by Tim Maurer and Arthur Nelson*
Carnegie Europe is on the ground at the 2020 Munich Security Conference, offering readers exclusive access to the debates as they unfold and providing insights on today’s threats to international peace and stability.
The debacle during the Iowa caucus on February 3–4, when a new app designed to collect voting results malfunctioned, was a powerful reminder that it doesn’t take a nation-state to disrupt an election.
It was also a powerful reminder that while each of us carries the internet in our pockets via smartphones, the process of digitalization is by no means complete. The long-awaited advent of the Internet of Things—the extension of the internet connecting with things such as televisions and refrigerators—will lead to an exponential increase in internet-connected devices.
Even in the delicate context of elections such as the U.S. presidential primaries, the desire to go digital has not stopped.
As these trends unfold, there are few signs that cybersecurity will get much better. Instead, the amount of potential targets for attackers will increase, and the number of malign actors savvy enough to exploit them for their criminal or political advantage will grow. In recent years, the focus has been on securing elections, and understandably so after recent events around the world, including Moscow’s interference in the 2016 U.S. presidential election.
However, it is important to avoid the trap of fighting the last war (using past experiences to deal with future challenges) and to overcome the failure of imagination for what the future of cyber may bring.
Democracies, in particular, are vulnerable. Cyber attackers can target institutions directly, or indirectly by undermining public trust in them, but democratic societies—because they cannot risk jeopardizing democratic values and principles—are constrained in how to prepare and respond to such attacks.
It is therefore paramount to focus more broadly on institutions that depend on public trust. The following three are particularly worthy of increased attention.
First, the census. Census data is a core pillar for the functioning of a state, from economic planning to how parliament gets elected in some countries. Similar to elections, if the collection, transmission, or storage of census data or processes were disrupted, corrupted, or even appeared to be corrupted, it could undermine trust in public institutions.
As countries around the world rely more and more on digital services to conduct their census, mostly as a cost-saving exercise, the possibilities for malign actors to interfere with the conduct of a census grows.
For example, the 2020 United States Census has been dubbed “America’s First Online Census.” Yet, the digitalization process has been rushed, leading to a government watchdog considering the 2020 census to be a “high-risk” undertaking. Much like the attempted election interference in Ukraine in 2014, the United States would not be first to suffer interference in its census. In 2016, the census in Australia became the target of a so-called distributed denial-of-service attack, which unlike the app failure in Iowa needed somebody with malicious intent behind it.
Second, consider how reliant financial systems are on public trust. “The malicious use of Information and Communication Technologies (ICT) could . . . undermine security and confidence and endanger financial stability,” warned the G20 Finance Ministers and Central Bank Governors in 2017. Just last week, on February 5, Christine Lagarde, former managing director of the IMF and now president of the European Central Bank, warned that a well-organized cyber attack on a major financial institution could cause a financial crisis.
Following past attacks that have been traced back to North Korean and Iranian actors, these are not empty warnings. Profit-driven nonstate actors are no longer the only ones targeting financial institutions—nation-states have gotten a taste for it too.
For those with the intent to disrupt and destroy, hacking to steal money may not be enough, and the mix of hacking and conducting influence operations could be a tempting option.
Attackers could seed false information to affect the stock market—like the fake tweet in 2013 about an attack on the White House, placed on the Associated Press’s Twitter account by the Syrian Electronic Army hacker group, that (temporarily) sent the stock markets south—or they could erode public trust in banks like when a false rumor spread via WhatsApp caused a run on a London bank in 2019.
As we learned in the 2008 crash, once public trust in financial markets is lost, it is hard to recover.
Third and finally, elections understandably have and should remain a top priority. The operation targeting the 2017 French presidential election demonstrated that the interference in the 2016 U.S. presidential election was not the end of it.
It is also clear that the combination of hacking with the deliberate leaking of information is becoming the preferred modus operandi. Manipulating election infrastructure itself is more challenging—and keeping it secure must remain a focus—but it is easier to hack a campaign and leak compromising material to derail a candidate, and this requires a different set of responses and stakeholders.
In short, while cybersecurity is no longer the shiny new object, we should brace ourselves for what is yet to come. Democratic societies, in particular, have an unsteady path ahead.
The biggest challenge is to develop effective responses to cyber threats without undermining the very values and principles that democratic societies are designed to protect. Democracies must also be careful to avoid falling into the trap of blaming adversaries for outcomes of bad governance. Influence operations work by amplifying existing discontent, not creating it.
How countries deal with these threats, which take place in the gray space between war and peace, is certainly a topic worthy of discussion at the 2020 Munich Security Conference.
*co-director of the Cyber Policy Initiative& a senior fellow at the Carnegie Endowment for International Peace and research analyst in Carnegie’s Cyber Policy Initiative
**first publist in: carnegieeurope.eu