The Midterm Elections Are Already Under Attack

Phishing attempts and DDoS attacks have begun hitting 2018 campaigns. The US seems ill-prepared to meet the challenge.

With primaries underway and less than four months to go until this year's midterm elections, early signs of attack have already arrived—just as the US intelligence community warned. And yet Congress has still not done everything in its power to defend against them.

At the Aspen Security Forum on Thursday, Microsoft executive Tom Burt said that phishing attacks—reminiscent of those carried out in 2016 against Hillary Clinton's campaign—have targeted three midterm campaigns this year. Burt stopped short of attributing those efforts to Russia, but the disclosure is the first concrete evidence this year that candidates are being actively targeted online. They seem unlikely to be the last.

"The 2018 midterms remain a potential target for Russian actors," said Matt Masterson, a senior cybersecurity adviser to DHS, at a Senate hearing last week. "The risks to elections are real."

Meanwhile, a trend of destabilizing denial-of-service attacks against election-related systems has also emerged, including one that caused a results-reporting website to crash during a municipal primary in Knox County, Tennessee, in May, along with two reported DDoS assaults on unnamed Democratic campaigns. DDoS attacks have become common enough that both Alphabet's Project Shield and Cloudflare's Athenian Project have been offering free DDoS protection to election-related groups, like political campaigns, state and local governments, and boards of elections.

Homeland Security assistant secretary Jeanette Manfra noted this week that DHS has so far not seen the volume of phishing activity and election infrastructure probing it recorded at this time in 2016. But that could simply mean that attackers have already done their reconnaissance, or have moved on to more refined techniques. And in addition to evolving threats, reports continue to surface new, critical vulnerabilities in areas like voting machines—several of which have inadvisable remote-access software installed—and voter data handling.

Top officials have made it clear that they are bracing for attacks. "The warning lights are blinking red again," said director of national intelligence Dan Coats last week during a talk at the Hudson Institute think tank. "Today, the digital infrastructure that serves this country is literally under attack." On Thursday, deputy attorney general Rod Rosenstein echoed this conclusion. "These actions are persistent, they are pervasive, and they are meant to undermine America’s democracy," Rosenstein said.

Slow Progress

Despite these active, ongoing concerns, the Trump administration's mixed messages about the extent of the Russian threat have hampered momentum on defense. President Trump indicated on Monday that he still doubts that Russia attempted to disrupt US democracy in 2016, and on Wednesday he appeared to dismiss the current threat from Russia as well. He later walked back some of those statements, and the White House released a compendium of its work on election defense, stating, "President Donald J. Trump and his Administration are defending the integrity of our election system."

The National Association of Secretaries of State said in a pointed response on Tuesday, "Secretaries of State ... across the nation are working hard each day to safeguard the elections process ... We ask, however, the White House and others help us rebuild voter confidence in our election systems by promoting these efforts and providing clear, accurate assessments moving forward."

And state election officials have worked for months to improve election infrastructure defenses at both the state and local levels, prioritizing cybersecurity more than in past years. But that step has been hard won, given that researchers have warned about the dangers of insecure voting machines and other infrastructure components for more than a decade. And much of the recent progress—including basic improvements to cybersecurity hygiene on voter databases and election infrastructure networks—is just a first step. Larger projects, like replacing old, insecure voting machines and those that don't produce a paper backup, or implementing robust audits to confirm electoral results, are still either nascent or nonexistent in most states.

While election officials and the Department of Homeland Security have made valuable progress on forging communication channels and information-sharing mechanisms between the federal government and state and local election boards, many of the other resources DHS has offered have gone underutilized. Officials say that only 18 states and territories have requested on-site vulnerability assessments, and 34 are receiving DHS vulnerability scans. (States can get these services elsewhere as well, and may not have tapped DHS because they already had contracts with private firms.)

The Department of Justice also announced a new policy on Thursday evening to notify the public about foreign interference in US democracy. Though questions remain about how exactly the new initiative will work in practice, the timing of the announcement seems to indicate that officials want it in place as part of defensive preparations for the midterm season.

Money Trouble

Despite these efforts, more comprehensive infrastructure overhauls at the state and local level likely can't happen without funding. Some progress has been made along those lines; in March, Congress appropriated $380 million to states for election infrastructure work through the 2002 Help America Vote Act.

"The Election Assistance Commission gave a presentation that kind of broke down what states have said they’re going to be doing with the HAVA money so far, and they seem like the right things we would want them to be spending on, like replacing voting equipment, shoring up registration databases, cyberhiring, and post election audits," says Lawrence Norden, the deputy director of the Brennan Center's Democracy Program at New York University School of Law.

But while significant, the HAVA money still won't cover all costs associated with necessary upgrades nationwide, and it was divvied up based on state populations, not need. "It wasn’t even enough to replace the paperless machines, as we know, given that none of the states replaced their paperless machines after getting that money," Norden says. A paper-trail backup is vital to secure voting, in case evidence emerges of digital tampering or tallies reveal discrepancies in digital results.

Five states (Delaware, Georgia, Louisiana, New Jersey, and South Carolina) use only paperless voting machines. A bill to replace the machines in Georgia failed in March. Pennsylvania, which has paperless machines in some counties, has committed to eliminating them before the 2020 election. In a survey this week, only 13 states told Politico that they plan to use federal money to replace voting machines.

More money could be on the way soon; a promising bill specifically tailored to promoting election and voting defense, known as the Secure Elections Act, gained two cosponsors this week in the Senate, South Dakota Republican Mike Rounds and Florida Democrat Bill Nelson. But experts agree that realistically, no more funding will be available to states in time for the midterms. And in a Thursday House of Representatives vote related to a 2019 spending bill, Republicans shot down an effort by Democrats to appropriate another $380 million in election security funding. Republicans said that the March HAVA distribution was adequate and that states have the funding they need.

Analysts are clear, though, that federal funding is still urgently needed to prepare for 2020, even if it's too late for 2018 now. "There seems to be more of an understanding among lawmakers than there was before the 2016 election that Congress has a responsibility in this area," Norden says. "But some members have a mindset that paying for elections is the responsibility of the states. And while that’s defensible up to a point, I think it hasn’t quite sunk in for them that this is now a national security issue and Congress actually does have a responsibility in that arena."

In the final weeks before the midterms, experts have advised states to work on their contingency plans and emergency procedures so they can handle whatever problems or attacks arise. While widespread attacks on the midterms are not a foregone conclusion, there are plenty of signs that at least some have already started.

"We’re going to have to see what happens with the 2018 election—will there be any meddling? Will there be any things that go awry in 2018?" says Marian Schneider, president of Verified Voting, a group that promotes election system best practices. "Because to the extent that things don’t go swimmingly, unfortunately, that may be an impetus for Congress on funding."

Schneider notes, as do many security analysts, that though election process issues are often mired in bureaucratic and political controversies, the stakes transcend party lines. "I want to underscore that this is not a political issue—it’s not partisan," she says. "It really is a national security issue. This is about standing together shoulder to shoulder to protect our democracy against external threats. That’s what we have to do."

