with Bastien Inzaurralde
THE KEY
It’s go time.
Today’s midterm elections will be the first major test of the election security precautions that governments and companies have adopted following revelations of a wide-ranging Russian operation to influence the 2016 presidential election in favor of Donald Trump. As voters head to the polls, we’ll be closely monitoring for any signs of cybersecurity issues, from reports of potential voting machine vulnerabilities to disinformation on social media.
In tight races, even a minor cyberattack could have a major impact on the outcome of the election — or the perception of whether a race was fairly decided. On Monday, we covered how Georgia Republican Brian Kemp’s hacking allegations put a fine point on the challenge of preserving voter confidence during the midterms.
Going into the big day, the federal government is voicing confidence in the integrity of the midterms: Department of Homeland Security Secretary Kirstjen Nielsen said at a recent event that today’s election will be “the most secure election we’ve ever had.” As of Friday, she said there was no activity targeting election infrastructure that could be attributed to a foreign entity, but she acknowledged “that can change in an hour.”
Last night, the federal government put out a statement reiterating its confidence. "Our agencies have been making preparations for nearly two years in advance of these elections and are closely engaged with officials on the ground to help them ensure the voting process is secure," said a statement from Justice Department, DHS, FBI and Office of the Director of National Intelligence.
Here are a few things we'll be watching today.
Could disinformation impact whether voters actually make it to the polls?
Much of the federal government’s focus has zeroed in on helping local election officials harden their voting system infrastructure. But rampant disinformation — especially on social media — may be an even tougher problem for security officials to address.
As my colleague Tony Romm highlighted in a report last week, disinformation is not just about influencing a potential voter's opinions. It can also be used to deter users from voting at all. In one instance, Twitter users spread a rumor that U.S. Immigration and Customs Enforcement agents would be at polling places, checking voters’ immigration statuses. Facebook and Twitter are attempting to combat the problem with aggressive steps to vet and scan such content.
And the voting hoaxes could go beyond posts on social media. As we’ve previously reported in The Cybersecurity 202, local election sites where voters get information about their polling places could be vulnerable to manipulation. If these sites are hacked, there's no impact to ballots — but there could be an impact on the race if would-be voters don't turn out.
From David E. Sanger of the New York Times: “Cybersecurity firms and some election officials reported seeing an increase in cyberattacks on websites and infrastructure surrounding the vote, but not on systems that are part of the voting process. Hackers have targeted websites across the United States — including in Georgia, Florida and California — that allow voters to look up the location of their local polling stations or to verify that they are registered to vote.
In its statement last night, the government warned voters to check the source of their election information and said they should rely on official state or local election offices. Agencies told voters “know your source — and think before you link.”
Will there be problems with aging electronic voting machines?
Even before Election Day, there were reports of glitchy voting machines in Texas.
Some voters planning to vote for Democratic Senate candidate Beto O’Rourke said their votes were changed to votes for incumbent Sen. Ted Cruz (R). The state says it’s a “user error,” and it posted notices reminding Texans to check the summary of their ballots before they submit them.
Bad technology may make people believe they were targeted by foreign hackers when they actually weren't. Either way, these errors might also fuel momentum for a shift to paper ballots so that any concerns with electronic machines can be audited. Politico reporters Christian Vasquez and Matthew Choi explained the stakes: “Experts in voting technology say the machines’ errors aren’t the result of mischief by hackers. But the same lack of a paper trail that would make it impossible to verify the voters’ intent in these races would also hamper efforts to detect a cyberattack on the election machinery.”
Will the social networks’ efforts be enough?
On Election Day 2016, social media was filled with hoaxes and false news stories, ranging from claims that rapper Lil Wayne was voting for Trump to a report that poll workers in Nevada were wearing “Defeat Trump” shirts, according to a roundup from BuzzFeed News at the time. It's continuing this cycle too: As my colleagues recently reported, several politically charged events like the migrant caravan and mail bombs have recently led to many false reports on social media.
The election will test whether they have done enough about it. Just last night, Facebook announced it took down 115 accounts in an effort to publicize its actions on the eve of the election. And the company has a "war room" where employees will be responding around the clock to election integrity issues.
Will federal agencies, local election officials and social media companies all be able to coordinate?
As Gerald Seib of the Wall Street Journal pointed out at Friday’s event with Nielsen, the dispersed nature of the U.S. election system is both an advantage and a disadvantage. “That’s a good thing, in the sense that you can’t break into one — you can’t walk through one door and be in the whole house if you want to break into the system,” he said. “On the other hand, it makes it very hard to figure out if something small has happened over here that it might be happening over there, but the person over here and the person over there don’t necessarily have a way to communicate.”
As Nielsen points out, the federal government is working to improve its coordination in several ways since the 2016 election. It has established two councils: one that brings governments together and one that brings the private sector together, which enables them to coordinate with one another and understand which entity has responsibility to address an issue. They’ve created an information sharing and analysis center, which she says includes all 50 states and more than 1,300 counties. This allows federal agencies to share potential threat information with local election officials and vice versa, in a way that is very similar to financial institutions’ threat-sharing consortium.
What will be the impact of any cybersecurity problems after the election itself?
Nielsen warned on Friday that foreign actors could still try to influence voters' perception of election integrity even after the polls close. “My biggest concern is that a foreign entity will take the opportunity after the election or the night of the election to attempt to sow discord on social media by suggesting that something did not work as it should,” Nielsen said. “We have to not jump to conclusions as Americans. We just need to pause election night and not jump to conclusions.”
We'll also be watching to see how politicians handle cybersecurity issues and any reports of potential hacking. As the controversy over Kemp's hacking allegations in Georgia underscored over the weekend, cybersecurity issues can be swiftly politicized. With hacking in the news so much lately, there is a risk that politicians unhappy with election results could point to any reports of cybersecurity interference before conceding.
As University of North Carolina professor Zeynep Tufekci penned in a New York Times op-ed: “Because the legitimacy of an election depends on the electorate accepting that it was fair, that everyone who tried to vote got to vote and that every vote counted. Lose that, and your voting system might as well have suffered a devastating technological attack. Unfortunately, in much of the United States, we are no longer able to assure people that none of those things has happened.”
See anything resembling disinformation about voting on social media, problems with electronic voting machines or other cybersecurity issues today? Shoot me an email or DM.
| You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news. | |
| Not a regular subscriber? | |
|
PINGED, PATCHED, PWNED
PINGED: First, the office of Georgia Secretary of State Brian Kemp accused the state's Democratic Party of a failed hacking attempt. Then state officials insisted the voter information system in question was secure. But ProPublica reports that they quickly patched vulnerabilities that they had not acknowledged in the first place. “A representative for Kemp, the state’s Republican candidate for governor, denied vulnerabilities existed in the state’s voter-lookup site and said the problems alleged could not be reproduced,” Jack Gillum, Jessica Huseman, Mike Tigas and Jeff Kao of ProPublica and Stephen Fowler of Georgia Public Broadcasting reported. “But in the evening hours of Sunday, as the political storm raged, ProPublica found state officials quietly rewriting the website’s computer code.”
The reporters on Sunday reviewed Georgia's voter system using information originally assembled by a person who had tipped off Democrats about the vulnerabilities, and they noticed “software fixes made that evening,” according to ProPublica. “ProPublica’s review of the state’s voter system followed a detailed recipe created by the tipster, who was described as having IT experience and alerted Democrats to the possible security problems,” ProPublica reported. “Using the name of a valid Georgia voter who gave ProPublica permission to access his voter file, reporters attempted to trace the security lapses that were identified.”
PATCHED: Russia remains a top concern on Election Day, even as election security has improved in the last two years. “Officials are worried that Russia or others could deploy new, unpredictable tactics on election day, and are unnerved by how quiet Russian hackers have been compared with 2016, when they allegedly hacked and leaked emails of top Democrats and targeted voting systems,” the Wall Street Journal's Dustin Volz reported. Christopher Krebs, undersecretary for DHS's National Protection and Programs Directorate — the agency's cybersecurity wing — told the Journal that Russia tends to renew its tactics. “If we have learned anything about how the Russians operate in this space, it is that when they come back they are better and they are different,” Krebs said, as quoted by Volz.
Moreover, the Russians may have been quiet in this election season so far, but they are still active online. “There is no evidence that election infrastructure, including voter registration systems or voting machines, has been targeted by Russia leading into the midterms, but Moscow is still attempting to spread disinformation on Facebook, Twitter and YouTube, according to senior officials,” Volz wrote. “A recent Morning Consult/Politico poll found that nearly half of Americans think Russia is trying to interfere in Tuesday’s vote.”
PWNED: Experts say disinformation efforts on social media around the midterms increasingly originate from the United States but often employ tactics similar to Russia's 2016 online influence operations, Politico's Nancy Scola reported. “Researchers already see Americans amplifying divisive social media hashtags aimed at the midterms — such as ‘#nomenmidterms,’ urging liberal men to stay home from the polls so that women will decide the outcome,” Scola wrote. “But a bigger worry is that more targeted disruption or suppression efforts will appear on Election Day, such as posts that mislead about polling place closing times or discourage people from voting via fake pictures of people being bused into the wrong district. The perpetrators, say experts, range from bored pranksters to partisans executing dirty tricks.”
What is more, social media companies may find themselves in a complicated situation of policing content that is produced by American users, according to Politico. “While U.S. law and norms restrict foreign activity during elections, removing domestic content exposes the companies to charges that they’re censoring American speech — something they’re eager to avoid in the already tense political atmosphere around the tech industry in Washington,” Scola reported. “Republicans frequently accuse the internet giants of discriminating against conservative views.”
PUBLIC KEY
— “The Supreme Court said Monday that it will not hear a closely watched case over the future of the Internet — rejecting a petition by telecom industry groups to consider net neutrality, the principle that Internet providers should treat all online content equally,” The Washington Post's Brian Fung reported. “Three of the justices — Clarence Thomas, Samuel Alito and Neil M. Gorsuch — would have voted to take up the case, according to the court’s announcement, and wipe off the books a lower court’s decision backing the Federal Communications Commission’s net neutrality rules, which were originally passed in 2015. But there were not enough justices for a majority, after Chief Justice John G. Roberts Jr. and Justice Brett M. Kavanaugh recused themselves.”
— “Sens. Mark Warner, D-Va. and Amy Klobuchar, D.-Minn., wrote an open letter to Facebook CEO Mark Zuckerberg asking him to fix the site's ad transparency tool,” Nextgov's Caitlin Fairchild reported. “Facebook introduced advertising rules in May to help crack down on political misinformation campaigns that require anyone buying a political ad to verify their identity and location before the ad could be posted.” However, as Fairchild reported, “the new tool that verifies ad-buyers' identities is easily abused and still allows ads from buyers with falsified identities to slip through.”
— More cybersecurity news from the public sector:
PRIVATE KEY
— “An election security expert who has done risk-assessments in several states since 2016 recently found a reference manual that appears to have been created by one voting machine vendor for county election officials and that lists critical usernames and passwords for the vendor's tabulation system,” Kim Zetter reported in Motherboard. “The passwords, including a system administrator and root password, are trivial and easy to crack, including one composed from the vendor’s name. And although the document indicates that customers will be prompted periodically by the system to change the passwords, the document instructs customers to re-use passwords in some cases — alternating between two of them — and in other cases to simply change a number appended to the end of some passwords to change them.”
— More cybersecurity news from the private sector:
Twitter Says It Is Ready for the Midterms, but Rogue Accounts Aren’t Letting Up (The New York Times)
SECURITY FAILS
THE NEW WILD WEST
— “Iran’s telecommunications minister accused Israel on Monday of a new cyber attack on its telecommunications infrastructure, and vowed to respond with legal action,” Reuters reported. “This followed comments from another official last week that Iran had uncovered a new generation of Stuxnet, a virus which was used against the country’s nuclear program more than a decade ago.”
— More cybersecurity news from abroad:
ZERO DAYBOOK
Coming soon
- Federal IT Security Conference tomorrow in College Park, Md.
- The National Institute of Standards and Technology hosts the 2018 Cybersecurity Risk Management Conference tomorrow through Friday in Baltimore.
- Infosecurity North America conference on Nov. 14 through Nov. 15 in New York.
EASTER EGGS
Why don’t these Americans vote?
Trump’s closing remarks before the midterm elections, in 3 minutes:
Regular order is dead. That's why irregular order is Congress’s new normal: