After red flags were raised about vote hacking in 2018, the midterms came and went without much cybersecurity fanfare.
Director of National Intelligence Dan Coats had cautioned that “the warning lights are blinking red again,” and experts warned that voting systems, in particular, could be at risk. Russia had likely targeted them in all 50 states in 2016 and had gained access to voter-registration files in Illinois and Arizona.
But despite myriad concerns about vulnerabilities—from voting machines to tabulation systems to phishing attacks on campaigns—election hacking, by and large, did not factor in the 2018 elections. A recent report from Coats’ office to the White House confirmed as much: U.S. intelligence officials had no evidence that voting systems had been compromised, although social-media disinformation aimed at American voters had continued apace.
“The Russians didn’t need to do much in 2018. They enjoy all the turmoil in the U.S. and probably take credit for 2016 outcomes,” said James Lewis, senior vice president and director of the Technology Policy Program at the Center for Strategic and International Studies. “Midterms are confusing and the Russians probably couldn’t figure out the pressure points to swing voters. If they have new tricks, they are saving them for 2020.”
If Russia (and other foreign powers) are biding their time for the next election year, is America ready for a fresh round of attempted interference? And as the 2020 elections approach, what have officials and experts learned?
One benefit of 2016’s meddling was that it brought a slew of recommendations from election and cybersecurity experts on how to guard against vote hacking. Before the 2018 midterms, experts had recommended a handful of equipment and policy changes—like new voting machines, anti-phishing training, and two-factor authentication for employees logging into voter databases.
States took $380 million in election-upgrade funding from Congress, but spending it in a timely manner proved difficult, as legislative and procurement calendars slowed the process down. The bulk of that money will have been spent by 2020, however, according to a senior government official familiar with the matter.
Of major concern to experts were the five states that use paperless voting systems statewide and could not examine a paper trail if the vote was compromised. All of those states are now taking steps toward using voting machines with auditable paper trails. Delawareand South Carolina expect to have them in place by 2020; Georgia, where a lawsuit failed to force the state to buy new machines before November 2018, after sensitive election-related files were left unguarded on a server, has set buying new machines by 2020 as a goal; and New Jersey has begun a pilot program, with two counties already having bought new machines.
Louisiana had planned to make the switch by 2020, but that is now in doubt, after the losing bidder challenged Louisiana’s decision to award a contract for new voting machines to a competitor, and the state ultimately issued a new request for bids, starting the process over.
One federal effort, in particular, seems to be working: across the board, state election officials said coordination with the Department of Homeland Security improved drastically between 2016 and 2018 -- even as fewer than half of U.S. states took DHS up on its offer of in-person reviews of vulnerabilities in their election systems. The cyber-threat-sharing forum established for the states by DHS drew positive reviews.
“There were a few [malicious] scans that were certainly passed on from that,” said Washington Secretary of State Kim Wyman, who also said DHS and FBI staff were in Washington State to help out on election night. “They shared lots of info. We had many lists of bad IPs to block. They shared info about spear-phishing attempts to look out for.”
But apart from actual vote-hacking, campaign cybersecurity, most notably a dreaded hack-and-leak campaign, remains a concern, as does disinformation on social media.
Surprisingly few campaigns contracted with cybersecurity firms to provide protection in 2018; CrowdStrike, one of the more prominent firms in the field, worked for both political parties but was signed on by only one campaign. Campaigns, and particularly House campaigns, operate on tight budgets and may not have the resources to spare for cybersecurity services, when that money could go to extra advertising or canvassing. The Democratic Party, for its part, guided its House campaigns to a set of best practices that included things like multi-step logins and encrypted messaging.
But two notable spear-phishing attacks were attempted on national party committees in 2018: a spear-phishing campaign against the National Republican Congressional Committee before the midterms, and a similar, recently revealed attack on the Democratic National Committee after Americans voted.
Meanwhile, disinformation continues to evolve and, some say, grow more aggressive.
“I would expect to see a more aggressive effort in 2020, for two reasons,” said Bret Schafer, who tracks Russian-affiliated disinformation accounts for the German Marshall Fund’s Alliance for Securing Democracy. “One, there were a lot of races this time, and there wasn’t a way to significantly alter one race … and two, I think there’s just going to be a far more divisive, highly political campaign in 2020 than the midterms were.”
The FBI launched a task force to address foreign political influence and indicted a Russian woman in October for allegedly interfering in 2018. But the Justice Department has acknowledged limits in the government’s ability to counter foreign political messaging publicly: public announcements “must be conducted with particular sensitivity in the context of elections, to avoid even the appearance of partiality,” Deputy Assistant Attorney General Adam Hickey told the Senate Judiciary Committee in June.
And foreign actors have not been the only source of interference. For example, The New York Times reported that Democratically-aligned operatives created a false Facebook page and may have used bots in the Alabama special Senate election.
Disinformation has been geared toward exacerbating existing divisions, and we can expect to see “more of it happening on fringier platforms … places that are not going to have to set up war rooms because they’re not under the same kind of congressional scrutiny,” Schafer said.
Still, Congress has grilled tech executives about foreign meddling, and while the social media firms have taken some steps to address the issue -- Facebook, for instance, removed more than 2.1 billion fake accounts in 2018, some of which were linked to foreign political activity -- not everyone has been pleased with the response or the state of play moving forward.
“A couple of the big companies were denying that anything was wrong until a few months ago,” CSIS’s Lewis said. “It gave [Russia] and unobstructed path. Maybe we’ll figure out what to do by 2020.”