WASHINGTON — Despite at least 21 states being the target of Russian hacking in the 2016 election, experts say that there is no evidence that a foreign power has interfered in the outcome of a U.S. election then or since. But election cybersecurity experts say 2020 is “the bigger prize” and not enough is being done to address the threat.
“[Russia is] going to strike when it’s in their interest to strike and unfortunately our technology is not yet there to stop them,” said University of Michigan computer science professor J. Alex Halderman. “I think 2020 is going to be the bigger prize.”
Halderman is one of the premiere election security experts in the U.S., a title that comes with a peculiar credential. In April, Halderman demonstrated the vulnerability of the U.S. election system by hacking a set of voting machines, which he then used to rig a mock election where students at the University of Michigan had to choose between their school and archrival Ohio State University.
Thanks to Halderman’s tampering, Ohio State won the vote — an occurrence that any Big 10 fan should know falls somewhere after pigs flying on a list of events ordered by probability. The experiment proved Halderman’s point, though. The U.S. election system, simply put, is severely — and in the eyes of election security experts, frighteningly — exposed to a cyberattack.
“We are still vulnerable,” said Richard Andres, a professor of national security strategy at the National War College. “The critical infrastructure is highly vulnerable and we should work hard to make it less vulnerable, but that’s going to be very tricky.”
That assertion by Andres and others is supported not only by nonpartisan groups like the Center for International and Strategic Studies and Harvard University’s Defending Digital Democracy Project, but by the U.S. intelligence community.
In the 2019 Worldwide Threat Assessment, an annual document produced by the Director of National Intelligence, U.S. intelligence agencies expressed not only that “our adversaries and strategic competitors probably already are looking to the 2020 U.S. elections as an opportunity to advance their interests,” but that U.S. adversaries are continuing to advance and refine their capability to influence U.S. elections.
Specifically, those adversaries include Russia, China and Iran. According to a CSIS survey from 2018, 81 percent of cybersecurity experts are most concerned about the threat coming from Russia, whose intelligence services are responsible for well-documented influence campaigns in both the 2016 and 2018 elections.
William Carter, deputy director for the CSIS technology policy program, says that he is very worried about the prospect of a cyberattack on the 2020 election, but it’s not vulnerable voting machines that keep him up at night.
To understand where the Russian threat is coming from, he says, “you have to understand the way that they think about attacking our elections.”
According to Carter, Russia wants to undermine confidence in American democracy and institutions. But, he adds, “they want to do so in a way that is below the threshold where we will retaliate in a meaningful way.”
As such, Carter’s concern isn’t the vote tally itself, but rather public confidence in the election results.
Andres, who is a senior fellow at the George Washington University Center for Cyber and Homeland Security in addition to his post at the National War College, worries about something similar. To him, a worst-case scenario cyberattack could see vote tallies manipulated so that they appear differently in different places in order to undermine the perceived integrity of election systems.
“All [the Russians] have to do is do it enough places … that no American was sure whether his or her vote had been accurately tallied,” he said. “The psychological ramifications of having everyone in the country worry that their vote was not accurately counted … it has the potential to paralyze the country for a fair period of time.”
While Carter and Andres have different visions of the potential threat, they share in the assertion that an attack, in some form, is highly likely. And they both say that not enough is being done to avert such an attack.
According to Andres, much of the problem stems from states such as Georgia being unwilling to accept help from the federal government. “States do not want the federal government messing with their voting machines,” he said.
However, Eric Rosenbach, director of the Harvard-affiliated Defending Digital Democracy Project, says that states are not equipped to go at it alone.
“[Russia] is a nation-state actor,” Rosenbach said in a committee hearing last month. “The states are not designed to have cybersecurity to defend against that threat.”
The Department of Homeland Security is offering a battery of free cybersecurity services to states upon request, including cybersecurity advisers, information sharing, incident response and cybersecurity assessments. The majority of states are taking advantage of these services — according to CSIS, all but nine states have installed the DHS’s Albert sensors, which monitor election systems for an intrusion. However, those nine states that haven’t installed the sensors represent weak links in the broader U.S. election system. According to Halderman, it may not matter which state is targeted by cyberattacks if that attack undermines confidence in the national outcome.
“Until we bring up the most weakly protected states to an adequate level of security,” he said, “the whole nation will be at risk.”
To do that, there is a laundry list of issues to address. The absence of any paper records in several states is one notable issue. Paul Rosenzweig, a senior fellow for national security and cybersecurity at the R Street Institute, says generating a paper trail needs to be a top priority. Beyond that, he says, more money is hugely important to improving cybersecurity in states, simply because modernizing voting machines is expensive.
According to Carter, that money likely isn’t coming.
“I just don’t see the states, or frankly the federal government in the current budget environment, ponying up the type of funding that would be necessary, he said. “The update to the [Help America Vote Act] funding was like $380 million, which is a hilariously small amount.”
More funding for states to improve their election security has been proposed in the past. In the previous Congress, Rep. Bennie Thompson, D-Miss., introduced the Election Security Act, which included grant funding for states and a mandate that they use paper ballots among other provisions, but it never received a vote.
Thompson’s bill was also incorporated into the For The People Act, H.R.1, in the 116th Congress. The omnibus bill passed the House 234-193 earlier this month, but Senate Majority Leader Mitch McConnell has said he will not bring it up in the Senate.
Thompson, who now chairs the House Committee on Homeland Security, said in a January press release that “[election security] should not be a partisan issue, but Congress has done far too little to prevent foreign election meddling after Russia interfered in the 2016 election.”
In any case, with H.R.1 at a dead end in the Senate, there is no new election security funding on the horizon.
And in 2020, with election security still underfunded unless a bipartisan agreement can be reached, Carter says that “[Russia’s] going to be coming at us with everything they’ve got.”
That isn’t to say that the U.S. is undefended. “There are a lot of very smart people spending a lot of time and money to make sure that our elections go off without a hitch and that the vote is accurately captured no matter who is trying to interfere with out elections,” Carter said. But still, he worries about whether public confidence in U.S. institutions can endure another assault by Russia.
“The biggest risk,” Rosenzweig said, “is that this helps to destroy America’s confidence in its accuracy, so that after the vote, whoever loses gets to say ‘the winner is illegitimate.’”