Tuesday is the US’s first nationwide election since 2016, the first time a presidential election was significantly affected by a foreign hacking operation. Naturally, we’re watching closely to see if that will be the case again in 2018.
Two things are already abundantly clear: We’ll likely see claims of cyberattacks, and it won’t be a repeat of 2016.
There are several reasons to assume people will say they’ve been hacked. Minor attacks, or things that can seem like them — probes, scans, use of simple programs to try to break into a server or knock a site offline — are daily occurrences on the internet. The finance industry, online retailers, and online gaming are inundated with such attacks daily. The US — unlike a lot of the world — was lucky enough to not see such activity around its election systems in years past, but it does now.
“It really started in 2016 in the US, but really has ramped up in the special elections and I think tomorrow will no doubt be similar,” said Matthew Prince, the CEO of Cloudflare, a company that provides cybersecurity services around the world, including free ones to election administrators.
The challenge will be looking at claims of hacks, and determining not only if they're legitimate, but also if they had any consequence. If an anonymous hacker tries an entry-level hacking technique against Cook County, Illinois, and is unsuccessful, that's not news.
The Department of Homeland Security, which has sprinted for the past two years to try to convince as many state and local governments as it can to join its threat-sharing program, has seen a drastic increase in reported attempts. It attributes this to the fact that many more people are now engaged in election cybersecurity.
But unlike 2016, when Russian military intelligence tried to hack county election workers and state voter registration databases — and was successful in getting into Illinois’ — DHS has insisted there’s no similar, drawn-out hacking campaign from any nation-state.
It’s safe to say we also won’t see a repeat of Russia’s noisiest attack from 2016, in which it hacked the Democratic National Committee and the Democratic Congressional Committee and gave emails to WikiLeaks to distribute, which dominated the news cycle for weeks. But at least seven candidates — six of them Democrats — have reported that someone has tried to hack them this year. According to Microsoft, Russia was behind at least two of those attempts. But even if a candidate has been hacked, it’s likely too late for anyone to release incriminating documents in time to affect their candidacy.
That’s not to say Russia or someone else couldn’t cause chaos tomorrow. There are a number of low-risk, high-yield targets that would cause chaos on Election Day, like knocking websites that detail polling places offline.
The most publicly unaddressed risk, and the one that DHS has spent the most time warning the public about, is a concentrated disinformation campaign to get Americans to distrust the election.
Facebook and Twitter each say they’re deleting election disinformation campaigns, like ones devoted to telling Americans the wrong place or date to vote.
But Russia’s information operations are the one area where we know they’re consistently active. The Internet Research Agency, the “troll factory” owned by a close friend of Russian president Vladimir Putin and which for several years has flooded Russia and neighboring countries’ social media sites with noise and propaganda, went into overdrive to inflame tensions ahead of the 2016 election.
In contrast to the way it treats attacks on election infrastructure, the US government is far more opaque about how it combats foreign information operations. The FBI takes the lead on those, but save in the occasional instance in which the Department of Justice charges someone with violating US laws in the process of disseminating propaganda, we’re rarely made aware of them. And the White House has no mechanism to communicate those threats to the public.
Since then, the IRA has taken some basic steps to hide its tracks, like having employees use VPNs to keep it from being as obvious to US companies that those users with American flag avatars aren’t authentic, or to no longer pay for political ads in rubles. But the operation is still active, with companies like Facebook and Twitter purging scores of accounts every few months. And as revealed in an indictment by special counsel Robert Mueller earlier this year, Russian military intelligence has its own wing that specializes in online disinformation, which has conducted US operations.
And it’s information warfare that DHS says is its main worry for tomorrow. As Secretary Kirstjen Nielsen said at an event in New York on Friday, “My biggest concern is a foreign entity will take the opportunity after the election, the night of the election, to attempt to sow discord through social media by suggesting that something did not work as it should.”
That could take the form of false stories of voter intimidation or fraud or hacking going viral on social media, or a fake county or state website telling people to show up at the wrong polling place.
Voting experts are resolute that false claims of voter fraud are far more likely, and more damaging, than fraud itself, which is rare. Trump himself ominously warned of voter fraud on Monday. But it’s worth noting that he set up a commission after he was elected specifically to find widespread fraud — and it was unable to find it.
It’s true that computer scientists have proved, over and over again, that given a few minutes alone in a voting booth with the right piece of outdated equipment, they can alter a voting machine to do their bidding. But that’s unlikely to be a source of large-scale voter fraud.
There’s currently an organized bot effort to discourage people from voting. Among their “arguments” is that voting machines are all “rigged”. Hogwash. I’m one of the computer scientists who discovered these voting system problems. And I vote, because it matters. So should you.
Not only does that risk significant criminal charges for someone caught doing it, and presume someone would invest the resources of registering a hacker to vote in a particular precinct that might become vital, it’s also far less cost-effective than convincing people you changed the vote.
On Sunday, Georgia Secretary of State Brian Kemp, who’s running as Republican candidate for governor, claimed, without providing any evidence, that the state Democratic Party tried to hack the state’s voter registration database. He has a history of false hacking claims: In 2016, he said the Obama administration tried to hack his site, only to be rebuked by a subsequent Inspector General report. His office has claimed that federal authorities are looking into it, but that’s impossible to confirm, as DHS and the FBI, who are tasked with responding, are prohibited from discussing if someone is even under investigation.
We’re going to investigate any credible claim of hacking tomorrow, and it’s going to be in the proper context: that attempts at such are common, that attempts don’t necessarily mean a hacker did anything, and that a false claim of a hack can do more damage than someone breaking into a computer.