You’ve heard the story ad nauseam by now: 2016 was the year of the hacked election. Russia inundated social media platforms with a barrage of fake news that led to the ongoing Mueller probe into how much Vladimir Putin and company interfered in the election.
Flash forward two years and the state of American election security has seen improvements, while social media platforms talk a big game about clamping down on bots and fake accounts. But the U.S. still relies on an alarmingly fragile ecosystem of antiquated technology. On the eve of the 2018 midterm elections, these are the three biggest election-hacking issues we face.
Fake News Was Just the Beginning
The Past: The information warfare of 2016 didn’t just expose the ineptitude of social media platforms to identify and ferret out political propaganda injected by foreign powers. It had real, tangible effects that swayed voters, numerous studies say. An Ohio State University survey cited three particular fake news stories that cratered Hillary Clinton’s support among former Obama voters. In the election’s immediate aftermath, another study found 27 percent of voters consumed news engineered by phony, partisan websites that drew a majority of clicks from social media. With 66 percent of adults relying on Facebook for news ahead of the election, it’s no wonder “Fake News” earned the dishonor of Politifact’s “Lie of The Year.”
Since then, Silicon Valley giants have slowly and begrudgingly made efforts to clamp down on misinformation campaigns clogging their newsfeeds. But fake news still lives: Coordinated efforts to incite conflict between voters and spread malicious lies about candidates weren’t necessarily running rampant before the 2018 midterms, but they were still plenty visible.
The Present: In October, a Russian woman working for an oligarch linked to Vladimir Putin was charged with attempted meddling in the 2018 midterms—an alleged effort to “create and amplify divisive social media and political content” via thousands of fraudulent email and social media accounts.
Just a few days later, Facebook scrubbed 80 pages and Instagram accounts linked to trolls in Iran. The accounts were removed for posting “politically charged content” while claiming to be run by U.S. and U.K. citizens. Facebook’s election war room waged the battle domestically: The social network purged nearly 800 political accounts in October for promoting their own homegrown propaganda.
The Future: Fake news was just the first step. Security experts consider the tactic a harbinger of a more sophisticated kind of digital warfare, one that Facebook and others might be ill-equipped to combat.
Brookings Institute fellow Alina Polyakova writes that fake news campaigns are becoming more technologically savvy and impervious to human detection. In a recent article on the think tank’s website, she argues that “deepfake” videos and AI-enabled botnets are likely to outnumber humans as the primary arbiters of misinformation.
AI driven disinformation will be better targeted to specific audiences; AI driven online entities will be able to predict and manipulate human responses; At some point very soon, we won’t be able to tell the difference between automated accounts and human entities.
“You Already Voted”—Russia
The Past: Election hackers are usually trying to sow confusion and undermine trust in the institutions of democracy. Voter registration databases—logs of registered voters in a particular country, township, or district—are a particularly vulnerable flashpoint, says Susan Greenhalgh, policy Director at the National Election Defense Coalition.
“Election officials are very concerned about attacks on voter registration databases—and I think they’re correct to be concerned. They are often directly exposed to the internet, but we know in the 2016 election that those voter registration databases were being probed and attacked by foreign adversaries.”
Greenhalgh’s words have precedent: Last September, the Department of Homeland Security (DHS) notified election officials in 21 states of an attempted hack on their voting registration systems and election websites. Hackers infiltrated systems in only a few states, according to the Washington Post, but in Illinois the outcome was staggering. Attackers from the GRU, a Russian intelligence agency, purloined the information from 900,000 voters including names, emails, and partial social security numbers.
The Present: Intelligence officials say the 2016 attack was a trial balloon—a way for hackers to assess lingering holes in state voting systems waiting to be ripped open. Once found, though, those vulnerabilities could be weaponized in a number of ways to unleash chaos during an election, says Adam Levin, founder of the election security firm CyberScout.
“You could delete people, you could add people” from the voter rolls, he says. “You could change people’s registration or party affiliation. You could create a shift in the addresses so that if someone shows up at a polling place and shows identification it doesn’t match [what’s on the books].”
DHS officials have already identified multiple attempts to breach databases across the country ahead of the midterms. Though the hacking attempts were stymied, DHS noted the unidentified suspects were galvanized by the usual incentives: “Numerous actors are regularly targeting election infrastructure, likely for different purposes, including to cause disruptive effects, steal sensitive data, and undermine confidence in the election.”
To see what a successful Election Day hack might look like, look at the example of North Carolina, 2016. People showing up to vote in various precincts found inaccurate warnings displayed by e-poll books—machines used by local authorities to check voters into polling places—claiming that they’d already voted or needed to show identification when they didn’t.
As reported by Vox, local authorities chalked the snafu up to a technical glitch and refused oversight from the FBI. Leaked NSA documents later revealed that faulty software might not have displayed the inaccurate warnings that caused long lines and voting booth confusion, though, indicating that a Russian cyberattack had been targeting e-poll books in several states, including North Carolina.
The Future: The American voting system is decentralized, spliced up into precincts, municipalities, districts, and counties that administer their own defenses against interference. While this ad hoc composition is designed in part to make centralized, domestic election-rigging all but impossible, it puts the onus of security on small local bodies and makes it easier for more localized attacks to succeed and reverberate throughout the system. Moving forward, unassuming precincts will have to wage battle with the technological prowess of America’s fiercest enemies.
“Different jurisdictions are making different decisions about systems they are using, the level of security they have, the level of resources they have available to actually do it,” Levin says. “Take a little rural county somewhere and realize that they could be facing off against the FSB (Russia’s version of the CIA). That’s not necessarily a fair fight.”
An event similar to what happened in North Carolina two years ago could easily occur again—perhaps even where you cast your ballot. Since small districts lack the firepower and technical savvy of a mobilized hacking unit, they’re often left defenseless when placed in the crosshairs.
Levin, for his part, says our state-oriented system plays right into a hacker’s playbook:
You have Homeland Security that’s working very hard with many states to try and help them, but you have a number of states that are generally suspicious of the federal government, and reject help…they’re out there as these islands facing off against nation states.”
The Trouble With Voting Machines
Past: In the wake of 2016’s election security scares, several states were aghast to find that their machines provided little in the way of a verifiable paper trail, rendering them useless if breached. The Virginia Board of Elections decertified its Direct Recording Electronic voting machines last year, while New Jersey received a $10 million grant to upgrade its own archaic devices. Still, attempts to improve machines across the country have been modest at best.
Present: September’s Defcon Voting Village convention provided a shocking glimpse at the myriad vulnerabilities of voting machines. Attendees were offered a chance to breach 30 different models, many of which administer elections across broad swaths of the U.S.
The volunteer hackers had little difficulty infiltrating devices made by Election Systems and Software, the largest manufacturer of voting machines in the U.S. Of the machines breached was the ES&S M650, currently in use in elections in 23 states. A report Defcon issued after the event states:
Because the device in question is a high-speed unit designed to process a high volume of ballots for an entire county, hacking just one of these machines could enable an attacker to flip the Electoral College and determine the outcome of a presidential election.
This is reflective of a broader weakness pervading electronic voting machines, Greenhalgh says. “If those machines are attacked or have some kind of programming error or software malfunction, there’s no way to recapture how the voter voted.”
And this wasn’t the first time ES&S roused controversy. Over the summer, the company admitted it installed remote-access software on a number election management systems (EMS) it distributed between 2000 and 2006. Because EMS systems provide the tools necessary to conduct elections in a digital format, allowing remote access has glaring security repercussions, especially if the system is internet-connected. If you hack an EMS, “you can infect all the computers attached to an EMS,” Greenhalgh says.
Future: Since voting machines offer the most direct route for hackers to scramble data and cast doubt on a vote tally, they’re likely to remain a focal point in the ongoing struggle to secure elections.
“No you can’t exactly hack an entire national election, but you might be able to impact certain machines in certain places that will clearly have impacts, because they’re battleground states, battleground precincts,” Levin says.
The longer states use susceptible machines, the greater chance there is of a hack occurring.
“You don’t need to hack an entire state to call an election into question. All you need to do is create a question about the accuracy of the vote count, the accuracy of registration systems in a precinct or a county, and all of a sudden people start asking questions about what can we believe, what can’t we believe,” says Levin.