The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Voters' distrust of election security is just as powerful as an actual hack, officials worry

with Bastien Inzaurralde


As millions of people across the country vote in eight different primaries today, state officials are working hard to secure the elections from hackers. But officials say there’s a more pressing, albeit abstract, challenge: Keeping voters confident that their vote is safe.

The U.S. intelligence community has concluded that a major goal of Russia’s campaign to interfere in the 2016 presidential election through cyberattacks on 21 states and national political organizations was to undermine public faith in the U.S. democratic process. By that count, election officials say, they're already succeeding in this cycle  without breaching a single system. 

Just the fear of digital sabotage — and the perception that voting machines are hackable — is enough to scare voters into a lack of confidence in the democratic process, election officials lament.

“What terrorists do is instill fear into the general population — if they’ve done that they’ve accomplished their goals,” said Alex Padilla, secretary of state of California, which holds its primary Tuesday. That's why election interference, Padilla says, is "in and of itself is an attack on our democracy. Any enemy, foreign or domestic, that’s trying to sow doubts, that’s a form of voter suppression." 

He adds: "The best way to overcome that is to get as many people out to vote as possible.” 

Officials say the way to do that is to communicate the best and most accurate information to voters. But that can be a challenge.  

They must be clear-eyed and transparent about the threat and the need to upgrade vulnerable election systems. After all, U.S. intelligence chiefs have warned Russia is still trying to sow divisions among voters with a social media disinformation campaign and even potentially trying to infiltrate election systems to steal voter information or change data. There's no evidence of any successful state breach so far, though Tennessee has already weathered a cyberattack that caused a county election results website to go dark for an hour during a May primary and it's not clear who was behind it.  

But they also need to spread reassurances. 

“I’ve gotten calls from voters who you could tell had just been watching the news and were calling with concerns like, ‘How do I know my vote is even going to count?’ ” said Matt Dietrich, public information officer for the Illinois State Board of Elections. “When the state board of elections has to reassure people that elections aren’t rigged, that shows there was some success in sowing the seeds of doubt, if that was the goal.” (Illinois does not have a primary today but is working hard to secure its elections before the midterms.) 

Cybersecurity is an incredibly complex topic -- and the nuances are sometimes hard to get across in the headlines or in politicial punditry. So officials say they are working hard to correct several common misconceptions about election security. 

Misconception 1: It's very easy for foreign governments to hack electronic voting machines. 

Direct-recording electronic voting machines, or DREs, are frighteningly easy to hack -- provided you know what you’re doing and you can get your hands on one. When researchers at DefCon, a popular hacker convention in Las Vegas, were presented with an array of them at last summer’s meeting, they had no trouble breaking into them. Experts warned that, in light of the Russia threat, these hacks showcased a serious national security threat. 

But in an actual election, those machines are not on display, ready to be hacked by trained professionals in Las Vegas. They are protected by layers of physical security — including locks, tamper-proof seals, video surveillance and activity logs — that would make it extremely difficult for anyone to tamper with them. So while experts agree the 13 states that use them should get rid of them in favor of paper ballots, they say it's important to stay sober about the threat of actual tampering. 

“There’s always a risk, but in order to hack those machines there almost always has to be some element of physical access that's needed at some point, and isn’t as easy as it might sound,” said David Becker, director of the Center for Election Innovation and Research, a nonprofit focused on improving election administration. 

Misconception 2: When hackers target election systems, it means they’re trying to change people's votes.

The Department of Homeland Security revealed last fall that hackers targeted state election systems, breached a voter database in Illinois and stole login credentials from a county election official in Arizona during its 2016 interference campaign.  Election officials and experts I’ve spoken with say they’ve heard from many voters who took that to mean that individual votes had been changed. But there’s no evidence of that. In reality, the hackers were likely probing for vulnerabilities that they could exploit down the road, as officials and congressional investigators have concluded.

Tammy Patrick, senior adviser at the bipartisan advocacy group Democracy Fund, said voters need to understand that the election systems the hackers targeted are physically separated from the actual equipment that’s used to record and tally votes.

“By filling in an oval or using a touch screen DRE or dropping a ballot in a mailbox, the voter is casting the vote and that vote being counted is one system,” she said. Everything else — from voter rolls to campaign finance reports to candidate filing information — is stored elsewhere. “Often people conflate the two,” Patrick said. “There’s been a bit of a learning curve, now that there are nation-state adversaries that we’re talking about here.”

Dietrich, of the Illinois State Board of Elections, said he has had to address that same confusion with voters. “When you cast your vote on Election Day, it’s safe and it’s going to be counted,” he said. “It’s not an issue of outside agitators trying to steal and change votes and throw elections. It’s a matter of them trying to get into voter registration systems and wreak some havoc.”

Misconception 3: States are going it alone when it comes to securing elections. 

It's true that state election officials have long bristled at federal intervention in the way they administer elections. And there were big headlines when some states rebuffed the Department of Homeland security's offers to help secure voter registration databases ahead of the 2016 election. When the Obama administration decided to designate election systems part of the country's “critical infrastructure” last year, many balked at the move and argued it was federal overreach.  

But tensions have thawed in recent months, and some election officials are trying to get the word out that they are being collaborative. 

“The partnership between secretaries of state and the federal government is getting better,” Minnesota Secretary of State Steve Simon told me. “The Department of Homeland Security has worked with my office on various testing exercises, both in person and from remote locations, which have helped us to identify improvements to our cybersecurity. DHS has also urged me and my counterparts to obtain security clearances, which I’ve now done, to enable us to receive classified briefings and threat assessments. Additionally, DHS has set up an ongoing panel, of which I’m a member, that allows states to communicate with all levels of government regarding election security.”

DHS officials have conducted vulnerability assessments in states across the country, and are working with state and local governments to share information about cyberthreats through channels that didn't exist in 2016. And in a congressional hearing earlier this year, Homeland Security Secretary Kirstjen Nielsen said her agency's communication with state officials has improved vastly in the past two years.

“Today I can say with confidence that we know whom to contact in every state to share threat information,” Nielsen said. “That did not exist in 2016.”


PINGED: A big storm is brewing for Facebook, which faced calls for investigations following revelations from the New York Times about its deals with at least 60 makers of cellphones and other devices. "Facebook’s arrangements with, Apple, BlackBerry and Samsung allowing their devices to access data from the social network’s users could further expose Facebook to steep fines and other penalties, experts said," The Washington Post's Tony Romm reports.

Facebook could find itself under renewed scrutiny from the Federal Trade Commission, which is investigating the company over other privacy issues, Romm writes. “I think the more unauthorized sharing that comes out, the more the FTC is going to be inclined to impose a significant civil penalty on Facebook,” David Vladeck, a former top FTC official, told Romm. "In New York, meanwhile, state Attorney General Barbara Underwood also pledged to investigate the matter, adding to the state’s existing probe of Facebook’s relationship with Cambridge Analytica," Romm writes.

On the congressional side, Rep. David N. Cicilline (D-R.I.) tweeted that it “sure looks like [Facebook chief executive Mark] Zuckerberg lied to Congress about whether users have 'complete control' over who sees our data on Facebook.” He said the matter ought to be investigated. Facebook replied:

Rep. Frank Pallone Jr. (D-N.J.), the ranking Democrat on the House Energy Committee, called the revelations “deeply concerning” and said the FTC should review whether Facebook violated the settlement that it reached with the commission in 2011. “Facebook and other data collectors, including these device manufacturers, should be prepared to come before Congress so that we can get a better grasp of the entire data collection ecosystem, and how people’s personal information is being shared and used,” Pallone said in a statement.

Additionally, Sen. John Thune (R-S.D.), the chairman of the Senate Commerce Committee, said the panel will send questions to Facebook about the matter, Reuters's David Shepardson reported.

From Sen. Catherine Cortez Masto (D-Nev.):

PATCHED: Google's decision to let a contract with the Pentagon expire next year after thousands of employees voiced concerns about the project could threaten the company's ability to compete for two other deals, Bloomberg News's Mark Bergen reports. “There’s JEDI, or Joint Enterprise Defense Infrastructure, cloud storage contract totaling as much as $10 billion,” Bergen writes. “And DEOS, or Defense Enterprise Office Solutions, a 10-year deal for email and web document tools worth $8 billion.”

Even before Google employees protested the company's involvement in the Project Maven program, the firm's odds of winning the other two contracts were slim “because it has less experience than rivals like Microsoft Corp., IBM and Oracle Corp. with legacy enterprise systems that large government agencies prefer,” Bergen writes. A spokeswoman for Google declined to comment or confirm whether the tech giant is competing for the JEDI and DEOS contracts, Bergen reports.

PWNED: A hacker who defaced the website of ticketing company Ticketfly and stole customers' information last week has apparently exposed more than 26 million email addresses, Motherboard's Lorenzo Franceschi-Bicchierai reports. The journalist transmitted the hacked files that were posted online to Troy Hunt, who created the “Have I Been Pwned” service that allows users to check whether their email address was part of a data breach. “Hunt analyzed the databases and found 26,151,608 unique email addresses,” Franceschi-Bicchierai writes. “The databases did not include passwords nor credit card details. But for most users, they did include their home and billing address and phone numbers.”

Ticketfly's website remained offline as off Tuesday morning but the company provided updates about its response to the breach and said on its homepage that users can log in to their accounts. “As many of you are aware, has been the target of a cyber incident,” the company said. “In consultation with leading third-party forensic and cybersecurity experts, we are in the process of bringing the Ticketfly ticketing system back online with the security of our clients and fans top of mind.”

— More cybersecurity news from The Post and around the Web:

Did Facebook allow Chinese firms ZTE and Huawei to access user data? A lawmaker wants to know. (Tony Romm)

California Enlists Data Scientists in Election Monitoring Bid (Bloomberg News)

U.S. ex-defense intelligence officer held over alleged spying for China (Reuters)

Cambridge University perch gave FBI source access to top intelligence figures — and a cover as he reached out to Trump associates (Tom Hamburger, Robert Costa and Ellen Nakashima)


— Cyberthreats against the U.S. energy sector are “growing by the day” and “the consequences of a grid failure would be devastating,” Energy Secretary Rick Perry warned in a speech Monday. “Attacks have become easier to launch,” Perry said at the Energy Department's Cyber Conference in Austin. “Their frequency, their scale, their sophistication, it's increasing. From hostile regimes to terrorist groups to cybercriminals, we face a host of bad actors eager to exploit our vulnerabilities and disrupt or even destroy our energy assets.” Perry also said his most important mission as secretary is “protecting our nation against those dangers.”

— Bill Clinton has a suggestion on election security: “Until we get this straightened out, every state should go to some sort of paper ballot system,” the former president told the BBC's Rebecca Jones. Clinton, who published a novel titled “The President is Missing” with author James Patterson, also told Jones that he is concerned about cyberterrorism. "I've been worried about this for a long time," Clinton said. "It's something we're not doing enough to address."

— More cybersecurity news about the public sector:

Trump’s lack of cyber leader may make U.S. vulnerable (Politico)

Ohio cities face increasing ransomware, cyber attacks (Dayton Daily News)

California’s net neutrality bill could set a national standard (The Verge)


— John McAfee, the founder of the anti-virus company that's named after him, announced on Sunday that he intends to run for president in 2020. "If asked again by the Libertarian party, I will run with them," McAfee tweeted. "If not, I will create my own party. I believe this will best serve the crypto community by providing the ultimate campaign platform for us." He also added in tweet yesterday that he doesn't stand a chance of winning.

— More cybersecurity news from the private sector:

Apple Is Testing a Feature That Could Kill Police iPhone Unlockers (Motherboard)

Cybersecurity in Africa: Securing businesses with a local approach with global standards (Brookings Institution)


— "Ukraine’s state security service (SBU) prevented a cyber attack on the embassy of a NATO country in Kiev, it said in a statement on Tuesday, without specifying which one," Reuters reports. "The hackers had used information gleaned from Ukraine’s health ministry to try to launch the attack, the statement said."

— More cybersecurity news from around the world:

North Korean hacking group Covellite abandons US targets (ZDNet)


— Here's where security meets art: “The NSA has long used security posters to warn workers to keep their mouths shut,” the Verge's Angela Chen writes. “The latest declassified batch, from the 1950s and ‘60s, comes to us courtesy of Government Attic, a website that requests and posts historical documents that it obtains using the Freedom of Information Act.”

And it's fair to say that the posters did not go unnoticed on Twitter:



Coming soon: 

  • House Homeland Security Committee markup of H.R. 5733 on threats to industrial control systems and H.Res. 898 on cybersecurity threats from Chinese tech firm ZTE tomorrow.
  • House Science Subcommittee hearing on "the electric grid of the future" on June 7.

Dozens are dead after volcano erupts in Guatemala:

Guatemala's Volcan de Fuego, or “Volcano of Fire,” erupted for the second time this year, killing dozens of people on June 3. (Video: Amber Ferguson/The Washington Post)

Here’s what’s coming to your iPhone with iOS 12:

The Post's Geoffrey A. Fowler discusses Apple's latest operating system revealed at WWDC 2018, and how it's trying to get you less addicted to your iPhone. (Video: Jhaan Elker, Geoffrey Fowler/The Washington Post)

Caps fans celebrate as team moves one step closer to Stanley Cup:

Crowds gathered outside the Capital One Arena as the Capitals triumphed yet again over the Golden Knights, 6-2. (Video: Ashleigh Joplin, Sarah Parnass/The Washington Post)