
A Close Look at Cyber Security During the Midterm Election

The US avoided the worst-case scenarios some feared but state and federal officials still have a big test ahead in 2020

No matter their political persuasions, there’s one thing that election-watchers agree about the recent midterm election: The worst-case scenarios failed to materialize. Voting machines weren’t hacked, voting rolls weren’t stolen or altered, and there were only limited incidents of social media attacks aimed at sowing political discord.

That’s good news. Electoral officials around the country, as well as the Department of Homeland Security, were on high alert, eager to avoid a repeat of 2016 when Hillary Clinton’s campaign and the Democratic National Committee were hacked. What’s more, hackers stole information on 500,000 voters from a state election website, including their names, partial Social Security numbers, addresses, birthdays and driver’s license numbers. They also targeted but were unable to get into the websites of 20 other states.

Clearly, there was reason for concern. And a month before the 2018 midterm election, Symantec’s DeepSight Adversary Intelligence report, "Cyber Threats to US Midterm Elections," warned that "state-sponsored threat actors" would likely try to deploy similar tactics and raised the possibility that disinformation campaigns would take place on social media and other online platforms.

Preparing for the Worst

To help make sure none of that happened, the Department of Homeland Security (DHS), state and local governments and the private sector took multi-pronged defensive measures. DHS offered training, advice and intelligence, risk assessments and penetration testing to the states. State and local governments took steps including installing devices called Albert sensors, which detect attempts to hack electoral systems; blacklisting dangerous IP addresses; and making daily backups of voter registration databases. They also offered cyber training to the local officials and poll workers responsible for the nitty-gritty work that fuels elections. And on election day, 45 states joined DHS in a national situational awareness room to share information about threats. That’s in sharp contrast to 2016, when the states and DHS had very little communication before or during the election.

The private sector stepped up as well.

Facebook, which had been used as part of a massive disinformation campaign by Russian hackers in 2016, set up a war room this time around to detect those kinds of attacks. The company blocked more than 100 accounts on Facebook and Instagram which appeared to have been “engaged in coordinated inauthentic behavior” — in other words, were part of a disinformation campaign. In addition, Microsoft identified and helped thwart hackers attempting to attack three Congressional candidates. And Symantec offered its “Project Dolphin” anti-spoofing service for free to election officials and political campaigns as well as anyone else wanting to be considered for the service. Project Dolphin uses AI-driven technology to identify web spoofing and phishing attacks, both of which have been used in attacking political campaigns and elections. Symantec also created an election website on election safety, including tips for election officials and staff.

The Worst Never Materialized

The preparations seem to have paid off.  On election day, Homeland Security Secretary Kirstjen Nielsen said there was "no indication of compromise to our nation’s election infrastructure that would prevent voting, change vote counts, or distrust the ability to tally votes." The day after the election, a DHS official told reporters on a background briefing that, “We’ve not seen, or we’re not aware, of any successful cyber security-related compromises of election infrastructure.”

Political campaigns themselves weren’t hacked. There was no trove of stolen emails from a campaign as there was from Hillary Clinton and the Democratic National Committee. No massive disinformation campaigns were launched on Facebook.

That’s not to say all was perfect. Small attempts at cyber disruption were reported. DHS says that it detected “run-of-the-mill” scanning of various election systems on election day. One DHS official noted, “At this point, there’s not enough information to tie it back to any single actor. Certainly nothing that would be attributed back to Russia.”

And although Facebook took down more than 100 accounts due to attempts to broadcast disinformation, that action only came on election eve. The accounts had been operating for some time before then, some as far back as the middle of 2017. More than 600,000 people in the U.S. followed at least one of the Instagram accounts that were eventually taken down.

And although Microsoft helped thwart attacks against three Congressional campaigns, the fact remains that those campaigns were targeted in the first place.

Slouching Towards 2020

None of this ought to be interpreted as an “all clear” sign for the 2020 election. Federal and state election officials say that they’re not sure whether the midterm election remained free from cyber attacks because attackers were dissuaded by the various preparative measures put in place, or because foreign governments and their operatives instead are waiting to unleash their cyber weapons during the 2020 presidential election.

Meanwhile, more work needs to get done at the state and local level to ensure that voting systems can withstand attacks. At the fall Def Con hacking conference, for instance, white hat hackers discovered that election machines used by more than half of the states still have a flaw that was uncovered more than a decade ago. Security researcher Harri Hursti, who helped uncover that flaw and was co-founder and co-organizer of the Def Con Voting Machine Hacking Village, says that if a hacker exploits the flaw, “He can reprogram the machines and ultimately control an election.”

Georgia’s security holes are particularly worrisome. Its electronic voting machines don’t have paper backup, and its voter registration system remains vulnerable as well. Susan Greenhalgh, policy director for the National Election Defense Coalition, warned that the “gaping vulnerability found in Georgia should be sending shock waves, not just in the Georgia secretary of state’s office, but in all the other states that are using the same technology.” She further raised the specter of an attacker, anywhere in the world, being able to execute a voter suppression operation using election technology.

In addition, officials from U.S. intelligence agencies continue to warn that other nations remain involved in efforts to influence our elections.  And they believe that those countries may be holding back their big guns for the 2020 election. Chris Krebs, head of cyber security at the Department of Homeland Security, has no doubt that at least some of those countries will roll out their cyber weapons then.

“The midterm is not the big game,” he said. “The big game we think for the adversaries is 2020.”

We’ll only know then whether the U.S. is really prepared to meet that challenge.


About the Author

Preston Gralla

Technical Writer

Preston Gralla has written thousands of articles and nearly 50 books about technology. His work has been published in Computerworld, PC World, PC Magazine, USA Today, the Dallas Morning News, the Los Angeles Times and many others.