There was something inherently cringeworthy in reading about 11-year-olds hacking into the database of Florida’s election website, not because the midterm elections are suddenly under the threat of middle-schoolers, and not because hacking the 2018 midterm seems to be child’s play. Rather, it was the feeling that following the coverage of DefCon Voting Machine Hacking Village, a workshop at an annual security conference, the public was left with nothing more than the knowledge that democracy is literally in the hands of Russian hackers, and that there are some very brilliant 11-year-old kids out there.
Add some smart hackers, dilute an issue until left only with its sensationalist side, skip all the boring parts in the process of solving it, and you get technology coverage. Tech coverage seems to resemble an ad infinitum repetition of these steps, with tech companies, non-profits and hackathons following suit and framing their problems and solutions emphasizing the new and shiny. The organizers of DefCon described the environment the kids used for election websites as “exact clones.” The press decided to use the same language: “Exact clones.” After the conference, the organizers cut down on their claims, changing the term to simply “clones.” When the National Association of Secretaries of State issued a press release complaining that the “environment in no way replicates state election systems,” Jake Braun, one of the organizers, replied that they were “fucking idiots” for not seeing that “a nation-state is literally hacking our democracy.”
Later on, a report revealed students were only working with look-alikes of election websites, with specific vulnerabilities added for the event and the participants coached on finding them. Still, Braun’s aggressive response is understandable: He wasn’t actually fighting for the legitimacy of his voting machines. He was fighting to get the media coverage necessary to make the public aware of election cybersecurity issues. Instead, in the process, the core of these issues and their possible solutions got lost in hundreds of words on terrifying Russian hackers and brilliant middle-school hackers.
In response, ProPublica released an article on a completely overlooked key piece in election security: email system vulnerability. The two-factor verification process is a way of logging in that requires not only a username and a password, but also something only the user has (e.g., a unique code on their phone). This type of logging in is so widely used that even we, as college students, can use it to log into our university accounts. But it is also one of the things that one-third of the counties overseeing toss-up congressional elections don’t have access to. Internet-connected systems are just as vulnerable to hacking as voting machines, but email is such a mundane thing that it would be hard to find its place in an article talking about hackers undermining or saving democracy.
Throwing around the words “cybersecurity” and “hackers” instinctively brings to mind coders trying to break encryption. Cybersecurity, though, should not be regarded as solely a technology challenge. Harvard University’s Belfer Center for Science and International Affairs developed a checklist for managing cyber risks during political campaigns, but you probably won’t see that too often in the news. A report on cyber risk that mostly deals with the “human element” in cybersecurity doesn’t seem to add anything new or shiny to tech coverage. Still, cyber risks mostly show up because we are human. Because some of the most common passwords people use are “123456” and “password.” Because we put our passwords into spear-phishing emails. Because we will sometimes share our passwords with the people we work with.
The way these conferences and journalists frame election cybersecurity and tech in general affects the perception graduates will have of their future tech jobs. We want jobs where we can work on these supposedly “new” issues and solve them with “shiny” code and brilliant hackers. That’s why so many of us will want to work for Google, Facebook and all the other companies that dominate the press coverage of technology. In the meantime, political campaigns are getting hacked because there was no training in identifying a phishing email. In the meantime, counties are struggling to hire the people capable of dealing with all the emerging cyber risks, and people are probably hanging around DefCon, hacking supposed “election websites.”
Anamaria can be reached at anacuza@umich.edu.