The difficult path to locking hackers out of America’s elections
America's political system will remain vulnerable to cyberattacks and infiltration from foreign and domestic enemies unless the government plugs major holes and commits millions of dollars in the coming years.
Despite expectations that the U.S. on Thursday will slap Russia with retaliatory measures for hacking the recent presidential race, major political, financial and logistical obstacles stand in the way of ensuring that hackers are locked out of future elections, not to mention an incoming administration that is dismissive about the government's own allegations that Russia pulled off a widespread hacking campaign that fueled Americans' wariness of the political process and possibly helped President-elect Donald Trump win the White House.
Political campaigns and organizations are just starting to take cybersecurity seriously; states are scraping together money to replace aging, hack-prone voting machines; and officials everywhere are trying to figure out how they can better protect a sprawling election apparatus that often relies on local personnel without the advanced knowledge — or appropriate resources — to digitally secure their systems.
Meanwhile, security experts suspect hackers and other digital foes are already looking at ways to gain an advantage in future elections, whether it’s the 2018 midterms or the 2020 presidential race.
“I hope we have the foresight to start fixing these problems now,” said Tony Cole, the global government chief technical officer with FireEye, a leading digital security firm. “We need to think about our adversaries. If they wanted to influence our election, did they start four years ago? They’ve got all the time in the world to actually decide what path they want to go through.”
In dozens of interviews over the last few months, people involved in protecting the political process from cyberattacks told POLITICO that the U.S. must scramble to implement even some basic defenses — or risk a repeat of 2016.
Yet that assumes lawmakers, or a skeptical Trump administration, will even try to plug the holes. Some critics fear that any momentum for change will fade quickly after Jan. 20, even though Trump himself sounded multiple warnings about a “rigged” election before his surprising November victory.
President Barack Obama may be taking the first step before he leaves office. Multiple news outlets have reported that the White House as early as Thursday will hit Russia with economic sanctions over its alleged digital assault on the U.S. election — part of the president's last-ditch effort to deter future cyber meddling in campaigns.
But political barriers to taking further action abound. Congress has shown little enthusiasm for offering financial aid to state and local election offices, for example, or for putting an agency like the Secret Service in charge of ensuring that campaigns or parties follow accepted cybersecurity practices. And states like Georgia cried foul last summer when the Department of Homeland Security offered help in making sure their election databases were secure, accusing the feds of usurping their authority.
“This is a major problem that’s going to get worse, and for the life of me, I still can’t understand why more priority is not being placed on cybersecurity,” said Rep. Ted Lieu (D-Calif.), one of four members of Congress with a computer science degree.
Even some top Republicans fear that inaction will allow suspicion of cyber-mischief to cloud every election from now on — an existential threat to U.S. democracy.
“This experiment that got started 240 years ago is always fragile,” said Rep. Will Hurd (R-Texas), a former CIA operative whose House Oversight subcommittee has held hearings on election security.
“The peaceful transfer of power becomes much less secure if people don’t have confidence in the system,” said Nebraska state Sen. John Murante, a Republican who chairs an election technology committee in the unicameral legislature.
Obama also lamented the dangers at his end-of-year news conference Dec. 16, even as he noted that many worst-case scenarios didn’t play out on Election Day — by all appearances, no hackers managed to tamper with the vote itself.
Most worrisome, Obama said, is the ugly partisan divide that has left many Americans distrustful of their government and willing to use hacked documents against their political adversaries, even if that plays into the hands of a foreign power.
“Unless that changes, we’re going to continue to be vulnerable to foreign influence, because we’ve lost track of what it is that we’re about and what we stand for,” Obama said.
A massive, flawed election process
The Obama administration is still weighing one safeguard it had started considering before the November election — whether to declare that the electoral system needs to the same “critical” cyber protections already granted to banks and the power grid.
On Capitol Hill, lawmakers are on the verge of launching multiple probes into the Russian hacking allegations, despite scoffing from Trump and some reluctance by Republican leaders to establish a special committee to head the investigation. A few lawmakers are also preparing to advocate for election security bills in the new year. And nearly half of states are either upgrading outdated voting machines, or are in talks to do so.
Still, the challenges to action are many: Political campaigns are transient operations that have historically treated cybersecurity as an afterthought. States such as Georgia are publicly chafing against any talk about increasing the federal role in protecting elections. And Washington has shown little desire to provide another cash infusion to replace aging voting equipment, as it had done after the Bush v. Gore recount of 2000.
The election process is massive, diffuse and mainly controlled by state and local governments, which makes patching it a huge challenge. It involves dozens of primaries and caucuses, hundreds of fleeting campaigns, state and national party organizations, local and statewide voter registration databases, and a satellite world of super PACs, think tanks, advocacy groups, lobbying organizations, labor unions and law firms — which haven’t traditionally thought of themselves as primary targets for digital intruders.
Hackers went after each of these components this election and found myriad ways in, much to the misfortune of former Democratic National Committee Chairwoman Debbie Wasserman Schultz, Hillary Clinton campaign chairman John Podesta and ultimately Clinton herself, when Podesta's personal emails started leaking daily. The Obama administration has accused senior Moscow officials of directing both digital assaults.
Other targets included the email accounts of a Latino political advocacy group with ties to the Clinton campaign. At the state level, the Association of State Democratic Chairs in September warned its members that local officials were being breached and impersonated by hackers.
According to security researchers and various media reports, the scope of the alleged Russian plot encompassed hundreds of officials and groups and successfully breached more than 100 email accounts, including those of a few Republicans. The Republican National Committee was also targeted, but it’s unclear whether the digital invaders got in: The New York Times reported the organization was breached, but RNC leaders claim government investigators have found no such intrusion.
Each of these infiltrations provided opportunities for hackers to trick other officials into giving up access to their private information, burrow into related organizations, dig up distracting dirt and generally sow doubt about the validity of any digital interaction during the campaign.
“The potential to corrupt the election processes is quite clear. It’s quite prescient,” said Rep. Hank Johnson (D-Ga.), who plans to stump during the next Congress for two election cybersecurity bills.
Hackers even invaded two state voter registration databases, spurring an FBI alert that sparked questions about whether a broader attack was coming.
As for Election Day itself, 15 states — including swing state Pennsylvania — still rely at least partly on electronic voting machines that leave no paper trail. That’s despite years of warnings from digital security specialists, who say the touch-screen machines are prone to being hijacked and would provide no effective way to disprove claims of digital vote tampering.
Long-time Trump adviser Roger Stone also harped on the dangers of voting-machine hacking before the election, writing that the results in Pennsylvania, Virginia and Ohio would all be suspect unless they matched the exit polls.
Nationwide, the picture is a bit different: More than 70 percent of voters cast ballots either by hand or electronically with a voter-verified paper record. Still, tens of thousands of military and overseas Americans also cast their ballots electronically, as do some voters in Alaska, opening yet another door for digital meddling.
That tampering didn’t seem to happen on Nov. 8, however. Federal and state officials — backed up by private cybersecurity researchers — have said they observed no evidence of digital vote rigging.
Neither did another worst-case scenario — that hackers would infiltrate the vote totals reported to the media or even the news outlets themselves.
Still, the relentless reports of hacks, real or imagined, eroded public confidence.
“Quite frankly, it’s not good enough to have a secure system,” said Murante, the state senator from Nebraska. “We need to have a conspicuously secure system because there’s such rampant lack of faith in the system as a whole.”
Locking down the campaigns
That could worsen as Congress wages a largely partisan battle over how to investigate the allegations of Russian hacking of the Democrats. The hearings will reair many of the details about the weaknesses the hackers exploited, including the ease with which they got people like Podesta to click on malware-laden links in emails.
“The failure of Democrats to take cybersecurity seriously, I believe, affected our elections in 2016,” Lieu said.
In fact, cyber experts say, government efforts to lock down election databases or voting machine won’t matter unless campaigns and political parties also start to secure their own data.
“I don’t think they’re used to spending on security,” said Ari Schwartz, formerly the senior director for cybersecurity at the White House under Obama. “But they’re going to have to start doing that.”
The DNC has responded to the trauma by creating a four-member cybersecurity advisory board composed of outside tech specialists. Crowdstrike, a private security firm the committee brought in after its breach, also did a complete “restructuring and rebranding” of the DNC’s management systems.
Some former officials and digital experts say the federal government should step in too, providing digital protection for campaigns and major political groups in the same way that the Secret Service physically protects major party nominees. Proponents say these political organizations are sitting on troves of sensitive information that foreign adversaries could use to nudge elections — or influence the winners once they take office.
“It strikes me that there’s a clear public interest in that, as demonstrated by this election cycle,” said Nathaniel Gleicher, the director of cybersecurity policy at the National Security Council from 2013 to 2015, who now heads cybersecurity strategy at the security firm Illumio.
But state and federal lawmakers from both parties haven’t jumped at the idea, saying campaigns must improve their own cybersecurity instead of leaning on the government for assistance.
“I think what’s frustrating for most people in all of this … these have all been things that could have been prevented by doing basic stuff,” said Hurd, who chairs the House Subcommittee on Information Technology. “Political organizations need to recognize that that are a target.”
A more concerted effort in Congress aims to enhance the federal government’s role in the protection of state election infrastructure — which includes voter registration databases, the voting apparatus and potentially anything that helps states administer elections.
Many Democrats are pushing to have the Department of Homeland Security classify the electoral system as “critical infrastructure,” on par with the energy grid and financial sector. These are the networks that, if damaged, would cripple the country’s national or economic security, DHS says.
Supporters argue this step would give election administrators and party operatives access to better data on hacking threats, as well as better tools to combat digital meddlers. Election officials would get to deal with one federal agency that serves as their digital security liaison with DHS.
But several states objected last summer that the plan would bring more federal regulations or a loss of local control, and the Obama administration has yet to announce whether it will go ahead with the reclassification.
One of the concerned states, Ohio, “does not in any way want to see the federal government come in and take over the election system,” said Joshua Eck, a spokesman for its secretary of state’s office. Georgia even accused DHS of trying to hack its state election systems without permission, possibly as retribution for its objections. (The department — backed up by outside tech specialists — strongly denied the allegations.)
Reportedly, the Obama administration may dub the electoral system "critical" as part of the new round of sanctions the White House is expected to levy on Moscow for its digital malfeasance.
If the administration fails to take such a step, some Democrats want Congress to act. Johnson said he plans to reintroduce a bill that would declare the election system to be critical and direct DHS to offer security suggestions to Congress. Lieu said an expected bill to promote Trump’s $1 trillion infrastructure proposal could also serve as a vehicle to address election security.
States: Send me the money
If Congress really wants to help, state and local officials say, it should offer money to help them buy more secure equipment. But that’s also unlikely, even though many states are facing huge budget shortfalls.
At least 24 states are somewhere in the process of buying election technology, said Wendy Underhill, a program director at the National Conference of State Legislatures. Much of that activity is to replace voting equipment they bought with federal money following Florida’s 2000 hanging chad debacle, which prompted many states to replace their old punch-card ballots and with paperless touch-screen machines — the ones now catching criticism as hacking risks.
“If everyone bought their cars at same time … they’d start breaking at the same time,” said Arizona Secretary of State Michele Reagan. “We should be talking about that before we have another hanging chad debacle and not after. That'd be wise and prudent: Republican or Democrat. That’s just common sense.”
Some states, like Virginia, have already enacted laws to phase out touchscreen voting machines by 2020. Others — such as Pennsylvania, Delaware, Nebraska and Utah — have created task forces to investigate the issue. But Nebraska also estimates that its tax revenues will fall $910 million below expected spending in the coming fiscal year, which will force state officials to get creative with funding sources for new equipment.
“If we do nothing our election equipment will fail,” said Murante, the Nebraska lawmaker. “We don’t really have a choice.”
Congress last provided big money for voting equipment in 2002, through the Help America Vote Act. But since then, the purse strings have been closed.
Absent a federal funding push, Johnson said he will reintroduce a bill to bar states from buying paper-less voting machines and would establish procedures for auditing contested election results.
“Now that the political season is over,” Johnson said, “the bill can’t be construed as a partisan measure.”
But the partisan squabbling over the Russian hacking allegations belies any hope for a kumbaya on election security. Some Republicans, such as Senate Foreign Relations Chairman Bob Corker, have downplayed the cyber assaults on the Democrats as routine espionage.
“I don't think we ought to have our hair on fire about that. I'm sorry,” the Tennessee senator said on MSNBC. “That's what people do.”
Democrats like Lieu say Republicans are playing with fire, warning the GOP could be in Russia’s crosshairs come 2018. And have no doubt, he added, foreign hackers “could absolutely swing an election” if the U.S. fails to lock its doors.
“If the GOP leadership thinks that Russia isn’t going to turn on them whenever it’s in Russia’s interests, then I do have a bridge in Brooklyn to sell you,” Lieu said.