nathaniel Zelinsky wrote in a paper for the Yale Law Journal. Meanwhile, if a campaign’s contact information or schedules are deleted or tampered with, it can cause chaos for the campaign’s logistical operations.

Influence operations can also take the form of coordinated harassment campaigns that target candidates. Female candidates and those from marginalized groups are particularly vulnerable to harassment and abuse, both online and offline, but on social media platforms, hateful harassment campaigns can easily become amplified. This effect makes it more difficult for affected candidates to use social media in the same way as their white male rivals might use it to connect with voters and spread their message. In some cases, it may also lead them to withdraw from the race or discourage other women or minority candidates from running. In Iowa last year, a candidate named Kim Weaver, a Democrat running for US Congress against Steve King, an incumbent known for supporting white nationalist views, was overwhelmed by abuse and threats after she was singled out in an article by the neo-Nazi Daily Stormer website. “I’m normally a pretty brave person, but when you feel like you’re in a fishbowl and you don’t know who it is that’s throwing rocks at you, it’s disconcerting,” she told The New York Times. “You don’t know if it’s somebody sitting in his mother’s basement in Florida or if it’s a gun-happy white supremacist who hates you who lives a block away.” She eventually decided to pull out of the race.

Hacking the Information Environment

Coordinated disinformation campaigns on social media have been widely discussed since the US election, but they have not yet been eliminated. Facebook and Twitter have both made efforts to crack down on bots — automated accounts that pose as regular users to spread their messages. However, because platforms largely rely on algorithms or artificial intelligence to detect telltale signs of automation, it is more difficult to identify trolling campaigns that may be run by individuals or are only partially automated. Just last week, Facebook identified and removed a few dozen more false accounts and groups that originated in Iran but posed as Americans posting on sensitive political topics.

Disinformation campaigns like this can affect elections in several ways. They can create general confusion in the digital information space, which is where Canadians increasingly go to get information about news and issues that matter to them. They can sow doubt in the democratic process or the outcome of the vote. And they can hijack attention away from important campaign issues.

What Can Be Done?

All efforts should be made to protect digital election infrastructure from hacking, and to build that infrastructure’s resilience in case protection measures fail. But those efforts should also extend from central organizations, such as Elections Canada and party leadership, to candidates, returning officers and campaign volunteers across the country. Many of these smaller campaign and elections offices have less staff and fewer resources than their national counterparts, and without proper training and education, their employees and volunteers might not be able to identify hacking attempts or influence operations until it’s too late. The Canadian government partnered with Facebook last year to release a Cyber Hygiene Guide for parties and candidates. While it is mostly focused on Facebook accounts and pages, some of the information it contains can be applied to other forms of digital technology that many campaigns use. Still, more training may be needed, particularly when it comes to influence campaigns. In Sweden, for example, the government agency in charge of emergency preparedness trained more than 10,000 civil servants and election officials on how to detect and respond to influence operations ahead of this year’s federal elections.

Public awareness efforts are also key, in order to help voters improve their media and digital literacy skills to become better at detecting influence efforts and false information. As part of its election outreach campaign, the Canadian government also partnered with a media literacy organization called MediaSmarts, but the group has traditionally been focused on students and youth. So far, its reach on election issues appears limited, but there is still time to change that before October 2019. If democracy is going to be resilient in the face of disinformation efforts, public education efforts need to reach as broad a segment of the population as possible — and they need to start now.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.
  • Stephanie MacLellan

    Stephanie MacLellan joined the Global Security and Politics program in July 2016, specializing in Internet governance and cybersecurity.
