When talk of Russian interference in U.S. elections comes up, much of the focus has been on state-sponsored trolls on Facebook and Twitter — special counsel Robert Mueller recently indicted a number of these actors, and Congress has taken Silicon Valley to task for allowing such accounts to flourish. But there’s another side of Russian meddling in American democracy: attacks on our election systems themselves.
We know that Russian hackers in 2016 worked to compromise state voting systems and the companies that provide voting software and machines to states. That could blossom into more concrete attacks this year. As I wrote earlier this week, the worst-case scenario is that on Election Day 2018, votes are altered or fabricated and Americans are disenfranchised.
It can be tough to track all the small stories about electoral hacking. It’s a dense issue, given that the story has been unfurling for a year and a half across all 50 states. So, as the 2018 midterms approach and election officials continue to work on fixing what went wrong in 2016, it’s worth reminding ourselves what we know and what we don’t know. We’ll break things down in Rumsfeldian terms:
There are known knowns — things we know we know about election systems hacking
- Before the 2016 election, the online systems of 21 states were “scanned” by Russian cyber actors. Scanning doesn’t mean that they were penetrated by hackers — it’s more akin to someone driving by a house to see if anyone’s at home before robbing it.
- One state — Illinois — was actually hacked. Its online voter registration system was hit with an attack, but no records were actually changed.
- The credentials of an election official in another state — Arizona — were compromised when the official opened a malware-infected email. The state took its system offline as a precaution, but it was not believed to have been compromised.
- One election system provider — VR Systems — was targeted by a Russian phishing scam. VR Systems provides services to eight states.
- The Election Assistance Commission, the federal agency that’s in charge of regulating voting machine security, was hacked. In 2016, a cybersecurity firm became aware of a Russian-speaking hacker who had obtained the credentials of 100 EAC employees and was looking to sell them — purportedly to a Middle Eastern government.
We also know there are known unknowns — things we know we do not know
- There might have been more breaches of election services providers that the public doesn’t know about. In September 2017, The New York Times reported that current and former intelligence officials said at least two other providers of elections services, in addition to VR Systems, had been breached by hackers in 2016.
- We don’t know precisely what security measures are taken by the companies that manufacture voting machines and provide other election services. Because states and counties are allowed to choose what voting machines and vendors to use, there are no across-the-board security rules about what sorts of measures must be taken. Sen. Ron Wyden of Oregon attempted to extract answers from the country’s major voting system vendors about their cybersecurity, but most gave vague responses. The federal government has very little power in this area.
But there are also unknown unknowns — things we don’t know that we don’t know
- Other state-sanctioned hackers could be working on attacks on the U.S. elections systems. That possibility was raised just this week by Sens. Kamala Harris and James Lankford, who appeared on “60 Minutes” in a bipartisan show of solidarity on the hacking issue. “This could be the Iranians next time, this could be the North Koreans next time,” Lankford said of the cyberthreat.
- Hackers could have developed “zero-day” attacks that U.S. officials don’t yet know how to scan for, meaning they could be in election systems already. Or, hackers could have figured out how to hack voting machines remotely, something that hasn’t been done but that election security experts say is possible.
So what’s being done?
After learning about the 21 states that had been scanned by Russian hackers, President Obama’s secretary of homeland security, Jeh Johnson, declared state election systems to be critical infrastructure. The designation allowed state election boards to qualify for security help from the federal government, the same kind of help that nuclear power plants and electrical companies are entitled to. Thirty-two states are currently receiving ongoing cyber hygiene scans from the Department of Homeland Security, and some state election offices have a staff member with security clearance that allows them to receive intelligence briefings on the topic of election security.
While you might assume that states would welcome help in shoring up security, it’s been a point of tension — a clash between federalism and states’ rights. “Some of them saw what we were trying to do as a way for the federal government to worm its way into states’ management of elections,” former DHS official Neil Jenkins said about the department’s engagement with states in the lead-up to the 2016 election.
Michael Daniel, the Obama White House’s cyber coordinator, said that while the decentralized U.S. election system is a good check on federal power, the need for federal help in securing election infrastructure is obvious. “Expecting every state and local government system to be able to go up against nation-state actors is also patently ridiculous.”
In late March, Congress approved a spending bill that allocated nearly $400 million for securing election infrastructure before the 2018 midterms. The Brennan Center for Justice, a left-leaning legal think tank with a focus on voting integrity, said the funds would be useful “to begin deploying paper ballots, post-election audits, and other essential cybersecurity improvements,” but the amount wouldn’t be sufficient to replace all outdated voting machines. A recently released set of recommendations from the Senate Intelligence Committee encouraged states to “rapidly replace outdated and vulnerable voting systems.” And a separate report from the Brennan Center noted that “most states will use computerized voting machines that are at least 10 years old” in the 2018 election. Ideally, election security experts say, voters should use paper ballots rather than electronic voting machines, and all states should statistically audit their election results as a precaution to spot any vote tampering.
But what worries election security watchers most is that the U.S. isn’t being proactive enough in its work against state-sponsored hackers targeting the country’s election systems and political organizations. In February 2018, Adm. Mike Rogers, the head of the National Security Agency and Cyber Command, told the Senate Armed Services Committee that he had not been instructed by President Trump or Defense Secretary James Mattis to go after Russian hackers at their point of origin. “Everything, both as the director of the NSA and what I see on the Cyber Command side, leads me to believe that if we don’t change the dynamic here, this is going to continue, and 2016 won’t be viewed as something isolated,” Rogers said. That might mean that while U.S. intelligence agencies are monitoring Russian cyberactivity or gathering on-the-ground intelligence, they might not be taking offensive actions to prevent further attacks on state election systems.
With seven months to go until millions of Americans turn out to vote, there’s much left to be done.
Read more: The Moscow Midterms