It’s easy to get dismayed about the vulnerabilities in America’s digitized electoral system.
During the 2016 presidential election, hackers easily infiltrated and looted political campaign emails and then ran sophisticated social media influence operations that raised questions about America’s ability to secure its elections. But while voters, cyber security experts, activists, and politicians braced themselves for more of the same during the 2018 midterms, a curious thing happened.
Or rather, not much; nothing that made a significant difference to any races’ outcome.
The departments of Justice and Homeland Security recently came to that conclusion after months of investigation. On February 5, they published a classified report that found “no material impact” of foreign interference on the election or political campaigns involved in it.
The reason: the advance work the departments conducted with officials in 1,400 local electoral jurisdictions, federal and state election workers, cyber security companies, and election infrastructure vendors, to harden the system and limit the risks of tampering.
What the States got Right
Among the things everyone got right this time were implementing basic cyber security best practices, like stronger passwords and two-factor authentication, limiting computer system access rights, and isolating sensitive digital data. The $800 million that federal and officials shelled out for hardening elections systems also played a major role, paying for hardware and software updates and for training for thousands of election workers.
“In general, states have improved their election security by taking a much more holistic risk-mitigation approach,” says Eric Rosenbach, director of the Defending Digital Democracy Project (D3P), at Harvard’s Kennedy School of Government. “From a tech perspective they’re going through their systems to sure their infrastructure is not connected to unsecured servers. They’re also focusing on access and verification.”
Rosenbach’s group, made up of policy experts, security professionals, tech companies like Google and Facebook, and officials from the Department of Homeland Security, has produced training manuals and table-top training exercises for state election officials.
One thing the D3P group noted when training election administrators was how reluctant they were to talk to the media after experiencing a security breach or if disinformation was being spread about a voter registration rolls, tallying machines, or reporting software. “It’s a real weakness because you need to get the facts out and engage with the public to develop trust in the system,” says Rosenbach. “And they’ve really improved on that.”
The Trouble Ahead
The continuing worry among many experts is the extremely large target that the U.S. election system presents to cyber attackers. There are roughly 10,000 jurisdictions that administer voter registration and election management systems, including voting machines, tallying systems, and election night reporting by official election websites. Add to that thousands of campaigns and party organizations, and that translates into no shortage of potential cyber back doors to breach.
And some of those doors remain particularly vulnerable because of aging infrastructure.
“There are still a lot of legacy electronic voting systems that pose a significant risk,” says Rosenbach. State officials lack the funds to replace or update them, he says, and in some cases the systems have no paper ballot backup, which is increasingly seen as a necessity. Noting that you can’t hack paper, lawmakers are increasingly calling for such a backup.
Rosenbach’s team has noted that there’s a lot of pressure from private vendors that supply and service voting machines “to not pay as much attention to security as they should.” Why? “Because it costs money for them,” says Rosenbach, “and they say it’s proprietary code. They don’t want others to see it. They make money by keeping it proprietary.”
What States Can Do
What can be easily updated, effectively and inexpensively, says Thomas MacLellan, head of policy and government affairs at Symantec, is human behavior. He notes that the majority of successful attacks begin with spear phishing, when hackers research and target prominent people in an organization who have access to the most sensitive data.
Because we all live in a world where we bring our devices to work, whether laptop or cell phones, each one of those gadgets and the people who carry them are potential targets.
MacLellan notes that election staff must ensure that those devices use industry standard security protocols, especially if staff are using them to access email or sensitive data.
This is particularly true with the growth of cloud computing. Unsecured cloud networks, especially those used for email, are ripe for hackers to gather intel and deploy malware.
MacLellan advocates an offensive posture. Go looking for threats, he counsels. Don’t wait for them to appear and then try to take defensive and late-to-the-game measures. “Local election officials,” he said, “need to actively hunt the adversaries” who will hit us.
Unsecured cloud networks, especially those used for email, are ripe for hackers to gather intel and deploy malware.
Above all, he warns against letting complacency set in.
“What states and local jurisdictions need to get right is keeping in mind this is not an end process, it’s ongoing,” according to MacLellan. “It’s no different than any security situation. It’s not one and done. You need to keep getting it right. Use peer intelligence, use basic security hygiene. It has to be an ongoing initiative.”
Two weeks after the DOJ and DHS released their findings on the 2018 midterms, concluding there was no material impact on the election from foreign interference, we learned one reason why. The Washington Post reported that the U.S. military had blocked Internet access to a foreign hacker-strike group called the Internet Research Agency.
By essentially knocking the group offline, the U.S. Cyber Command assured that it couldn’t sow the same discord through social media influence peddling as it did in the 2016 presidential race. That doesn’t mean the same will hold true in the 2020 race.
“I’ve been working in intelligence and cyber security for a long time,” says Harvard’s Rosenbach, a former Army intelligence officer and commander of a telecommunications intelligence unit that worked with the NSA in Bosnia and Kosovo, and later served as a chief of staff in the Pentagon.
Given the emphasis put on proactive offense deterrence, Rosenbach said the lower-profile adopted by hacker groups affiliated with nation-states came as little surprise.
But, he cautioned, “that doesn’t mean they won’t come after us hard in 2020.”