Analysts worry about tech security threats ahead of 2020 elections
Election security has taken on a newfound importance in America's social consciousness since the 2016 presidential election and in the run-up to 2020.
The New York Times had a groundbreaking report on Saturday detailing how a judicial race in Northampton County, Pennsylvania, was almost derailed because malfunctioning machines from Election Systems & Software failed to count almost any of the Democratic candidate's votes.
The situation put a spotlight on the diverse set of problems facing election security officials across the country, who are increasingly begging for election results to be protected by using backup paper ballots.
TechRepublic spoke to security experts about what it would take to protect election systems, safeguard voting machines, and root out disinformation campaigns in the United States.
"The threats span a pretty vast, diverse space, ranging from physical threats into voting machines to jeopardizing, accessing or compromising the networks and computers at national or state level election committees," said Shimon Oren, head of cyber intelligence at the security company Deep Instinct.
"Then there are more general threats of influencing the election process and the campaigns," said Oren.
Congress agreed to invest nearly $400 million into the Help America Vote Act, which will trickle down to all 50 states. The money is designed to help address a litany of security gaps plaguing election commissions across the country.
According to a March report from the Brennan Center for Justice, the Election Assistance Commission (EAC) states will use $136 million to bolster election cybersecurity, $103 million for new voting equipment, and another $21 million so that they can perform post-election audits.
Each state gets its cut of the funding based on the voting population, so states like Alaska, Delaware, Montana, Vermont, Rhode Island and Wyoming are slated for about $3 million, while large states like California will get almost $35 million.
The sums pale in comparison to what security experts say is needed considering the magnitude of what occurred in 2016.
A study from the U.S. Senate Select Committee on Intelligence said 18, and maybe more, voter registration databases were accessed by attackers from Russia. While there is no evidence that the hackers were able to delete people from voter registration systems, the report says they had the ability to.
More than 120 election officials across 31 states told the Brennan Center that their voting equipment was outdated and needed to be replaced before the election in 2020. They added that two-thirds of respondents said they did not have the funding they needed to get this done in time, even with all of the new money appropriated by Congress.
Some 45 states are still using aging voting tools that are no longer made, making them extremely susceptible to attacks and breaches. On top of the outstanding software-related cybersecurity concerns inherent in using equipment that can't be updated or patched, election commissions reportedly can't even find replacement parts to physically maintain the machines.
While the Department of Defense has confirmed that no actual votes were changed in 2016, all 50 states reported attempts to break into their system.
"There have been multiple publications and even events at security conferences where people were able to hack these kinds of voting machines in minutes. The fact that they are still being used is a question of money. Sometimes it's just pure denial of the fact that they can be hacked," said Deep Instinct's Oren.
The Brennan Center calculated that it would cost up to $400 million to replace all of the paperless machines and that doesn't include all of the ancillary costs associated with technology upkeep.
Oren said cost concerns were the main thing stopping states from upgrading voting machines.
"A lot of the machines are using a mix between Linux and Windows, which is the majority. In both cases, there are so many vulnerabilities that exist out there, even more so because the machines are standalone, very old versions of Linux distributions," Oren added.
"Many systems are still based on Windows XP and that alone says it all. There are other operating systems being used that are no longer supported or receiving security updates. They have multiple vulnerabilities already known, with existing exploits. Attacking these is not rocket science. It's normal and can be done with off-the-shelf tools and code that exists out there."
There is a huge discussion being had over a return to paper ballots, something President Donald Trump has personally called for in interviews. Paper ballots add a measure of reassurance that can't be guaranteed by digital-only machines, which have dominated states across the country.
One of the biggest election machine manufacturers, Election Systems & Software, stopped selling paperless voting machines in 2018 and has been quietly lobbying Congress to force all voting machines to have paper alternatives that allow for hand counts and more stringent post-election audits.
Election Systems & Software CEO Tom Burt released an op-ed in June calling for paper records to be required by law.
While some in Congress welcomed the commitment, Senator Ron Wyden from Oregon bashed the company in a statement to CNN, asserting that "after years of selling voting equipment that it knew was insecure, and fighting tooth and nail against real election security, ES&S is finally admitting that paper ballots are the most secure system currently available."
Disinformation on social media
Since the 2016 US presidential election, more information has been released about the breadth of actions taken by Russia's state-run Internet Research Agency.
According to Special Counsel Robert Mueller's report on Russian interference in the 2016 presidential election, the Russian agency spent five years using Facebook, Instagram, Twitter and other sites to push real, but contentious, issues and stir fierce debate across US social media platforms.
The reports, compiled by the Central Intelligence Agency, Federal Bureau of Investigation and National Security Agency, said that despite failing to get into any election systems or voting machines, the agency managed to disseminate propaganda or fake news to over 126 million people on Facebook, 20 million users on Instagram, 1.4 million users on Twitter, and uploaded over 1,000 videos to YouTube.
Ameesh Divatia, CEO and co-founder of the security company Baffle, said the key problem with the way social media companies acted in 2016 concerned user-data policies. Data, he said, was collected without our permission and used for purposes users weren't aware of.
"We had no idea that when you let this app access your data, the data was going to be used for a completely different purpose. I think the real solution to this is exactly what the Europeans have implemented - the GDPR - which basically says that when you store data, you have to tell the customer why you're storing the data," Divatia said.
"So you have to find a purpose for it but it is also something that should be reversible. The U.S. is playing catchup to that."
The Russian agency spent just $25 million a year on its disinformation project, which involved posts, advertisements and the creation of groups. The agency was so successful it even managed to organize rallies remotely for members of both parties.
The report adds that the Russian disinformation efforts were boosted by the hack of the DNC, which gave the Russian military troves of damaging or embarrassing emails that they slowly leaked to the public and media throughout the summer of 2016.
"We assess Moscow will apply lessons learned from its Putin-ordered campaign aimed at the US presidential election to future influence efforts worldwide, including against US allies and their election processes," the Director of National Intelligence report said.
Disinformation campaigns work because they're cheap and more effective than any other method of election disruption, according to Andrew Peterson, CEO and founder of the security company Signal Sciences.
"It's been proven that it had an impact. Why would they need to hack the actual election material especially when each state and each precinct are all running their own technology or their own way of doing voting? So it's quite complicated to figure out who is running which technology and it will take a ton of research or a fair amount of hacker power to do that," Peterson said.
"Facebook and other social media platforms give you tools to actually target very specific locations so they can be really efficient with their time and resources to get the outcome that they want."
Peterson said it was confusing that social media companies allowed these disinformation campaigns to run amok and have done little to address the issue since 2016. Only Twitter has banned political ads entirely, but the line defining what constitutes a political ad is murky and leaves room for attackers to replicate much of what was done during the 2016 election.
"As a policy maker, I would be asking for more transparency from those organizations into not only helping to understand what they're doing to proactively try to stop disinformation leading into the election, but one of the other things that would be beneficial for the public is to ask social media companies if they have the visibility into which specific areas are being more targeted with these kinds of disinformation campaigns," Peterson said.
"They're the only ones that have that information. They hold the keys to their own platform. How valuable would that be if they could tell specific precincts in these specific parts of these counties in these states that they are being targeted today. Precincts can then actively try to defend themselves against that. With that information, at least give some warning to places that are obviously being targeted that can then go out and inform their own communities. They can say 'We should be on extra alert because we have some evidence that our area is being targeted.'"
Popularization of cybersecurity and future solutions
Multiple security experts said that the fiasco in 2016 had the unintended consequence of popularizing the conversation around election security. Just the discussion of security problems has made more people aware and vigilant about protecting themselves against a variety of threats.
This popularization has trickled down to campaigns and local election commissions, whose officials now know they must have some sort of election security system in place. Security teams are now better able to manage threats because more people are aware of phishing campaigns and other tactics attackers may use to infiltrate systems.
Peterson said it was vital that the average American digs in to understand why cybersecurity is important in the context of campaigns. With automation, attackers can widen their attack base and go after states that may not think they're susceptible to either disinformation or actual attempts to break into election systems.
While the increase in funding and awareness was a positive step in the right direction, it can't solve every problem.
What exacerbated the problem in 2016 was the relative inexperience and general lack of interest in cybersecurity from both campaigns and election commissions. Peterson said election commissions can't view the adoption of new technology as a one-time purchase. Any new software needs to be updated constantly because hackers' tactics are constantly evolving.
"The way in which we build systems or projects that are technology projects related to the government is not how modern software works. In a government system where you pay an outside entity to build software and then they leave once the project is over. That's not being responsible for updating. We gotta get better at how we build, manage and deploy technology in our government systems to really be able to be good at security," Peterson said.
"We can't treat these things as one-off projects that exist for the next six months and then after that it's done. Once you've made the asset, it's your job to secure that. It's not just a point in time to check a box. It needs to be constantly monitored and defended."
The low-cost nature of what the Russian agency did makes it almost certain that more attempts will be made by a variety of countries to disrupt the conversation around the 2020 elections. The DNC hack prompted every campaign to think about security and have a heightened awareness of what kinds of attacks are present.
According to both Oren and Peterson, every state should be assigned a designated, bipartisan cybersecurity official to manage the security of campaigns and local election systems.
There needs to be more use of automation in defense systems and a greater mobilization of the country's cybersecurity talent, which is eager to help but has been turned off by political infighting within the Election Assistance Commission.
"It is very hard for organizations in things like healthcare or elections when the majority of what's being attacked are software-based systems. If those organizations aren't good at building software, they're not in a good position to stop that problem. It's very presumptuous to think that just giving people money to handle their security will make it all better," Peterson added.
"Some of the banks we work with have thousands of people that they employ to work solely on security and yet they are still getting hacked. It's really naive to think that we can throw some dollars at election security and think that overnight we're going to be able to make those systems much more secure than they have been."