Election defense 2024.
Scott Small: It's absolutely going to be a historic year. We have over 50% of global populations voting in democratic elections this year. So we've seen the numbers vary, depending on which source you take a look at. We also are tracking over 60 elections, nationwide elections, for kind of parliamentary or presidential positions across the world, again, accounting for a majority of the global population. We have some really large countries taking place in votes this year.
Dave Bittner: Hello, everyone. And welcome to "Caveat," N2K CyberWire's privacy, surveillance, law, and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hey, Ben.
Ben Yelin: Hello, Dave.
Dave Bittner: On today's show, Ben and I review Supreme Court oral arguments in two cases relating to state regulation of social media companies. Later in the show, my conversation with Scott Small, Director of Cyber Threat Intelligence at Tidal Cyber. We're taking a look at the cyber threats to the 2024 global elections. While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. [ Music ] All right, Ben. We are teaming up here today, story-wise, because there's so much here to cover. You have been spending a inordinate amount of time listening to our Supreme Court. Bring us up to date here on what's going on.
Ben Yelin: More than I'd like to admit, you know. It's especially hard since they still don't have video, live video, of their proceedings.
Dave Bittner: Right.
Ben Yelin: So I just have to close my eyes and imagine what it looks like inside the Supreme Court chambers -- -
Dave Bittner: You don't have a complete --
Ben Yelin: -- which is no fun.
Dave Bittner: You don't have a complete set of Supreme Court action figures?
Ben Yelin: Which I'm sure some people do. I'm nerdy, but not that nerdy.
Dave Bittner: Okay. [laughing]
Ben Yelin: So, as we're taping this, two days ago, the Supreme Court heard two separate but related cases about state laws regulating social media companies. We've talked about previous court proceedings relating to these statutes before. But basically Texas and Florida both passed laws saying that social media companies cannot discriminate or moderate content in a way that isn't politically neutral. So they can't moderate content in a way that's discriminatory against people with different viewpoints.
Dave Bittner: Okay.
Ben Yelin: And I think the governments in both Florida and Texas were very clear-eyed about what they were trying to do. They were saying that these big tech oligarchies are censoring conservative content in the name of content moderation and that this goes against the principles of free speech.
Dave Bittner: Okay.
Ben Yelin: There are minor differences in the Florida law and the Texas law, honestly not even really worth getting into because I think what's fascinating here is the broader issues at play as it relates to the First Amendment. A group called NetChoice which is a trade organization that represents basically all of the big tech companies implicated in this case. So Google, which owns YouTube, the artists formerly known as Twitter, Meta, they're all represented by this trade organization, which is saying that these laws violate the company's First Amendment rights to choose which content appears on their platforms. And Florida and Texas are saying, actually the First Amendment interests are on our side. We are trying to foster a free marketplace of ideas. So there are a lot of really interesting elements to this case from a legal procedural sense. And I'm going to try not to bore you with them. But I do think it's useful for our listeners to kind of understand some of these key distinctions.
Dave Bittner: Okay.
Ben Yelin: The first is that this is what's called a facial challenge to the laws. A facial challenge means that this organization, NetChoice, is arguing that there is no possible constitutional construction of these laws, that these laws are constitutionally invalid on their face, and therefore, they need to be wiped off the books. Most legal challenges are what are called as-applied challenges. So it would be one of these companies, for example, saying, we suffered a penalty under this law. You fined us for censoring conservative speech. And we're going to challenge the application of that law to our company. That's not what's happened here. NetChoice sought a preliminary injunction to enjoin these laws from ever going into existence in the first place. And they got that preliminary injunction. So they're saying --
Dave Bittner: Now, is it fair to say that this is sort of like the highest-level challenge there is, like all the way to the fundamentals of the Constitution?
Ben Yelin: Exactly.
Dave Bittner: Okay.
Ben Yelin: You're putting your full foot forward and saying this law is so egregious from a constitutional perspective that it should not be on the books. It doesn't matter who the law is applying to. There is no reasonable application of this law that would pass constitutional muster.
Dave Bittner: Okay.
Ben Yelin: That's what the plaintiffs in this case, represented by NetChoice, that is what they are arguing, which is a very bold argument. Now, the burden then is on the defendants in this case, so the states of Florida and Texas, to claim that there is some legitimate sweep of this law. In other words, some aspect of this law that is constitutionally valid so that the facial challenge would fail. Because a facial challenge can really only succeed if there's no way that law could be in place at all without it violating the Constitution.
Dave Bittner: Now, is this an all-or-nothing? Like if you're doing this facial challenge, is that a swing for the fences?
Ben Yelin: It's a total swing for the fences.
Dave Bittner: Okay.
Ben Yelin: And I think that was the intention of NetChoice, was to say, we don't want this law to be in existence regardless of how it applies to our companies. We think it's so fundamentally offensive to the First Amendment interests of the companies that we represent that we're going to go at this with a full facial challenge. We're not going to wait until Twitter/X gets fined for violating the law. We're going to attack the law on its face. So it is really an all-or-nothing approach.
Dave Bittner: Okay.
Ben Yelin: The problem here is that these laws were so poorly drafted that they might actually apply in situations where the laws would be constitutional, which would hurt in terms of a facial challenge. This is where it gets really complicated.
Dave Bittner: [laughing] Okay.
Ben Yelin: So there are a bunch of hypothetical questions and oral arguments about things like Gmail and Facebook chat. So could Gmail say, we are not going to transmit messages from conservative influencers? We're not going to allow Tucker Carlson to be on our platform because he's conservative. And I think the obvious answer would be no. The analog to that is common carriers. So common carriers historically have been things like railroads. They're privately owned, but they're something that are open to the public and, therefore, can be regulated by the federal or state governments.
Dave Bittner: Okay.
Ben Yelin: And like phone companies are also common carriers because there's no expressive aspect to a phone company. They're just routing your call from one number to another.
Dave Bittner: Yeah.
Ben Yelin: And I think that's how we understand email service. It is basically a common carrier. It's routing a communication from one person to another that is a private communication. It's not public. That is a distinction from the expressive aspect of what these companies do, which is what's featured on their newsfeed or their homepage. And I think what these companies are arguing is that if they are forced to put certain content on their homepage or on their newsfeed, that violates their First Amendment rights. There are a lot of precedent cases, for example, saying that a newspaper can't be forced to publish something. Even if it's published something from the opposite political party, it can't be forced to publish something because it is an expressive entity. It has the right to choose who to associate with for First Amendment purposes. But the way these laws were drafted was seemingly so sloppy that the laws might end up applying to entities like Google -- or like Gmail and Facebook chat. And if the law does apply to those entities, I think it would do so in a way that would pass constitutional muster because states and the federal government do have the power to institute regulations against common carriers.
Dave Bittner: [laughing] So wait. So just make sure I'm following you here.
Ben Yelin: Yeah, and I get this is really hard to follow, trust me.
Dave Bittner: But is this a case of these states, in their haste, may have accidentally written up something so sloppy as to be in their favor ultimately?
Ben Yelin: That's exactly what happened.
Dave Bittner: Okay. Brilliant. [laughs]
Ben Yelin: Yeah. So obviously, the purpose of these laws was to go after the big social media companies and prevent them from censoring conservatives.
Dave Bittner: Right.
Ben Yelin: But the law was drafted so sloppily that it might survive this facial challenge because there could be a constitutional application of this law. The constitutional application of the law would be regulating the throttling of emails on Gmail or the throttling of private messages on Facebook.
Dave Bittner: Well, so just let me ask you to pause for just a second here because what if Gmail, for example, discovered that, I don't know, you know, I'm just going to make up an extreme example here. You know, the American Society of Pedophiles --
Ben Yelin: Right.
Dave Bittner: -- right, is doing their business with Gmail. Is it Google's right, as an email provider, to say, we are not going to do business with you?
Ben Yelin: It is, but that's because it falls under a federal statute, which is actually, it's the same statute we've talked about a million times, Section 230, which makes exceptions for things that are clearly illegal.
Dave Bittner: Well, all right, so let me change my supposition here. So let's say it's the American Nazi Party. So not illegal, but just, I mean, in Google's view, distasteful and not the kind of thing they want to have on their platform. Does Google have the right as a email provider to say who they do or do not want to do business with?
Ben Yelin: I think that's a closer case, but I think probably the way at least Florida and Texas legislators would see it and possibly federal and state courts, that Google doesn't have the right to throttle because that would be a content-based restriction that goes beyond things that are illegal under federal law.
Dave Bittner: And is this a sort of -- The deal here is that if you want your Section 230 protection, then you got to let the Nazis use your email service.
Ben Yelin: Sort of.
Dave Bittner: Are those two things wrapped up together?
Ben Yelin: So in order to get your Section 230 protection --
Dave Bittner: Right.
Ben Yelin: -- you have to have a platform that you can regulate to prevent those illegal things from taking place, the things that are spread out in Section 230. But you are shielded from immunity from all other editorial decisions that you make that don't relate to those things that are explicitly laid out in the statute.
Dave Bittner: Okay.
Ben Yelin: So actually, what the lawyer for NetChoice was arguing is that Section 230 actually augments them because it wants to foster an environment where these companies can have some leeway in regulating content without facing legal liability. I think what Justices Thomas and Alita, who seemed the most amenable to Florida and Texas, were saying is, how does this possibly square with 230? Because we had 230 cases. In the 230 cases, you guys were saying, oh, whatever we do on Twitter and on Facebook, that's not expressive content. We are just conduits. We are mere conduits so that people can, you know, post on our site. So please don't regulate us as if we are expressing some type of expressive, creative content. But here, they're kind of arguing the opposite. And that's what lawyers do all the time. I mean, you argue in a way that favors you in this particular case.
Dave Bittner: Sure.
Ben Yelin: You're not bound by what somebody else argued in a different case.
Dave Bittner: Yeah.
Ben Yelin: But there is perhaps that inconsistency there. And I think Paul Clement, who was a Solicitor General under George W. Bush, is representing NetChoice. So he's one of the best appellate lawyers in the country.
Dave Bittner: Okay.
Ben Yelin: And he was basically saying, we think this fits with the spirit of Section 230, that 230 exists so that companies aren't fearful of liability for making content moderation decisions. And us, as NetChoice, representing these companies, want our companies to be able to make those types of decisions. So one thing I want to make clear is, through the oral argument, it appears very obviously to me, and I think most observers, that there are five-plus votes for this notion that forcing these companies to host content on their platforms they do not want to host is an unconstitutional First Amendment violation.
Dave Bittner: Okay.
Ben Yelin: So I think eventually that is where we are going to end up is a situation where these laws as applied are invalidated, as applied to these big companies who do have kind of an expressive role to play. In other words, they are not mere conduits. The homepage of Twitter and the newsfeed on Facebook, they are expressive. They attract eyeballs. They also attract advertisers because they are available to other people, if not to the public, for other people to see. So that is expressive in nature.
Dave Bittner: And that's an interesting aspect, too, because you can imagine a scenario where if they're forced to allow everyone and anything on their platform, they could cease to be a viable business because they'd be so unappealing to advertisers who pay the bills.
Ben Yelin: Exactly. And I think that's their fear here, is they might say, well, if these laws are upheld, maybe we just will not do business in Texas and Florida. Because if this becomes a cesspool of speech that too many people find offensive, whatever that speech is, but we're forced to include that content on our platform because of these laws, it might just not be worth it for us to do business in these states. It seems to me that at least five, probably six, maybe seven of the nine justices agree with that argument, that the newsfeed, the Twitter homepage, the YouTube algorithm, those are all examples of companies having expressive First Amendment rights. And that would be violated under this statute.
Dave Bittner: Okay.
Ben Yelin: The problem is that's not the nature of the challenge in this case. The challenge is a facial challenge. The standard for a facial challenge is there's no possible construction in which this would be constitutional. And because the laws were so clumsily drafted, I think what could happen here is that they remand the case saying, maybe we keep this preliminary injunction, maybe we don't. But lower courts need to figure out in which particular as-applied cases is this law constitutional and in which as-applied cases is it not constitutional. And come back to us when you have one of those cases. This might fail as a facial challenge, even though it would succeed as an as-applied challenge.
Dave Bittner: So when you look at the justices and where you are reading the tea leaves here on where they might land, to what degree is this a strange bedfellows instance?
Ben Yelin: I don't actually think it's a strange bedfellows instance because I think it's the liberals and the more moderate conservatives.
Dave Bittner: Okay.
Ben Yelin: So I think the liberal justices, Sotomayor, Kagan, and Jackson, seemed very skeptical of these laws and, as you would expect, more supportive of the plaintiffs here. Chief Justice Roberts, who's kind of the most centrist of the conservative appointees --
Dave Bittner: Right.
Ben Yelin: -- and also Justices Kavanaugh and Barrett were very skeptical of the solicitor generals of Florida and Texas. Basically asking them questions that are pretty simple, and are things we've talked about here, is how is this censorship if it's a private company doing it? Isn't our First Amendment jurisprudence to protect against government overreach?
Dave Bittner: Right.
Ben Yelin: I mean, I think Kavanaugh basically asked this explicitly. And I don't think the solicitor general of either state had a great answer to that question. They were saying, well, you know, it's more about the spirit of the First Amendment and fostering free speech. And I don't think that was particularly compelling. So that indicates to me that you have the three liberals plus those three moderate-ish conservatives who are against this idea that states can force these companies in the public-facing aspects of their platforms to post certain content. I think those six justices indicated major skepticism, fatal skepticism against that idea. Gorsuch was the one who asked kind of weird, quixotic questions. It's hard to pin down exactly where he is on this.
Dave Bittner: [laughing] Okay. When you say, so what's your recollection of the avenues he seems to be pursuing here?
Ben Yelin: He was the one who brought up Section 230 in the first place --
Dave Bittner: Okay.
Ben Yelin: -- and the interplay between this law and whether it's preempted by Section 230. Alito and Thomas, probably the two most, I mean, almost definitely the two most conservative justices, basically saw this as a pure censorship case. And they both questioned the attorney for NetChoice, Paul Clement, saying, how is this not just blatant censorship? Is it only not censorship because a private company is doing it? And, you know, we've held that you can't violate constitutional rights on what they see as common carrier, something that's open to the public where there isn't sufficient competition that somebody could just go elsewhere. I happen to think, and I think most justices agree, that that's not the correct lens to look at this law.
Dave Bittner: Yeah.
Ben Yelin: These aren't similar to common carriers because there actually is a lot of choice as to which social media websites you could use. You could just go to Truth Social if you wanted to --
Dave Bittner: Right.
Ben Yelin: -- or Rumble. It's not like, you know, the phone company where there's only two or three phone companies in a given area that provide a service. But that's the way they see it. They see this as the private companies are violating the spirit of the First Amendment by engaging in censorship. And they were like, you can use whatever euphemism you want, content moderation, editorial control, but censorship is censorship.
Dave Bittner: But okay, so that's where I was going to go next, which is, I mean, definitionally, right, it's censorship when the government does it. And that's constitutionally prohibited.
Ben Yelin: Right.
Dave Bittner: But when a private company does it, it's moderation. And that's not constitutionally prohibited.
Ben Yelin: Seems pretty darn clear to me.
Dave Bittner: [laughing] I mean, I'm no Supreme Court justice, and I know you have aspirations, Ben, but so far neither are you.
Ben Yelin: Yeah, I haven't quite gotten there yet. I mean, what you're saying is exactly what Clement said and was also the tone of six Supreme Court justices --
Dave Bittner: Okay.
Ben Yelin: -- saying censorship implies the government.
Dave Bittner: Right.
Ben Yelin: And when private companies do the exact same thing, that's something different. That's them exercising editorial control.
Dave Bittner: And that's the peril that the First Amendment was written with in mind, right?
Ben Yelin: Exactly.
Dave Bittner: Yeah.
Ben Yelin: It was designed to protect against government censorship, the government threatening to arrest you or otherwise punish you because the government, those are the guys with the guns.
Dave Bittner: Right, exactly.
Ben Yelin: I mean, I guess these days they're not the only guys with the guns. But those are the people who have handcuffs and can lock you up and can levy fines against you and can take your property.
Dave Bittner: Right.
Ben Yelin: Private companies can't do that. So the First Amendment only applies against the government.
Dave Bittner: Okay.
Ben Yelin: I think what Justices Alito and Thomas would say is the exception to that is common carriers, where you have private companies who have such a market share that they should be regulated as if they were government entities. I don't think that's a good argument here. And I think six Supreme Court justices also don't think that's a good argument.
Dave Bittner: Okay.
Ben Yelin: So I think ultimately, once we get an as-applied challenge here, maybe that's in one year or two years or five years --
Dave Bittner: [laughing] Oh, man.
Ben Yelin: -- I think if the court makeup is the same that it is now, I think this law as applied would be unconstitutional.
Dave Bittner: Okay.
Ben Yelin: Instead, because it was a facial challenge, I think they're going to say, we need to send this back to the lower courts. And the lower courts are going to have to go through every single one of those as-applied challenges and decide for themselves, as applied, is this law constitutional? There's basically only one key question that comes with that, which is, does the preliminary injunction stay in place during that whole process?
Dave Bittner: Right. Okay. So let's talk about that. So the Supreme Court kicks this can back down to the lower courts. Where does that leave the citizens of Texas and Florida?
Ben Yelin: So Clement, speaking again for NetChoice, claimed that they could just keep the preliminary injunction in place.
Dave Bittner: Okay.
Ben Yelin: The standard for a preliminary injunction is it would cause irreparable harm and that the party has a substantial likelihood of succeeding on the merits of the case.
Dave Bittner: Ah.
Ben Yelin: I think you could make an argument, and certainly Clement did, that based on what the justices are saying there, NetChoice does have a very substantial likelihood of succeeding on the merits. And that these companies would suffer irreparable harm, especially if they are forced to cease doing business in these giant states because they don't want to be in a position where they're forced to post content on their websites.
Dave Bittner: Right.
Ben Yelin: So the Supreme Court could say the preliminary injunction is still in place while you go litigate the rest of these issues. The Supreme Court could vacate the preliminary injunction and say we need a proper as-applied challenge. What the companies would do in that circumstance is go back to a lower court and ask for a new preliminary injunction as applied to whatever company or set of companies is bringing those challenges. So, if the Supreme Court keeps the current preliminary injunction in place, there will be no enforcement of this law for the residents of Texas and Florida. That is certainly a possibility. The other two possibilities I see is that they vacate the preliminary injunction so the laws are in place until Twitter or whomever gets fined and submits an as-applied challenge --
Dave Bittner: Ah, I see.
Ben Yelin: -- in which case, there may be a new preliminary injunction. Or I think the least likely scenario is the companies, if the preliminary injunction is not kept in place, these companies just say F it. We're either not going to challenge this policy and just try to comply with it, or we're getting the hell out of Florida and Texas. So those are basically the three options here. I think there is this great irony that you noted that I think cuts to the core of what happened to this oral argument is Texas and Florida, the legislators who tried to put these laws into place, might end up benefiting from the fact that the laws were sloppily drafted.
Dave Bittner: [laughing] You really need to have a good lawyer, don't you, don't you, Ben?
Ben Yelin: I mean, people make fun of us, but you'd be, you know, we can be useful at points.
Dave Bittner: So let me ask you this: If, suppose, the preliminary injunction gets vacated --
Ben Yelin: Mm-hmm.
Dave Bittner: -- could Florida and Texas choose to leave the law on the books and not enforce it and, in doing so, not move the legislation along?
Ben Yelin: Yes, they could decide to do that. It would be a question for the lower court as to whether some of these big companies, who are clearly being targeted in this law, have standing.
Dave Bittner: Oh, okay.
Ben Yelin: So the companies would say, we have standing because we have to change our practices. And in anticipation of this law going into practice, we have to spend money, you know, to change our content moderation policies.
Dave Bittner: I see.
Ben Yelin: And that would be a valid standing claim.
Dave Bittner: So that would be like a forcing function to move things along.
Ben Yelin: Exactly.
Dave Bittner: Okay.
Ben Yelin: But let's say Florida and Texas said, we are simply just not going to enforce this. Now, that would cut against standing. It would also go against the purpose of this law. I mean, why pass this law in the first place if you're not going to enforce it against these big companies?
Dave Bittner: Yeah.
Ben Yelin: So they would have to basically do a full 180 and say, eh, you know, we passed this law. We got our political message out there. We're not going to enforce it. So don't sue us. I mean, I think all of these companies would absolutely be fine with that outcome. But it would certainly defeat the purpose of what Florida and Texas were trying to do in the first place.
Dave Bittner: And it would always be like be there lurking.
Ben Yelin: It would be there lurking.
Dave Bittner: Yeah.
Ben Yelin: You get a new attorney general in there who said, you know what, day one, my priority is to enforce this law.
Dave Bittner: Right.
Ben Yelin: And so the companies might be granted standing in a lower court proceeding saying, we anticipate that a new attorney general might come in and enforce this law, even if the current government is not enforcing it.
Dave Bittner: So what's our timeline here in terms of what the Supreme Court is dealing with right now?
Ben Yelin: Right now, based on the case that went through oral argument this week, we can expect to see a decision by the end of June. Since this is such a high-profile case, it usually the decision comes out towards the end of the Supreme Court term, which is late June, occasionally early July. But I'd say late June is the time frame.
Dave Bittner: All right. Well, get out your popcorn, hold on to your hats, all that stuff.
Ben Yelin: Yeah.
Dave Bittner: It's fascinating.
Ben Yelin: I know we will come back to this once we do get a decision, even if that decision, as I anticipate, will not be very satisfying.
Dave Bittner: Yeah. Well, thank you for unpacking it and explaining it for us. It's interesting stuff and surely important for our listeners. So yeah, interesting conversation.
Ben Yelin: Oh, I try. I try.
Dave Bittner: All right. Well, we would love to hear from you. If there's something you'd like us to consider on the show, you can email us. It's caveat@n2k.com. [ Music ] Ben, I recently had the pleasure of speaking with Scott Small. He is the Director of Cyber Threat Intelligence at an organization called Tidal Cyber. And we're talking about not just the threats to the elections here in the US but really all around the world. Here's my conversation with Scott Small. [ Music ]
Scott Small: It's absolutely going to be a historic year. We have over 50% of global populations voting in democratic elections this year. So we've seen the numbers vary depending on which source you take a look at. We ourselves are tracking over 60 elections, nationwide elections, for kind of parliamentary or presidential positions across the world, again, accounting for a majority of the global population. We have some really large countries taking place in votes this year.
Dave Bittner: And so what are the things that are on your radar in terms of like top-of-mind concerns?
Scott Small: Yeah, absolutely. So, from a cyber perspective, it falls into two very broad categories, each of which kind of falls into as many ways you want to break it up from there. So the two overall categories are kind of these influence operations, which comprise a lot of different things. What our recent study focused on is what we call cyber interference. And those are going to be those attempts to interfere and disrupt using technical means in voting and election processes. Now, a lot of those interference attempts can and are used to fuel the broader influence operations, which that broader bucket can comprise like disinformation and misinformation efforts. So a lot of these things happening in tandem. But where we really drilled into was more of those kind of technical interference aspects, so in the worst-case scenarios, actually attempting to manipulate the votes themselves or maybe more often attempting to steal information related to voting or even kind of disrupting the perception of voting results. That's another common, at least attempted tactic, and something that we have seen successfully carried out in at least a limited number of cases in the recent past.
Dave Bittner: Hmm. But you mentioned two main categories. What's the second one?
Scott Small: So I guess interference is the subcomponent of influence operations. But it is so broad in and of itself that it's kind of almost becomes its own beast, yeah.
Dave Bittner: I see. So I mean, looking here at the US, you know, I think it's probably fair to say that the 2020 election, for a variety of reasons, was one of the most scrutinized elections that we've ever seen here. And in terms of election security, I think the folks who are experts with that sort of thing seem to feel like we came away with high marks. What has changed in the four years since then? What new things are we dealing with?
Scott Small: Yeah, absolutely. So it's a lot of the same, but in some ways kind of just an increased willingness, I think, to carry out certain types of interference attacks. And this could be coming from the existing well-known adversaries. It's absolutely coming from some newer ones as well. So what we saw highlighted in the 2022 kind of midterm election review report is, not going into extreme depth, so a lot of the report was pretty heavily redacted, but callouts to some newer foreign interference adversary groups. So I believe Cuba was referenced. We don't have a ton of details about specifically what was happening there. One that's really on our radar is attempts with Iran-aligned, in some cases, maybe directly state-backed or at least supported cyber adversaries. So obviously, as we've seen, a lot of kind of cyber-related disruptions as a result of kind of the embroiling of conflict in the Middle East and a lot of that carrying over into groups that may support any of the various nations within that region, so I'm thinking, you know, US support for Israel. We've seen Iranian-backed groups attacking Israeli targets and, by some extensions, any nations that might support them, so, in this case, the United States. I think the correlation of the timing of US elections, we've seen a lot of Iranian attempts to interfere with US elections in the past really kind of makes this a true and legitimate hotspot for cyber activity, cyber interference in the coming months.
Dave Bittner: Given where we stand, what's your perception of how the individual states are prepared to defend their voting systems? Is there a sense that we're in a good place?
Scott Small: Well, quite honestly, maybe a little bit of optimism here, but I do think we're in a good place. I feel like this year, heading into the elections, there is, even sooner than in years past perhaps, some increasing raising of awareness of these very legitimate security concerns and potential threats. So I think as far as we get ahead of that equation, it's really positive. I do think, again, going back to kind of maybe the broadening attack surface or adversaries perceiving more and more targets as being legitimate targets as part of these attacks, that's something that's worth keeping in mind. So what I'm really thinking about there, specifically, and it is something that we started to see, especially in the 2022 US midterm elections, is targeting of election workers themselves. So these could be full-time employees supporting, you know, state and local governments, carrying out voting processes, as well as even just volunteers. We've seen at least newer targeting of those workers for social engineering and especially spear-phishing attacks. Spear-phishing is and remains probably the top attack factor for a lot of these election-related attacks. It's just relatively so easy to carry out. And so we see increased attempts to target anyone supporting those elections in a professional or volunteer capacity, hoping once they achieve that initial access that they might be able to pivot around and find some more kind of interesting or sensitive information to steal or potentially disrupt.
Dave Bittner: Well, and of course, over the past couple of years, people have really found themselves enamored with AI, you know, these large language models. And just in the past couple weeks, we saw in the run-up here that there was a deepfake involving President Biden, you know, telling people in New Hampshire not to vote. This is a new wrinkle, I guess, is fair to say.
Scott Small: Yeah, yeah, absolutely it is. And as we've already seen, some instances where these kind of new wrinkles, the new attack methods may come into play in interference attempts coming up this year. I think in a lot of cases, the notoriety of AI has been maybe a little bit overblown in the cyber perspective. But we are seeing real impacts. And where I'm most concerned and is probably the most plausible immediate application for AI in election-related attacks is really just kind of supporting or enabling or amplifying the existing attack methods. So I do see some concerns with the deepfakes, absolutely. And the realm that we've been really focused in and studying is, again, just the social engineering and phishing attacks. That is very much an avenue where AI can kind of amplify those attacks. So helping adversaries who may not speak English as a native language, kind of refining their phishing lures and making them that much more convincing, lowering the barrier for users to potentially click on or interact with malicious content. We're already seeing some applications of that in the broader cyber landscape. And there's no reason to expect that this wouldn't come into play for election-related, malicious content and attacks. I think that's probably very, very likely going into US elections this year.
Dave Bittner: To what degree are our adversaries trying to erode confidence in our election system itself?
Scott Small: Oh, I think to a huge degree. Definitely, in the United States, I think seeing, you know, some of the reduced impacts that we saw in 2020, maybe that's a little bit of a deterrence as they see more awareness of these threats and probably stronger security around it. Maybe that's a greater deterrence to try to come after, you know, the US. I don't think it's going away by any means. But one thing that we're definitely concerned about is on our radar and was a big focus of our recent study is those exact same types of attacks and attempts to erode confidence in electoral processes playing out and implicating and applying to nations that are facing elections around the world. So we listed out, out of the over 60 countries that we're tracking, you know, these major elections this year, the large majority, almost two-thirds, face, according to our assessment methodology, face at least some level of cyber interference threat this year. And a lot of that, again, if those attacks are successful or even perceived as successful, that's an immediate fuel to the flame for fueling those concerns and callouts around the confidence of those electoral processes.
Dave Bittner: As we look around the world, are there examples where cyber interference has really had an effect on an election?
Scott Small: Yeah, absolutely. There have been numerous cases in past years, I think, especially again, when we talk about those types of attacks being used to add fuel to the flame, that's one of the biggest concerns. But coming up this year, we have obviously elections in the US and the UK, you know, well-known potential targets for election interference. Some of our greatest hotspots where we're really concerned are countries like South Korea, India, Belgium, some countries that are a little bit maybe less on folks' radars but that absolutely face the same types of cyber interference adversaries as the well-known players like the US and UK. So those are those are definitely some of our greatest concerns.
Dave Bittner: What are the take-homes for you? I mean, the research that you and your colleagues have done there, what are the messages that you hope people get out of your report?
Scott Small: Yeah, absolutely. So I would say one of the top ones, at the end of the day, is just the awareness of these threats. Considering that so much of it really is kind of focused on individuals and users, attacks against individuals, so phishing and social engineering, I truly do believe that awareness of these threats can go a long way in kind of, you know, increasing security against a lot of these attacks. So some of the user-focused controls, it's a lot of things that a lot of folks are accustomed to hearing and maybe a little bit weary about hearing, but absolutely contribute to some of these exposures that continue to be exploited, so even things like relatively weak password policies. We've seen major prominent adversary groups like APT29 and 28 exploiting weak passwords for great effect against even, you know, large enterprises, major brands in the very recent past. So strong password policies, multi-factor authentication, that's, of course, going to be something that's typically implemented organization-wide but can be an individual choice as well, having great effect in mitigating some of these credential access-type attacks that we're seeing. And then definitely just the continued asset inventory, honestly, but once you have at least a general handle on your assets, of course, applying those patches. We see a lot of attacks against election infrastructure, things like voter registration databases and voter rolls, and seeing a lot of kind of low-hanging fruit that adversaries like to do, broad-based scanning and get access to those types of resources and assets. And if those patches are being consistently applied, that just immediately eliminates that low-hanging fruit attack vector for them. [ Music ]
Dave Bittner: Ben, what do you think?
Ben Yelin: Yeah, I mean, I've always looked at this from kind of an American perspective. Maybe that's me being American-centric --
Dave Bittner: Yeah.
Ben Yelin: -- unfortunately, but it is a global problem. We've seen that in other elections. I think our apotheosis was 2016. But then some of these shenanigans happened in the UK elections, in French elections, and other Western countries.
Dave Bittner: Right.
Ben Yelin: So I just think that that's something we have to be very wary about.
Dave Bittner: Absolutely. All right. Well, again, our thanks to Scott Small from Tidal Cyber for joining us. We do appreciate him taking the time. [ Music ] That is our show. We want to thank all of you for listening. A quick reminder that N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our executive producer is Jennifer Eiben. This show is edited by Tré Hester. Our executive editor is Peter Kilpe. I'm Dave Bittner.
Ben Yelin: And I'm Ben Yelin.
Dave Bittner: Thanks for listening. [ Music ]
