A Warm-Up Election

Cybersecurity

​​​Photo by Rob Crandall, Alamy Stock Photo​

A Warm-Up Election
 

​Despite concerns about the security of the U.S. midterm elections, most Americans expressed high levels of confidence that the systems in their states—and the nation overall—were secure from hacking.

“About three-quarters (77 percent) say they are very or somewhat confident that their state’s systems were secure from hacking and other technological threats, up 11 percentage points from the share saying this before the election (66 percent),” the Pew Research Center found in a survey after the election in November 2018. “And while just 45 percent expressed confidence in the security of systems in the U.S. before the election, more than six-in-ten (64 percent) now say this.”

However, some are still skeptical about the security of the midterm elections, which saw a record number of Democrats elected to the House of Representatives while the Republican Party strengthened its majority in the Senate. 

“About four-in-ten (38 percent) Americans say that Russia or other foreign governments definitely (9 percent) or probably (30 percent) influenced the congressional elections, while six-in-ten say foreign governments probably (44 percent) or definitely (16 percent) did not influence the elections,” according to Pew.

The rise in confidence may have come from the flurry of activity leading up to the midterms to prevent cyber attacks against election systems. Microsoft issued warnings about nefarious activity targeting conservative voters, Facebook and Twitter announced major takedowns of accounts linked to suspicious activity, and the U.S. Department of Homeland Security (DHS) worked with state and local election officials to enhance election security.

Just prior to election day in November, DHS Secretary Kirstjen Nielsen, then-Attorney General Jeff Sessions, Director of National Intelligence Dan Coats, and FBI Director Christopher Wray issued a joint statement on election day preparations.

“Our agencies have been working in unprecedented ways to combat influence efforts and to support state and local officials in securing our elections, including efforts to harden election infrastructure against interference,” they said. “Our goal is clear: ensure every vote is counted and counted correctly. At this time, we have no indication of compromise of our nation’s election infrastructure that would prevent voting, change vote counts, or disrupt the ability to tally votes.”

The officials cautioned, however, that all Americans should remain vigilant because threats to the system continue to exist.

“Americans should be aware that foreign actors—and Russia in particular—continue to try to influence public sentiment and voter perceptions through actions intended to sow discord,” the officials said. “They can do this by spreading false information about political processes and candidates, lying about their own interference activities, disseminating propaganda on social media, and other tactics.”

Following the midterms, Director of National Intelligence Coats provided the White House with a report about the security of the election, which was required under a previous executive order issued by U.S. President Donald Trump.

The details of the report were classified, and are likely to remain so, but Coats said in a statement that the U.S. intelligence community did not see any indicators that compromised election security, such as preventing voting, changing vote counts, or disrupting the ability to tally votes.

“The activity we did see was consistent with what we shared in the weeks leading up to the election,” Coats said. “Russia and other foreign countries, including China and Iran, conducted influence activities and messaging campaigns targeted at the United States to promote their strategic interests.”

The intelligence community, however, did not assess what impact these campaigns may have had on the outcome of the midterms. 

“The U.S. intelligence community is charged with monitoring and assessing the intentions, capabilities, and actions of foreign actors; it does not analyze U.S. political processes or U.S. public opinion,” Coats explained.

While there were some misinformation campaign efforts, Facebook attempted to thwart them by making explicit changes to its policies to ban posts that misrepresent voting information. 

Facebook made the change in October 2018 after widespread criticism of how it handled misinformation campaigns on the platform in the runup to the 2016 presidential election. 

“In 2016, we were not prepared for the coordinated information operations we now regularly face,” wrote Facebook founder and CEO Mark Zuckerberg in a post on the platform. “But we have learned a lot since then and have developed sophisticated systems that combine technology and people to prevent election interference in our services.”

Some of the changes Facebook made included banning posts that misrepresented how to vote in an election—such as giving the incorrect election day—and creating a reporting option specifically for voting information that Facebook users thought was suspicious or a violation of Facebook’s policies.

It also made changes to make its political ads sales more transparent to prevent nation-state actors from purchasing political ads targeting a candidate, similar to what happened in 2016.

Facebook has since adopted these practices for elections in Brazil, the United Kingdom, and India.

“Now anyone who wants to run an ad in India related to politics will need to first confirm their identity and location, and give more details about who placed the ad,” wrote Sarah Clark Schiff, product manager at Facebook, in the announcement. “The identity and location confirmation will take a few weeks, so advertisers can start that process today by using their mobile phones or computer to submit proof of identity and location.”

Continuing these efforts will be key as campaigning for the 2020 presidential election gets underway. This is because most election experts, including Christopher Krebs, a DHS official who later became the first director of the department’s Cybersecurity and Infrastructure Security Agency (CISA), think it will be a major target.

At CyberTalks in Washington, D.C., in November, Krebs, in his capacity as then-undersecretary for the National Protection and Programs Directorate, said DHS was working through what an adversary could do to attack election infrastructure because “the big game is 2020…2018 is just the warm-up.”

DHS worked with state and local election officials to enhance their election systems before 2018 and into the future using $380 million from the U.S. Election Assistance Commission (EAC). Recipients could use the funds to replace voting equipment, implement a post-election auditing system, upgrade their computer systems, put election officials through cybersecurity training, and other security-related measures (see “Election Hardening,” Security Management, September 2018).

And a DHS official who spoke to Security Management during preparation for the midterms said the department was using a “risk management approach that we’re going to build upon in 2020 and beyond.”

The official said DHS was working with its partners to mature the Election Information Sharing and Analysis Center and would conduct exercises with federal partners and state and local governments to prepare for the 2020 election. Security Management reached out to DHS for an updated comment but was unable to speak to an official due to the partial U.S. government shutdown that was in effect as of press time.

Despite the work that the department did to prepare for the midterms and the millions of dollars made available, John Dickson—principal at cyber firm Denim Group—says he was “underwhelmed” with the resources that were allocated to address election security.

“Namely, states and local authorities did a poor job of putting the resources in play as quickly as they could have, and they spread federal monies too thinly across a variety of needs,” he explains. “Sadly, much of that money was directed to buy new voting machines, which were not the biggest risk in my opinion.”

Instead, Dickson says more resources should have been put towards addressing risks to the static election system components—registration and reporting systems.

Election officials should address threats to these components ahead of the 2020 election, Dickson adds, and adopt the same mindset that Krebs said DHS was using towards election security.

“I recommend they view their election infrastructure as the Russians might, identifying the most attractive targets to address first,” Dickson says. “We also strongly recommend election officials conduct tabletop exercises, conduct threat modeling, and engage third parties to conduct penetration tests to mimic sophisticated nation state threats like the Russians, Chinese, or North Koreans.” 

And while cyberattacks to voting machines and reporting systems are a threat, officials should not underestimate how misinformation campaigns could be used to influence voters, according to Suzanne Spaulding, former undersecretary for the National Protection and Programs Directorate at DHS. 

Speaking at the American Bar Association’s Standing Committee on Law and National Security’s annual review, Spaulding explained that Russian propaganda efforts to divide Americans should be a major focus ahead of the 2020 elections. 

“We’ve seen that Iran is trying to wade in; we know that China is engaged in its own sophisticated operation with its own playbook,” said Spaulding, who is now a senior adviser at the Center for Strategic and International Studies (CSIS). “But I’m focused on Russia because so far it’s only Russia we see engaging in this scorched-earth approach to weaken democracy—to weaken this country.”

Russia used misinformation on social media to attempt to influence Americans who lean Democratic or Republican, which experts fear could lead to violence. 

“We cannot dismiss the seriousness of an adversary constantly pouring gasoline on the flames of division, hatred, and fear that can lead to violence,” Spaulding said.

To curb the effect misinformation campaigns can have, Spaulding and a group of experts authored a report published by CSIS that recommended publicizing Russian misinformation attacks and increasing awareness of the threat to institutions. 

The report also called for improved transparency into foreign adversary interference through campaign finance reform, foreign agent disclosure, and through promoting greater media literacy and understanding of government. 

However, Spaulding said the recommendations—and government agency efforts—will not be as effective as they could be without support from the Trump administration.

“We need a whole-of-nation approach to counter Russia’s actions to try to weaken this country, and that’s very hard to do if you don’t have leadership from the White House,” she explained.