The invisible threat to democracy
All it takes is one weak link. A vulnerability in a payment system, a breach at a power plant, an attack on a government agency’s servers. Services we take for granted suddenly stop working. Pontus Johnson, professor of cybersecurity at KTH, researches how we protect the digital infrastructure on which democracy depends.
Democracy is digital. Elections, healthcare, electricity, water, payment systems, communications, and access to information all depend on digital infrastructure today. And digital infrastructure can be hacked. Pontus Johnson points to a concrete example.
During the 2016 U.S. presidential election, Russian intelligence hacked into Democratic Party headquarters and leaked damaging emails through WikiLeaks at precisely the right moment. The firm Cambridge Analytica used Facebook to target wavering voters with fear-based propaganda. The Russians also penetrated voter databases, registers containing information about who is eligible to vote. The election was decided by margins of a few hundred thousand votes in a country of 350 million people.
But that was just one election. Democracy rests on far more than ballots. What happens if the entire infrastructure behind it starts to crack? What does the worst case look like?
“The global financial system is completely digitized. What happens if it collapses, if it suddenly becomes unclear who owns which securities, who owns which land? The power grid is controlled by computer systems that can be hacked. If the grid goes down, it won’t be long before people start dying. That would be a Ragnarök moment for us,” says Pontus Johnson.
The threat landscape
Sweden’s Security Service (Säpo) and Military Intelligence (MUST) regularly identify Russia, China, and Iran as the most serious threat actors targeting Sweden. Russia seeks to destabilize democratic systems. China focuses primarily on espionage. Iran mainly monitors its opposition in exile.
Cybercriminals can also play a role, often acting as an extension of state power. And artificial intelligence has rapidly transformed what an attacker is capable of. AI-manipulated videos, deepfakes, of politicians, and highly targeted phishing attacks, are already a reality. The latest development: large language models have become better than most professional hackers at finding and exploiting security vulnerabilities in software.
“The capabilities Cambridge Analytica had in 2016 are nothing compared to what large language models now offer. The ability to tailor influence campaigns to specific individuals is on a completely different level,” Johnson says.
Studying what you fear
Pontus Johnson’s research focuses on offensive cybersecurity using artificial intelligence and attack simulations against digital twins, virtual replicas of computer networks subjected to simulated attacks. Think of it as crash-testing a computer model of a car rather than a physical prototype.
At Cybercampus Sweden, he also runs the KTH Hacking Lab, where students test the security of everyday consumer products: cars, baggage scanners, children’s smartwatches, robot vacuums, and electrical grid equipment.
“We routinely find vulnerabilities in dozens of products. It’s education, but it’s also a public service. And if manufacturers don’t fix the problems: it becomes consumer information.”
The open society’s dilemma
It’s a Friday in April. Pontus Johnson is on his way to FRA, Sweden’s National Defence Radio Establishment. In the car, he reflects on where the line should be drawn for what is acceptable in a democratic society.
FRA has two separate mandates, he notes. One is to strengthen cybersecurity. The other is signals intelligence and information gathering. And that is where debates about personal privacy tend to arise. But he raises a point that is easy to overlook.
“If you’re worried about what Swedish or American signals intelligence agencies know about you, strong cybersecurity is the best protection.”
The vulnerability of an open society doesn’t necessarily have to be resolved by choosing between security and freedom. More often than not, they point in the same direction, Johnson argues.
Light at the end of the tunnel
We are heading into a dark period, Pontus Johnson believes. AI is lowering the barriers for attackers, and the effects will be felt. But AI can also be used to build more secure systems from the ground up. One capability still lacking is AI that can not only find and exploit security vulnerabilities but also automatically patch them.
“There is a plausible, positive path forward. But we have to get through a turbulent period first, and we could be talking months rather than years.”
Text: Hamid Ershad Sarabi ( hamidsho@kth.se )