After the 2016 U.S. presidential election turned into one of the most controversial and contentious ever – fueled in part by fears that foreign adversaries might have meddled in American democracy – U.S. government officials are taking no chances heading into 2020. In addition to encouraging greater coordination between authorities at the federal, state and local levels, U.S. government officials are also pushing much stricter measures to secure online election information from potential cyber attacks. Two new reports – a bipartisan Intelligence Committee report from the U.S. Senate and a report on election security from a San Mateo grand jury – highlight the degree to which fears about election meddling and tampering are now part of the current political zeitgeist in the U.S.
Senate report warns of election security threats
A new 67-page U.S. Senate report details the level of Russian meddling in the 2016 U.S. presidential campaign, warning that the first such attempts actually date back to 2014. While the bipartisan Senate report (co-authored by Senators Mark Warner and Richard Burr) falls short of suggesting that any direct vote tampering took place in 2016, it strongly suggests that Russian state actors – perhaps at the very bidding of the Kremlin in Moscow – knowingly made attempts to sow voter discord and cause U.S. citizens to have doubts about the integrity of American elections. Case in point – during the 2016 election, the Russians created bogus social media accounts, leveraged online bots and generally tried to sow discord by posting very polarizing content online. To avoid this problem, the Senate report recommends the continued use of paper ballots, so as to create a paper trail just in case election systems, voting machines, or voting systems are compromised.
What makes the U.S. Senate report on election security so relevant is that it was released just days after Special Counsel Robert Mueller’s testimony to the U.S. Congress. Mueller’s testimony specifically warned of the continued threat of foreign powers meddling in the U.S. election. In fact, Mueller warned, “They’re doing it as we sit here…” In many ways, Special Counsel Robert Mueller was putting the finishing touches on the whole “Russian conspiracy” theory embraced by anti-Trump politicians. As many Democratic lawmakers see it, the only way President Donald Trump defeated Democratic candidate Hillary Clinton was by openly colluding with the Russians.
At nearly the same time as the U.S. Senate report came out, lawmakers in the Senate also tried to introduce bills that would require all political campaigns to report to federal authorities any attempts by foreign entities to interfere in U.S. elections. While the bills do have some form of bipartisan support, Senate Majority Leader Mitch McConnell has blocked them, because he sees the bills as just a bunch of cheap politicking by the Democrats, who are eager to advance all of their “conspiracy theories” about foreigners meddling in U.S. elections. As McConnell and the Republicans see it, enough steps have been taken by the Department of Homeland Security and the federal government to protect the integrity of federal, state and local elections, secure voter registration databases and safeguard national security.
San Mateo grand jury report details risk of election tampering
Regardless of whether or not you buy into the idea of direct Russian election interference in the 2016 U.S. election, it is a fact that many of the voting systems, voter registration websites and election information platforms within the United States may be at future risk of tampering and hacking. To illustrate that point, a California grand jury report (from the San Mateo court system) intended to help election officials provides a stark and realistic look at the way that election tampering might take place in the real world. For San Mateo, election security has very real meaning because the county has twice been the victim of cyber hacks. Back in 2010, unknown hackers hijacked the election results webpage of San Mateo. And, in 2016, hackers breached employee email accounts using standard spear phishing techniques.
The San Mateo grand jury report details two possible scenarios that are worthy of greater attention for anyone worried about election security. The first scenario involves a hacker hijacking the county’s social media accounts, and then using them to report false or misleading results on election night. It might create tremendous controversy and scandal in the event of a very tight election, in which neither candidate really knows who won. The second scenario involves a hacker hijacking the county’s election website before an election in order to circulate false voting instructions. The goal here, presumably, would be to make it as hard as possible for some people to vote. The net result might be voter suppression, if some people decide to stay home instead of heading out to the nearest polling booth. Imagine, for example, if some voters were told that they needed to bring proof of U.S. citizenship, or official tax records, if they wanted to vote for U.S. president. Since these false voting instructions would appear to be coming from an official source, they might just be convincing enough to stop a lot of citizens from voting.
In addition to outlining potential election security scenarios, the San Mateo grand jury security report also highlights a few potential remedies. One of the most important of these election security remedies is greater coordination between officials at the federal, state and local levels. Another is the use of multi-factor authentication. The report specifically warns that the county’s social media accounts (Twitter, Facebook, Instagram and YouTube) are at greatest risk of being compromised by cyber assailants.
While the most common form of multi-factor authentication involves the use of one-time codes sent to a mobile device by text message, the San Mateo report warns that even this form of authentication might be at risk of being compromised. The report mentions Man-in-the-Middle (MITM) and SIM-swapping attacks as two ways that cyber hackers might get access to the one-time codes. Far better, the report says, is to use a FIDO physical security key (i.e., a small hardware device that connects to a computer via a USB port).
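The difference the report draws can be seen from the verifying server's side. The sketch below is an added illustration, not code from the grand jury report or this article: a one-time code verifies no matter which site the user typed it into, while a security-key response is bound to the origin the browser saw, so the server can reject it. The two origins are constructed, and HMAC stands in for the per-site public-key signature a real FIDO key produces.

```python
import hashlib, hmac, json, secrets

RP_ORIGIN = "https://elections.county.example"   # constructed official site
LOOKALIKE = "https://elections-county.example"   # constructed look-alike site

def otp_login(code_sent, code_submitted):
    # A one-time code is a bearer value: the server cannot tell which site
    # the user typed it into, so a relayed code verifies like a direct one.
    return hmac.compare_digest(code_sent, code_submitted)

class ToyKey:
    """Stand-in for a security key. Real FIDO keys sign with a per-site
    private key; HMAC is an assumption made to stay in the standard library."""
    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def sign(self, challenge, origin):
        # The browser, not the user, supplies the origin that gets signed.
        client_data = json.dumps({"challenge": challenge, "origin": origin},
                                 sort_keys=True).encode()
        tag = hmac.new(self.secret, client_data, hashlib.sha256).digest()
        return client_data, tag

def key_login(registered_secret, challenge, client_data, signature):
    expected = hmac.new(registered_secret, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False
    data = json.loads(client_data)
    # Server-side check that defeats relaying: fresh challenge, exact origin.
    return data["challenge"] == challenge and data["origin"] == RP_ORIGIN

def compare_factors():
    code = f"{secrets.randbelow(10**6):06d}"
    key = ToyKey()
    challenge = secrets.token_hex(16)
    direct = key.sign(challenge, RP_ORIGIN)
    relayed = key.sign(challenge, LOOKALIKE)   # user was on the look-alike page
    return {
        "otp_direct": otp_login(code, code),
        "otp_relayed": otp_login(code, code),  # same code, forwarded unchanged
        "key_direct": key_login(key.secret, challenge, *direct),
        "key_relayed": key_login(key.secret, challenge, *relayed),
    }

if __name__ == "__main__":
    print(compare_factors())
```

A real deployment would use a WebAuthn library and public-key credentials; the point here is only the origin and challenge checks the server performs.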
Satya Gupta, CTO of Virsec, comments on the grand jury report findings: “Raising awareness about potential threats and impersonation of officials managing elections is important, but it’s a bit unsettling to have a grand jury recommending specific security technology and even vendors. Two-factor authentication should be the norm for any important business transaction, and is used and offered by most online services. Intercepting SMS codes with a MITM attack is actually quite difficult and hardware authentication devices, while more secure, are less practical to distribute widely and securely. Stepping back, the real threat probably seems to be county agencies using social media platforms to communicate official business. Stronger authentication may help, but will not stop the torrent of false social media information we should expect during this election cycle.”
The future of election security
When it comes to election security, it’s quite likely that the “bad guys” are already at work, devising an entirely new form of federal election meddling for the 2020 presidential election. 2016, for example, gave us “fake news” and “Russian bots.” So what should we expect in 2020?
Pierluigi Stella, CTO of Network Box USA, comments on what the new reports tell us about election security: “Attacks against our most important democratic institution – our free elections – are the most radical way to attack us at the core of our society. If our enemies can cause the public to lose faith in the election process, they’ve caused us to lose faith in the very thing that such elections represent – our democracy. The grand jury said it most accurately. Even if the elections are actually secure, if the public doesn’t show up because people no longer believe in the legitimacy of such an institution, then our enemies would’ve accomplished their ultimate objective – they would’ve successfully manipulated our elections to their advantage.”
Alas, it might be too late to hope for any last-minute election security bills from Capitol Hill before 2020, but it is not out of the question that the U.S. intelligence community will be keeping a close eye on the online chatter emanating from rivals and adversaries around the globe ahead of the upcoming presidential election.