It’s almost certain that hostile foreign hackers will try to disrupt and sow confusion around the pivotal U.S. elections in 2020, whether they’re hunkered down in bunkers in Belarus, drab office buildings in the Moscow suburbs, living rooms in Tehran, or warehouses in Beijing. And they’ll bring their A-game.
The question is, How well prepared is the U.S. to counter and contain those attacks?
And the answer is: Be scared, very scared.
The U.S. government has almost certainly not learned its lesson from the large-scale attack on election systems in 2016, or from the smaller-scale activity around the 2018 midterm elections, say election experts and cybersecurity researchers.
“There were no forensic audits of voting systems after 2016 or 2018,” says Susan Greenhalgh, policy director at the election security watchdog group National Election Defense Coalition.
The government’s understanding of those events has been hamstrung by legal and structural issues, future shock, spotty coordination with states, political gamesmanship, and even denial that a serious threat exists among people at the highest levels of government.
Special counsel Robert Mueller’s main mandate was to investigate the coordinated cyberattack on the 2016 presidential election, and to charge those responsible. The report’s description of the breadth of the attack is stunning. Russian operatives targeted “individuals and entities involved in the administration of the elections; U.S. state and local entities, such as state boards of elections, secretaries of state, and county governments, as well as individuals who worked for those entities,” and “private technology firms responsible for manufacturing and administering election-related software and hardware, such as voter registration software and electronic polling stations.”
Mueller was tasked with investigating the 2016 attack from an intelligence standpoint; the special counsel did not investigate the hacks at a technical and forensic level. That sort of investigation is the province of the federal agency charged with protecting election systems against cyberattack–the Department of Homeland Security (DHS). Yet Jeanette Manfra, a top DHS cybersecurity official, admitted under questioning by Senator Ron Wyden (D-OR) during a congressional hearing in 2017 that her agency hadn’t conducted an audit of the election systems targeted in the attack.
Wyden and his staff soon launched an investigation into election security. “After Russia’s efforts to influence the 2016 election were confirmed by the intelligence community, the Department of Homeland Security should have conducted a nationwide forensic audit of the paperless voting machines used by states,” Wyden wrote in a letter to then DHS secretary Kirstjen Nielsen on the day of the 2018 midterm elections. “As far as I can tell, no systematic post-election forensic examination of these voting machines took place. Whatever the reason for this failure to act, this administration cannot afford to repeat the mistakes of 2016.”
Missing the midterms
There’s good reason to believe that no such “nationwide forensic audit” took place after the 2018 midterms.
DHS declared election systems to be “critical infrastructure” in 2017, but the government has far more jurisdiction over infrastructure like bridges or reservoirs than it does over voting systems. DHS can’t mandate such an audit with state and local election boards. State laws reserve the right of the states to administer state and national elections, and to manage systems audits after the fact. And local and state election boards often lack the time and money to conduct thorough forensic audits of past elections. In the months leading up to the 2016 election, the agency didn’t verify vote counts or vote tabulation systems, a DHS official told the Daily Beast.
Instead, DHS is relegated to the role of a service bureau that offers election security handbooks, advice, and systems audits to state and county election offices. The primary service provided by DHS is helping states and counties assess the security configuration of their systems, patch security holes, and close internet routes that could be exploited by hackers to gain access to voting systems or records.
“So, for example, they’ll see if you’ve got systems connected to the internet that shouldn’t be connected, or if you have ports open on the system that make you less secure,” explains freelance journalist Kim Zetter, who has written extensively on election cybersecurity for the New York Times, Wired, and Motherboard. The DHS can scan internet-connected systems used by election boards (such as for posting election results) remotely, or it might send out an on-the-ground team to do the work, Zetter says.
But it’s entirely up to local and state election boards to utilize these services.
DHS and the states
The willingness of the states to cooperate with the DHS varies widely.
“The states are very uneven–some working hard, others not so much,” said the National Election Defense Coalition’s Greenhalgh. “I think DHS is trying to help the states, but they have to tread lightly because all cooperation is voluntary, so they need to woo the states to work with them. All carrot, no stick.”
Ron Bushar, VP and CTO of government solutions at the security firm FireEye, says the states, in general, are more focused on and investing resources in election security since the Russian interference in 2016. But, he says, the way individual states manage security is highly varied. “Some states are putting a lot more resources into security than other states, where it’s less of a priority,” Bushar says. “Some states outsource their systems, and they rely on the outside firm IT vendor to manage the security, while in other states the election boards are much more hands-on and work directly with systems vendors and cybersecurity people, and work closely with DHS as an added layer on top of that.”
The willingness of state election officials to work with DHS is often dictated by the political leaning of the state, one congressional source told me.
Red states like Georgia have tended to resist cooperating with the DHS. In Georgia, which has faced a firestorm of criticism over lack of election security and conflicts of interest, state election officials claimed that the DHS itself tried to hack into the state’s election systems when the agency did a simple audit of its website. An investigation proved otherwise.
Meanwhile, blue states like Illinois tend to be more cooperative. The state has been working closely with the DHS on voting security after the state had its election systems probed by Russians before the 2016 election. Illinois was one of 37 states where hackers probed voter registration systems. In six other states, the hackers did more, using “SQL” attacks to access sensitive voter data through the front end of a voter website.
DHS says its cooperation with states and localities has improved since 2016. “This has resulted in increased reporting from our partners on what they are seeing to DHS, which has contributed to a more comprehensive understanding of the threats facing our nation’s election infrastructure,” an agency official told me.
Nothing to see here
On February 5, three months after the midterms, DHS and the Department of Justice released a statement saying they had found “no evidence to date that any identified activities of a foreign government or foreign agent had a material impact on the integrity or security of election infrastructure . . .”
This statement is a bit surprising after the DHS had informed Senator Wyden in a December letter that “[u]nder our existing authorities, DHS cannot mandate that states submit to comprehensive forensic examinations of their voting machines.”
As Senator Wyden did in February (and received no response), I asked the DHS for specifics on what evidence the February 5 statement was based on, to which an agency official replied in an email:
The department bases its assessment on a variety of factors, including information on network traffic gleaned from Albert sensors on state networks, information shared from state and local election officials about their networks, either in real time or from risk limiting audits, and intelligence.
An “Albert sensor” is an open-source network device that gives the DHS a view into the voter registration and voting systems used by states. They’re commonly used by enterprises to detect intrusions by hackers. As of August 2018, 36 out of 50 states had adopted the Albert sensors. Some of the other states, Reuters reported, had or were set to adopt other similar monitoring technology.
DHS has yet to respond to our request for the number of “state and local officials” who shared information about their networks.
As you might imagine, Wyden wondered how the DHS and DOJ could make such a reassuring statement about the 2018 midterms when it had already said it hadn’t the authority to fully investigate what happened.
And the midterms weren’t exactly quiet. A few months before the 2018 midterms, Director of National Intelligence Dan Coats said, “Warning lights are blinking red again. Today, the digital infrastructure that serves this country is literally under attack.”
A month after election day, the National Republican Congressional Committee (NRCC) reported that its email system had been hacked by an unknown actor before the midterms. The Democratic National Committee reported in January that it, too, was the target of a spear-phishing attack shortly after the midterms, but that the attack had been unsuccessful. A Russian cyber-espionage group called APT29 is thought to be the culprit.
And note the careful wording of the DHS’s and DOJ’s February 5 statement. It doesn’t actually say the agencies hadn’t identified hacking activities around the 2018 election, only that no such activities had a “material impact” on the results of the election.
“We continue to see various cyber-actors target election systems, activities that could serve various purposes, including to steal sensitive data, disrupt the availability of election services, or even to undermine the confidence in the election,” the DHS official said in another email response. “As we have consistently said, we have not seen any activity of the scale or level of coordination that we saw in 2016.”
That may be by design. Experts say foreign adversaries may have used the midterms to test out new infiltration techniques, in preparation for the larger-scale use of those tactics in the 2020 elections. Tactics tested in 2018 might be used to cause great harm in 2020 if not understood and countered.
Voting machines on lockdown
Senator Wyden is particularly concerned about the vulnerability of voting machines as vectors of future election meddling. The Mueller report states clearly that Russian agents attempted to hack into election systems in 2016.
But DHS can’t demand to look inside voting machines and software for evidence of election meddling, or for vulnerabilities that might be exploited in future elections.
“They’re not doing any forensic examination, they haven’t done any forensic examination, they don’t have authority to do any forensic examination unless a county were to invite them in and say, ‘Hey, can you look at our systems?’ And even then it’s questionable whether they could do that, because in the past, voting machine vendors have intervened when anyone has tried to look at the voting machines,” Zetter says. The vendor could invite DHS to have a look at the technology, but it’s entirely voluntary.
In September 2017, the Virginia elections commission decertified its direct recording electronic (DRE) voting machines after the technology vendor, ES&S, refused to let the state do a technical audit of the machines. The state moved to paper ballots.
Update 5/16 5 p.m. EST: ES&S says it did not deny Virginia election officials access to its machines to perform an audit in 2017. The company points out that use of its iVotronic machines was discontinued in Virginia before the state’s decision to decertify DRE machines.
ES&S did not refuse a technical audit in Virginia in 2017. That vendor was Hart InterCivic. Our customer had already moved off of ES&S voting equipment at that time so there was no audit for us to participate in.
The largest voting technology vendor, ES&S, told Fast Company that DHS has never requested permission to conduct a forensic examination on ES&S hardware, or a code review on ES&S software, that was suspected to have been compromised before, during, or after an election.
The DHS doesn’t even require the voting machine vendors to comply with a set of technical standards to ensure the security of voting machines. The Election Assistance Commission offers standards for voting machines, but they are strictly voluntary.
Duty to care
There are those who don’t want to fully understand what happened in 2016 and 2018.
The current chairwoman of the Election Assistance Commission, Christy McCormick, denied the intelligence community’s finding in 2017 that Russia had interfered in the 2016 election, calling it “propaganda perpetrated on the American public.”
Former DHS secretary Kirstjen Nielsen was very concerned about the security of the 2020 election before she was fired by Donald Trump. An April 24 New York Times article said Nielsen was trying to set up meetings at the highest levels of government to talk about the problem, but was told by White House chief of staff Mick Mulvaney not to mention the problem around the president. Trump, Mulvaney reportedly said, equates any talk about election security with the idea that he wasn’t elected legitimately in 2016.
WH transcript, no joke:
Q Did you ask [Putin] not to meddle?
Q Did you tell him not to meddle in the next election?
PRESIDENT TRUMP: We didn't discuss that. Really, we didn't discuss it.
— Laura Rozen (@lrozen) May 3, 2019
Last year, Trump’s national security adviser John Bolton eliminated the position of White House cybersecurity coordinator. This put the work in the hands of junior White House aides.
During the government shutdown in January, 45% of the DHS’s cybersecurity staff were not included in the “essential” government workforce that remained on the job.
And Senate Majority Leader Mitch McConnell (R-KY) blocked a Democratically sponsored election fairness and inclusion bill from a vote on the Senate floor in March.
The Russian interference in the 2016 election may be the biggest attack on U.S. sovereignty since Pearl Harbor, yet the U.S. government lacked the will, and possibly the authority, to understand the methods and vectors of the attack. Because of that lack of understanding–and, likely, a less than complete understanding of hacking during the 2018 midterms–the U.S. may be walking straight into an even larger and more damaging election subversion in 2020. And the election decisions in 2020 will have a profound impact on the historical direction of the country.
Even the perception that election infrastructure and systems were compromised could have frightening effects. The loser in the election–if his name is Donald Trump–might simply disregard the results.
Clarification: ES&S, in fact, was just one of several voting machine vendors whose DRE equipment was decertified by Virginia. The company’s (iVotronic) machines were removed in the state by mid-August 2017. This was before the state’s September 2017 decision to decertify DREs, but after a Virginia Information Technology Agency investigation had begun, and after the state had notified localities that the DRE voting machines might be decertified.
Correction: An earlier version of this story said the Mueller report stated that Russian agents targeted voting machines during the 2016 election. The report says Russians targeted election officials and election web sites.