Threats known and unknown loom in 2020 elections

It remains to be seen whether election officials and federal agencies will be facing the same type of threats targeting election infrastructure and online discourse as they experienced in 2016 -- or if they should expect the unexpected.


U.S. cybersecurity officials are gearing up to prevent foreign malign influence campaigns from impacting the 2020 vote.

Experts are divided over whether local election officials and federal agencies should expect the same type of threats targeting election infrastructure and online discourse as they experienced in 2016 or if they should expect the unexpected.

On Election Day in 2018, federal officials said they had no indication that voting infrastructure was successfully targeted by cyberattacks or other efforts at manipulation designed to strike voters from the rolls, change vote counts or hinder officials from completing election tallies.

But influence campaigns and as-yet-unknown vectors of attack remain ripe for discussion as the nation heads into the 2020 vote.

Matthew Masterson, a senior advisor at DHS who focuses on election security, said at an April 23 cybersecurity conference that he spends "a lot of time thinking through that undermining confidence [angle] and ways that we can build that resilience, because the reality is you don't actually even have to touch a system to push a narrative that undermines confidence in the elections process."

Liisa Past, former Chief Research Officer at the Cyber Security Branch of the Estonian Information System Authority, said at the same event that election influence campaigns operate on multiple fronts.

"It really illustrates the adversarial activity, which is that they're throwing spaghetti at the walls," said Past. "Cyber is one wall, misinformation, disinformation and social media is another wall. We're having to assume that using proxies and…useful idiots is another wall and I'm afraid that behind it there might also be an element of blackmail and personal manipulation."

The challenge, she said, is "how do you come up with a risk management model that clearly has the same degree of flexibility as the adversary's tactics have?"

The Mueller report and related indictments against members of Russia's Internet Research Agency documented a wide-reaching effort on the part of Russian intelligence agencies to target state boards of elections, secretaries of state, county government officials and private technology companies responsible for making election-related software and hardware in the lead-up to the 2016 presidential election.

Cybersecurity officials at DHS and the Cybersecurity and Infrastructure Security Agency have built relationships and information sharing agreements with all 50 states and more than 1,400 local entities. Chris Krebs, Director of CISA, joked earlier this week that he knows the ties between DHS and the election community are stronger today because he still regularly receives texts from secretaries of state and election officials at all hours of the night, asking questions and requesting resources.

Still, elections are mostly administered at the county or local level and by DHS' own count, there are still thousands of localities left to contact. In March 2019, a Joint Intelligence Bulletin issued by the FBI and DHS warned that in fact all 50 states had their election infrastructure probed and targeted by Russian hackers in the lead up to 2016, something that was long suspected.

Additionally, according to an April 24 New York Times report, senior White House officials thwarted an effort by former DHS chief Kirstjen Nielsen to create a cabinet-level election security team to elevate the issue.

But the work of securing election infrastructure is taking place at the state level, where elections are conducted.

Lawrence Norden, Deputy Director of the Brennan Center for Justice Democracy Program, told FCW "there's no question we're in a better place" security-wise compared to 2016, citing the steady (if sluggish) progress made replacing paperless voting machines over the past three years as well as heightened awareness of the threat on the part of government, technology vendors, election officials and the media.

"For things where they were apparently successful in 2016 with spear-phishing attacks…you would hope that's less likely to happen" in 2020 due to greater education about the tactic in the election community, he said.

Efforts to counter disinformation and influence campaigns, as well as state-sponsored hacking and leaking efforts targeting political campaigns, remain a work in progress.

Krebs told a House Homeland Security panel in February that social media companies "deserve some credit" for stepping up their efforts in the 2018 election cycle. He said major platforms sent representatives to a DHS election security war room in Virginia on election day, coordinating with election officials about blatant instances of misinformation posted online (such as claims that voting machines were casting incorrect votes) and pulling down posts in real time.

Still, policymakers and advocacy groups continue to pillory social media companies for what they perceive as a lack of urgency when it comes to combatting or taking down misinformation or disinformation on their platforms.

"They played a part," said Krebs. "There's always much more to do here and keep in mind that the adversary will continue to pivot, pivot, pivot as we raise defenses and block off avenues."

Here again, DHS has indicated a willingness to enter the fray, offering vulnerability scans and other protection services to any political campaign that wants them. Masterson said "we haven't had anyone decline to have a call with us or not be excited about the resources that we're offering" when speaking with presidential campaigns.

The sooner the better. Cybersecurity experts point out that the early stages of a political campaign's operations are often when it is most vulnerable, marked by high staff turnover, shoestring budgets and a lack of the professional organization and sophistication that normally translate to good digital security practices.

Case in point: Research from the Global Cyber Alliance found that only four of 14 Democratic presidential campaigns were utilizing Domain-based Message Authentication, Reporting and Conformance, a tool designed to prevent outside parties from spoofing the campaign's emails.
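Whether a domain "utilizes" DMARC can be read from the TXT record published at `_dmarc.<domain>`, and the policy tag in that record decides whether spoofed mail is actually blocked. The following is an added example, not code from this article or from the Global Cyber Alliance: a small classifier for such records, run over constructed sample domains and records (a real audit would first fetch the TXT records over DNS).

```python
# Added example: classify DMARC TXT records (RFC 7489) by enforcement level.
# Domains and records below are constructed samples, not real campaign data.

def parse_dmarc(txt):
    """Return the tag dict of a DMARC record, or None if it is not one."""
    tags = {}
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if i == 0 and (name != "v" or value != "DMARC1"):
            return None  # v=DMARC1 must be the first tag
        if sep:
            tags.setdefault(name, value)  # first occurrence of a tag wins
    return tags if tags.get("v") == "DMARC1" else None

def classify(txt_records):
    """Classify the list of TXT strings found at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r]
    if not records:
        return "no DMARC record"
    if len(records) > 1:
        return "invalid: multiple DMARC records"  # receivers apply no policy
    rec = records[0]
    policy = rec.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # Simplification: RFC 7489 lets receivers fall back to p=none if rua exists.
        return "invalid: missing or unknown p= tag"
    if policy == "none":
        return "monitoring only (spoofed mail still delivered)"
    pct = rec.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return f"partial enforcement ({policy}, pct={pct})"
    return f"enforcing ({policy})"

SAMPLES = {  # constructed TXT answers for _dmarc.<domain>
    "campaign-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@campaign-a.example"],
    "campaign-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@campaign-b.example"],
    "campaign-c.example": ["v=spf1 include:_spf.mail.example -all"],
    "campaign-d.example": ["v=DMARC1; p=quarantine; pct=25"],
}

def audit(samples):
    return {domain: classify(txt) for domain, txt in samples.items()}

if __name__ == "__main__":
    for domain, verdict in audit(SAMPLES).items():
        print(f"{domain:22} {verdict}")
```

A record with `p=none` counts as published DMARC but only generates reports; receivers are asked to act on spoofed mail only at `quarantine` or `reject`.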

Looking abroad could also yield clues as to how information operations have adapted and evolved against new protections. Ukrainian intelligence agencies claimed in March that Russian operatives sought to buy or rent Facebook accounts from Ukrainian citizens in order to avoid new security measures put in place after 2016. American disinformation researchers have pointed to similar tactics of co-opting native social media accounts and groups detailed in the Mueller report.

"We can't just plug the holes that we've identified because you just don't fight wars that way. You should expect and we see it in cyberattacks…they develop, they mutate," said Norden. "Adversaries who want to influence an election are going to find new ways. Having said that, we haven't even plugged the very obvious holes that we do have."

Past said what worries her most is the "strategic silence" she has witnessed over the past year by state actors like China and Russia.

The 2018 mid-terms were notably quieter than 2016, and Past and Norden said there are not many recent examples over the past year or two to draw lessons from. Still, Past said that although policymakers should prepare for new tactics and strategies, it's not clear that a foreign influence or election hacking operation would need to tread new ground, or stray far from the plan Russia ran in 2016.

"There's been no convincing response, government-wise or internationally or diplomatically, that would tell any nation state…that they should [deviate] from the Russian playbook, and most of the costs around those attacks has become less, not more, over the last few years," said Past.
