Defending the 2020 election against hacking: 5 questions answered
- By Doug Jones
- Sep 14, 2020
Editor’s note: Journalist Bob Woodward reports in his new book, “Rage,” that the NSA and CIA have classified evidence that the Russian intelligence services placed malware in the election registration systems of at least two Florida counties in 2016, and that the malware was sophisticated and could erase voters. This appears to confirm earlier reports. Meanwhile, Russian intelligence agents and other foreign players are already at work interfering in the 2020 presidential election. Douglas W. Jones, Associate Professor of Computer Science at the University of Iowa and coauthor of the book “Broken Ballots: Will Your Vote Count?,” describes the vulnerabilities of the U.S. election system in light of this news.
1. Though Woodward reports there was no evidence the election registration system malware had been activated, this sounds scary. Should people be worried?
Yes, we should be worried. Four years ago, Russia managed to penetrate systems in several states but there’s no evidence that they “pulled the trigger” to take advantage of their penetration. One possibility is that they simply saw no need, having successfully “hacked the electorate” by damaging Hillary Clinton’s candidacy through selective dumps of hacked documents on Wikileaks.
We know that VR Systems, a contractor that worked for several Florida counties, was hacked, and we know that there were serious problems in Durham County, North Carolina, during the 2016 election, including software glitches that caused poll workers to turn away voters during parts of Election Day. Durham County was also a VR Systems customer.
I know of no post-election investigation of the problems in Durham County that was conducted with sufficient depth to assure me that Russia was not involved. It remains possible that they did pull the trigger on that county, but it is also possible that the problems there were entirely the result of “normal incompetence.”
2. How does this change what we knew previously about Russian efforts to hack U.S. election systems?
The specific counties compromised in Florida were never officially revealed. Previous leaks indicated that Washington County was one of them. Now we know that St. Lucie was the other.
Furthermore, previous reports mostly said that the systems had been penetrated. Woodward is saying that malware was installed on these machines. I am not sure whether I should interpret his use of terms in their narrow technical sense, but there is a significant difference between penetration, as in “they got the password to your system, broke in and looked around,” and installing malware, as in “they got in and made technical changes to the operation of your system.”
The latter is far more serious because voters could have been removed from registration rolls and therefore prevented from casting ballots, and that’s what I gather Woodward is describing.
3. How have attempts to hack U.S. election systems changed since 2016?
I do not have inside knowledge of what’s going on now, but my impression is that the Russians are getting more subtle. The basic Russian tactics of four years ago were only moderately subtle. Dumping all the stolen Democratic National Committee files on Wikileaks wasn’t subtle, but some of the narrowcasting of targeted misinformation on social media was brilliant, if utterly evil. For example, using Facebook, Russian propagandists were able to target prospective voters in swing states with disinformation tailored for them.
My impression is that they’re getting better at disinformation campaigns. I think it’s safe to assume that they’re also getting better at digging into the actual machinery of elections.
4. Have efforts to defend U.S. election systems against hackers improved?
On the social media front, there has certainly been improvement. The obvious “sock puppet farms,” large numbers of fake accounts controlled by a single entity that Russia was running on U.S. social media, are far more difficult to run these days because of the way the social media companies are cracking down. What I fear is that the country is defending against the attacks of four years ago while not really knowing about the attacks of today.
In the world of actual election machinery, the U.S. has made a little progress, but COVID-19 has thrown a monkey wrench in the system, forcing a massive shift to postal ballots in states that permit this. That means that attacks on polling-place machinery will be generally less effective than in the past, while attacks on county election offices remain a real threat.
5. What keeps you awake at night going into the 2020 presidential election?
Oh dear. The list is long. Everything from crazies on the loony fringe of American politics shooting at each other in response to election results they don’t like, to people living in such closed media bubbles that we are effectively two different cultures living next door to each other while believing entirely different things about the world we live in.
Between those extremes, consider the possibility of results appearing to be reversed after polls have closed. If there is a demographic split between the vote-in-person crowd and the vote-by-mail crowd, election night results could go one way, while in states like Iowa, where postal ballots received six days after the election get counted if there is proof they were mailed on time, the final results could go another way.
Then, add in the possibility of hacked central tabulating software in key counties, and there’s plenty to lose sleep over.
This article was first posted on The Conversation.
Doug is the Director of Leidos Digital Modernization Accelerator, an organization within the Office of Technology under the CTO responsible for developing and scaling solutions in Digital Modernization, DevSecOps, and Cyber including R&D and solution development for our largest and most complicated proposals and customer needs. His team identifies the best solutions and technologies from across the corporation, leading vendors, and startups to integrate them into customers to accelerate their time to value, improving capabilities and reducing costs. In this role, Doug is the point person for our Digital Modernization strategy, technical lead for partnerships with key vendors, and has also personally led some of our largest proposal efforts including the solution for our recent NASA NEST End User Support contract ($2.9B).
Doug is a recognized thought leader in Digital Modernization who not only understands the application of new and emerging technologies, but has successfully delivered modernization capabilities across large, complex programs in the government. He is a subject matter expert in IT and Application modernization, focused on delivering solutions for cloud, DevSecOps, IT infrastructure, user support, and other key technologies. He brings nearly 20 years of leadership in large government system integration across the entire lifecycle of systems in complex system development, transition to operations, and O&M.
Doug previously led the startup of the DHS ESOC $395M cyber contract resulting in a blue startup with the customer stating it was the smoothest contract transition in all of his years of government support. He also led the final Increment of the FBI’s Next Generation Identification biometric system including sun-setting of the legacy IAFIS system and addition of facial search capabilities. This $40M/year increment developed over 3 ½ years resulted in achieving Full Operational Capability (FOC) on time, with full scope. Over 6 years on the FBI’s NGI, which is the largest IT project in the history of the DOJ, Doug held various leadership roles including leading efforts to achieve both IOC and FOC for the program which the FBI has hailed as a tremendous example of government / industry partnership with immediate tangible examples of direct benefits to law enforcement nationwide.
Doug has extensive experience in engineering and project leadership including design through deployment and operations support to large-scale, mission critical, COTS and custom code solutions. He has also led major infrastructure upgrades on operating mission critical systems including upgrading 50+ COTS products over a 3-month period for one 24/7 system within Customs and Border Protection (CBP). He has been an IPT lead on three different programs; beyond his role on NGI, Doug was IPT lead on the $75M Increment 5 for the Customs Modernization (ACE) program and IPT lead for NARA’s Electronic Record Archiving (ERA) program. He has also led software integration, system integration, and system acceptance test programs on four different large COTS integration programs with teams over 300 people.
Doug holds both a Bachelor of Science in Materials Science & Engineering and a Bachelor of Arts in Public Policy & Technology from North Carolina State University, in Raleigh, NC, and a Master’s in Systems Engineering from Johns Hopkins University, in Baltimore, MD. In addition to his degrees, he is a Certified Information Systems Security Professional (CISSP), a Six Sigma Green Belt, and holds a Project Management Professional (PMP) Certification.