ELECTION HACKING: SECURITY UPGRADES ARE TOO LITTLE, TOO LATE FOR 2018 MIDTERMS, AND RACE IS ALREADY ON FOR 2020, EXPERTS SAY

This piece originally appeared in Newsweek on August 29, 2018.

BY  

Election experts, cybersecurity experts and those who are overseeing the upcoming midterms have one thing to say about stopping Russian interference in American elections: Forget 2018. It’s too late. Focus on 2020.

Before President Donald Trump had even been sworn into office, intelligence agencies revealed that cyberattacks spanning across 21 states had been conducted under the direct order of Russian President Vladimir Putin. The FBI, CIA and National Security Agency’s report concluded that “Russia’s goals were to undermine public faith in the U.S. democratic process, denigrate Secretary Clinton and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump.”

Despite this, lawmakers and federal officials took months, sometimes longer, to take action, with the result that most federal assistance arrived too late to protect the midterm elections.

It wasn’t until eight months later, in September 2017, that the Department of Homeland Security notified the states whose voting systems had been targeted. One state had already identified itself as having been seriously breached: Illinois. The state reported its voter database had been hacked, leaving such personal information as the names, driver’s licenses and partial Social Security numbers for 15 million people in the hands of Russian hackers. In the end, 90,000 voters had their information compromised. Investigators said the foreign hackers had tried to delete or alter voter data but had ultimately failed.

A county database in Arizona, a Tennessee state website and an information technology vendor in Florida all had their systems breached by hackers as well. A classified NSA document published by The Intercept in 2017 referenced how products made by the Florida-based vendor VR Systems were breached by Russian hackers. A DHS document obtained by CBS 60 Minutes in April reportedly showed Russians were the perpetrators of the breaches in all four states. But it was later thought that Arizona had likely been infiltrated by criminal actors, according to what a Trump administration official told Reuters following the CBS report.

Russian election interference seems to have never stopped since the 2016 presidential election. Current cyberattacks have long been in progress, including aggressive spear-phishing campaigns against specific people. Foreign hackers have reportedly already targeted four Democratic candidates: Missouri Senator Claire McCaskill, California congressional candidates Hans Keirstead and David Min, and Alabama congressional candidate Tabitha Isner. All four had been targeted in similar ways, with some attacks dating back to mid-2017.

Although it was not believed to have been done at the hands of cyberattackers, voter records with personal information, including birth dates, home addresses and phone numbers of more than 19 million Texans was found on an unsecured online server without a password, as reported by TechCrunch earlier this month. An analysis showed the GOP-created analytics firm, Data Trust, likely compiled the data, but it was unknown who owned the server. The Republican data firm Deep Root Analytics was responsible for a similar unsecured database of 198 million voters discovered last year.

Stuffing the Ballot Box—With Cash

Election Hacking: Security Upgrades Are Too Little, Too Late For 2018 MidtermsAn election worker drops a ballot into a ballot box at the Registrar of Voters office in San Diego, California, June 5.REUTERS/MIKE BLAKE/FILE PHOTO

It wasn’t until the end of March 2018—more than a year after intelligence agencies released their first report on Russian hacking—that Congress allocated $380 million for states to bolster the security of their election systems.

The Department of Homeland Security concluded that the targeted states included Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, Florida, Illinois, Iowa, Maryland, Minnesota, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Texas, Virginia, Washington and Wisconsin.

California received more than $34 million in grants from the $380 million package. The state’s top election official, Secretary of State Alex Padilla, told Newsweek the money was “helpful, but by no means enough” to make the desired—and necessary—security upgrades to the state’s election infrastructure.

In response, the state took matters into its own hands. State lawmakers allocated $134 million of the state budget to upgrade software, replace hardware and provide more cybersecurity training for election officials. The state already required a paper trail for each vote, whether an electronic voting machine or a paper ballot had been used. Election and cybersecurity experts said a paper trail was one of the best solutions to ensuring an accurate election.

Federal Monday Awarded By StateCongress appropriated $380 million in grants for states to bolster their election security systems before the 2018 midterm elections. This chart shows how much federal money was allocated to each state, not including a 5 percent match states were required to contribute.RAMSEY TOUCHBERRY/NEWSWEEK

Florida, another one of the targeted states in 2016, received nearly $20 million for its upgrades. In a statement to Newsweek, the Florida Department of State said it had enacted myriad changes for this election cycle. The department hired five cybersecurity specialists to serve as a resource for state and local election officials. Some counties purchased a network-monitoring security solution that “provides automated alerts about system threats.” The state also upgraded its hardware, software and firewalls to safeguard voter information in the state’s voter registration system to prevent similar attacks similar to those in Illinois. All of Florida’s voting was already being done by paper ballot to ensure the accuracy of electronic results.

However, recent claims by Florida Democratic Senator Bill Nelson that Russians had already “penetrated” some of the state’s county voter systems and had “free rein to move about” led to concerns over the state’s security. While offering no evidence to back his claims, saying the information was “classified,” Nelson has pitted himself against local, state and federal agencies, which all say there had been no sign of Russian intrusion.

When asked about the validity of Nelson’s claims, Matt Masterson, a senior cybersecurity adviser for the Department of Homeland Security, would neither confirm nor deny whether they were true. Instead, he referred Newsweek to a previous letter from Homeland Security Secretary Kirstjen Nielsen and FBI Director Christopher Wray that was sent to Florida Secretary of State Ken Deztner.

“Although we have not seen new or ongoing compromises of state or local election infrastructure in Florida, Russian government actors have previously demonstrated both the intent and the capability to conduct malicious cyber operations,” the letter read.

But new reporting by NBC News suggested Nelson’s claims could be accurate, with three people familiar with the intelligence saying there was a classified reason for Nelson’s allegations. The top Democrat on the Senate Intelligence Committee, Mark Warner, confirmed to MSNBC that he and Republican Chairman Richard Burr had approved a joint warning from Florida Senators Nelson and Marco Rubio to Florida election officials regarding Russian attempts to hack into Florida voting systems. When asked for further details about the alleged attack, no confirmation or specifics was given to Florida state officials by the Senate Intelligence Committee, the FBI or Department of Homeland Security.

Smaller states like Vermont, Wyoming and Delaware received only about $3 million of the total $380 million in federal money to bolster their voting systems.

Since the funding package was doled out, states have told lawmakers it was not enough. But Republicans, for the most part, have dragged their feet when it comes to divvying up additional federal dollars.

In mid-July, House Republicans approved a new spending bill that excluded millions of dollars in additional election security funding. Days later, 21 state attorneys general urged Congress in a letter to provide more funding, saying it was “essential to adequately equip states with the financial resources we need to safeguard our democracy and protect the data of voting members in our states.” Senate Republicans rejected a measure the very next week that would have provided an additional $250 million for states to further strengthen their voting systems and protect against election hacking.

The White House has been no ally of election security upgrades either. A bipartisan bill known as the Secure Elections Act would have bolstered states’ election security. It had been held up in the Senate and was recently put on hold after an unexpected halt in the Senate Rules Committee, reportedly on behalf of the White House. The measure would have granted security clearance status to each state’s top election official to receive information on threats, which could have potentially solved the dispute over Nelson’s claims of “classified” information. Most importantly, the bill would have required each state to conduct an audit after every federal election, ensuring votes had been tallied correctly by referring to a paper record of all the votes. Elections and cybersecurity experts all told Newsweek the single best way to secure an election was to require a vote audit, otherwise “you’re really shooting in the dark.”

Following the stalling of the Secure Elections Act, White House spokeswoman Lindsay Walters told Yahoo News in a statement that although the administration “appreciates Congress’s interest in election security, [the Department of Homeland Security] has all the statutory authority it needs to assist state and local officials to improve the security of existing election infrastructure.”

Masterson told Newsweek that the Department of Homeland Security had implemented new measures to better secure, detect and recover from cyberattacks, especially against vulnerable systems like websites, voter registration databases and election night reporting. One of the measures that Homeland Security has rolled out is a voluntary six-week assessment for local election officials that allows them to test their security systems against cyber and phishing attacks. Homeland Security also continues to work with states on improving the way they conduct vote audits to ensure accurate election results. But not all states have laws on the books that require audits, which the Secure Elections Act would have required. The department’s many new policies, Masterson said, has strengthened the relationships between local, state and national agencies.

Partisan politics can undoubtedly play into whether certain states believe enough action has been taken. Those that have fought for more said the aid they received wasn’t enough to put the appropriate safeguards in place across the entire state. And without new laws, states or local districts aren’t required to make any upgrades. It took all 50 states nearly four months to apply for the allocated money after it was approved in March. Cybersecurity experts said whatever improvements the states made likely wouldn’t make a difference for 2018.

Too Little, Too Late

Is Election hacking a Bigger Midterm Threat?A man casts his ballot in the New Jersey’s primary on June 7, 2016, in Hoboken.EDUARDO MUNOZ ALVAREZ/AFP/GETTY IMAGES

While cybersecurity and election experts told Newsweek the midterms might not be morevulnerable to attacks, many of the new security measures came too late to be effective. Or in some cases, states might not have made the right upgrades.

Much like Florida and California, other states have tended to focus their resources primarily on upgrading voting equipment. But cybersecurity expert Adrien Gendre at Vade Secure, an email security software company, told Newsweek there was another area of technology that should take priority when it comes to securing elections: email.

“Upgrading your [election] software and making it more secure is efficient for 7 percent of hacking methods,” he said. “The rest will use the weakness point in the organization: the user. A hacker sends an email, waits for the user to click the attack and then you get access on the inside.”

What Gendre is referring to is email phishing attacks, the likes of which hit the Democratic National Committee, Hillary Clinton campaign officials and more than 100 local election officials leading up to the 2016 election, according to a classified intelligence report obtained by The Intercept.

A hacker will send an email containing a link that appears as though it’s from a company, such as Microsoft, requesting that users upgrade their passwords. After the users click on the link and are taken to a website designed to look legitimate, they are prompted to enter account information or other personal information. Once that happens, Gendre said it’s like walking through the front door of someone’s house.

“Not only do you gain access to their email, you can also have access to all their contact lists, computer files, calendar, etc.” Gendre said, adding that 93 percent of successful hacking attacks that organizations face typically start with an email.

Microsoft was able to prevent an attack on a policy aide for Democratic Senator Claire McCaskill last year. California congressional candidates Hans Keirstead and David Min, who were both defeated in neighboring districts, and Alabama congressional candidate Tabitha Isner have also faced similar attacks over the past year. The methods of the attacks were either through repeated attempts to hack into the candidates’ campaign websites or through email phishing attacks. While it’s not known for certain whether the attacks on Keirstead and Min were at the hands of Russians, the style resembled the Russian attacks on McCaskill and Isner.

To protect against these attacks, cybersecurity experts recommend implementing email firewalls, upgrading security software to detect phishing or other malicious emails and undergoing training to learn how to recognize a phishing attempt.

William Boyett, who is with the Supervisor of Elections office in Alachua County, Florida, said his office had done exactly that. It even went so far as to keep a “red flag” flyer at each desk with key information on how to detect phishing attempts.

“Seeing phishing prevention as a low-cost, high-reward aspect of a robust cybersecurity environment, we had already collaborated with the [technology services] department of our county government to put these measures in place prior to the recent heightened concerns and grant money distribution,” Boyett said.

When it came to Florida Senator Bill Nelson’s claims that Russians had already “penetrated” some of the state’s voter registration databases, Gendre said they were not far-fetched by any means. By targeting certain election or state officials with the same types of phishing attacks Russia did in 2016, it could happen with one click.

While voting machines may also be susceptible to hacking, University of Michigan computer science professor Alex Halderman said it was most likely not the direction Russia would take this time around.

“If Russia or other countries are planning to disrupt the 2018 election, they’re probably already in our computer systems just waiting for the order to pull the trigger,” Halderman said. “One of the scary things is nation states that are targeting specific people or organizations. Their way of working is to play the long game.”

Considering Halderman had demonstrated, in a video for The New York Times, how easy it could be to hack into voting machines, it says a lot about the potential ways a foreign adversary could inflict damage by targeting the emails of certain local election officials or the infrastructure of a key district.

There was one common solution both election and cybersecurity experts agreed was not susceptible to hacking: paper. Having access to a paper trail is something many states and counties have seen to for years, while many continue to use only electronic machines. “In this election cycle, there’s not all that much more we’re going to be able to do, short of states that currently have no paper trail using emergency measures to put one in place as a fallback,” Halderman said.

Using information from Verified Voting, an advocacy group that promotes better security policies for elections, Newsweek created the following map that shows the counties that currently vote only by electronic machine, only by paper or a combination of both.

Voting Technology by CountyCounties still vary in the way they administer elections across the country. Using data from Verified Voting, this chart shows how each U.S. county votes: by machine, paper or a mix of both.RAMSEY TOUCHBERRY/NEWSWEEK

Verified Voting President Marian Schneider has been advocating for election officials to use paper ballots for more than a decade. “If you don’t have a paper record, you have no ability to detect and no ability to recover [the vote] if something happens,” she said. “For a close election, even a statewide race, if you want to change vote totals you would find the weakest link in one of the localities and alter votes in a few counties.”

Once a hacker is in, whether it be voting hardware, software or emails, it could be weeks or months before a breach is even detected, much less eradicated. The FBI didn’t meet with Keirstead’s campaign until it reported a second cyberattack months later, prompting a meeting between the campaign and the federal agency. Having worked for the Department of Homeland Security’s cybersecurity division, Chris Cummiskey told Newsweek most states and campaigns probably did not know if they had been penetrated.

“Unless you send in hunt teams from DHS or NSA to actually go in and do the assessments and scanning, most states would never know if they were penetrated. That’s the most dangerous aspect of what we’re seeing for 2018,” Cummiskey said. “Even with the $380 million Congress just appropriated back in March, it was late in the cycle. Whatever additional cyber measures they would put in place to counter attacks probably came too late for this particular election.”

Halderson seemed to summarize the feelings of the majority of cybersecurity experts Newsweekspoke with about the current state of U.S. election systems: “At this point, we’ve got to get started now or it will be too late for 2020 as well.”