Election security: Lessons from 2016

 


Regardless of what did or did not happen in 2016, experts are almost unanimous in their assessment that voting machines are riddled with cybersecurity vulnerabilities.

Were voting machines hacked in 2016?

The most accurate answer is that we don’t know. The intelligence community’s assessment after the 2016 election did not find any evidence that actual vote tabulations were changed, but the relative lack of attention paid to the issue -- combined with the widespread use of paperless voting machines and uneven post-election auditing -- means that a successful breach might not have been detected. Department of Homeland Security officials have said they do not believe hackers ever gained the ability to access or change vote totals.

Intelligence agencies and Special Counsel Robert Mueller’s investigation into Russian interference have uncovered evidence that dozens of state election systems, including voter registration databases, were scanned by Russian hackers looking for vulnerabilities, but scanning is not hacking. Cybersecurity experts liken it to reconnaissance, the digital equivalent of casing a home before a robbery. At least one state, Illinois, did suffer a breach of its voter registration system.

Regardless of what did or did not happen in 2016, experts are almost unanimous in their assessment that voting machines are riddled with cybersecurity vulnerabilities. Many of those vulnerabilities require physical access to the machines, while others can be exploited remotely or through the compromise of the corresponding software that is used to program and update ballot information. A group of security researchers at DefCon, one of the largest annual gatherings of hackers in the world, released a report examining 30 different voting machines. All were compromised in relatively short order by volunteers with a fraction of the resources that nation states can bring to bear.

“The number and severity of vulnerabilities discovered on voting equipment still used throughout the United States today was staggering,” the report stated.

Despite the wide range of security vulnerabilities facing voting equipment, there are a few major factors that may deter foreign nations from going this route. First, the federated nature of U.S. elections means that each county and jurisdiction does things differently, from the type of voting machines they use to chain-of-custody protocols to the cyber precautions taken.

The distributed and decentralized nature of elections “is both good and bad for cybersecurity,” according to a security playbook developed for state and local election officials by the Harvard Belfer Center. While decentralization makes it difficult “for a single cyber operation to compromise multiple jurisdictions,” the report states, “disparities in cybersecurity resources and experience across jurisdictions creates vulnerabilities.”

Additionally, the sheer number of eyes watching for signs of vote hacking in this election, combined with increased resources to detect malicious activity, may make targeting election infrastructure an exceptionally risky endeavor for nation states.

Officials also believe that political campaigns -- often hastily put together on shoestring budgets -- represent the soft underbelly of election cybersecurity. Such operations rarely have sophisticated IT security protocols or dedicated cybersecurity staffers, particularly at the early stages of campaign season. While private-sector and nonprofit groups are trying to change that by offering free IT security services to political campaigns, a number of candidates and sitting members of Congress have reported attempts by hackers -- some successful -- to penetrate their communications this cycle.

Even campaigns with the best resources can be caught flatfooted by the evolving tactics of hackers targeting their staff and associates.

“We brought on a security guy because we knew the Chinese had hacked other campaigns, but we thought it was an espionage threat, not an information operation, not a doxing threat,” said Robby Mook, who ran Hillary Clinton’s presidential campaign in 2016. “That’s why…I just worry that some of these managers are going into the 2020 campaign building out for the 2016 campaign and not thinking holistically about all those threats.”

Federal responses

DHS has been the most active federal agency on election security issues since election systems were designated as critical infrastructure in 2016. The department’s cyber wing, the National Protection and Programs Directorate, has spent the past two years building up information sharing and threat detection capabilities around election systems that largely didn’t exist in the lead-up to the 2016 elections when intelligence agencies were just starting to gain awareness of the threat.

“Unfortunately in 2016, we had to build relationships when we were in a bit of a hurricane,” Bob Kolasky, a DHS official who now runs the newly created National Risk Management Center, said earlier this year. “[Since 2016], DHS has been deliberate to put resources and information -- building partnerships, building processes to share information and building making tools available to support state and local election officials.”

More data and better communication with states, localities and election system vendors represent the heart of where DHS has invested its time over the past two years. The agency has conducted vulnerability scans and assessments for state governments and substantially beefed up its deployment of sensor tools designed to pick up suspicious cyber scanning or intrusion attempts of state election systems. A new election-related Information Sharing and Analysis Center established in February now has more than 1,000 members sharing information back and forth.

In all, DHS says it now has working relationships with all 50 states and more than 1,000 localities to strengthen election cyber defenses ahead of Nov. 6. It has set up other forms of communication, such as virtual chat rooms, to broaden its real-time communications with county-level officials leading up to and past election night.

DHS, the Department of Justice and the Federal Bureau of Investigation have all stood up new task forces focused on combatting foreign influence campaigns, with the FBI taking the operational lead.

The Election Assistance Commission, meanwhile, is developing new voting system standards that include improved technical guidance around cybersecurity, but those standards must be voluntarily adopted by states and voting machine manufacturers, and they aren’t expected to impact state purchasing decisions until 2020 or 2022.

The military, more specifically U.S. Cyber Command, recently received a broader mandate to protect election infrastructure as part of the Trump administration’s new cyber strategy.

Finally, the White House, which has been criticized at times for not doing enough to secure the election system from foreign interference, issued an executive order that gives intelligence agencies 45 days after an election to report whether there is evidence that a foreign government conducted a campaign to interfere in U.S. elections. After such a finding, a range of economic, diplomatic and travel sanctions can be imposed.

Officials have also said that in select circumstances, they retain the option of alerting the public about an ongoing campaign before election day, as DHS Secretary Jeh Johnson did in October 2016 with regard to Russia. However, the difficulties around attribution as well as a concerted desire to make states the public face of most election security mean that federal agencies will often be funneling the necessary intelligence or technical advice to relevant state or local officials and letting them take the lead as the trusted authority for election-related communications.
