Americans should not be confident about the security of the 2020 election, according to a slim majority of experts surveyed by The Cybersecurity 202.
The assessment from 57 percent of The Network, a panel of more than 100 cybersecurity experts who participate in our ongoing informal survey, puts a serious damper on the years-long push by federal, state and local government officials and political parties to bolster election security since a Russian hacking and influence operation upended the 2016 contest.
“There are no signs that any part of our institutions are capable of providing an election that is reasonably secure from tampering and manipulation,” said Dave Aitel, a former NSA computer scientist who is now CEO of the cybersecurity company Immunity.
“Every part of the voting process is vulnerable. This includes the voter registration process, the voting itself, the vote tabulation, and the results-reporting system,” said Bruce Schneier, fellow and lecturer at the Harvard Kennedy School of Government.
Cindy Cohn, executive director of the Electronic Frontier Foundation, called for “more serious security measures for voting, from registration through to reporting the results back to the central voting authority.”
The Network features experts from the U.S. government, private sector and the security research community. (You can see the full list of experts here.)
The negative assessment comes as intelligence officials warn that Russian operatives are already interfering in the 2020 race, as part of an effort to boost support for President Trump and Sen. Bernie Sanders (I-Vt.), now the front-runner for the Democratic nomination.
While there are positive signs – including that the Department of Homeland Security has surged its security work and campaigns are better-equipped to deal with threats – voting systems remain inconsistent across the country as Congress has failed to mandate any protections for elections, such as paper ballots and post-election audits.
“Although a lot of progress has been made, there are still significant vulnerabilities and dedicated adversaries bent on undermining our elections and democracy more generally,” said Chris Painter, who was the top State Department cybersecurity official during the Obama administration. “Their tactics will continue to evolve and we must be ready — but we won’t be until make this a true national priority.”
Many experts blamed the Trump administration – and Trump himself, who continues to cast doubt on intelligence agencies’ conclusion that Russia interfered in the 2016 contest – for not putting enough emphasis on protecting elections.
“The current administration has gone from neglect to denying the problem exists at all,” said John Pescatore, director of emerging security trends at the SANS Institute, the nation’s largest cybersecurity training organization.
“We have yet to see a full-court press on election security by the Trump administration,” said Herb Lin, a senior research scholar for cybersecurity policy at Stanford University who has written extensively about election security.
Chris Finan, a top National Security Council cybersecurity official during the Obama administration, warned that “adversaries are postured to sow discord again and the party in power has aligned incentives to let it happen.”
Others put the blame on Congress, where Senate Majority Leader Mitch McConnell (R-Ky.) has blocked Democratic efforts to mandate election cybersecurity protections even as Republicans and Democrats have united to deliver more than $800 million in election security grants to state and local governments since 2018.
“The Senate majority leader has blocked every attempt to give authority and resources to [the Homeland Security Department’s main cybersecurity agency] and is responsible for what happens in November,” said Alex Stamos, formerly chief security officer at Facebook who is now an adjunct professor at Stanford.
Some experts pointed to the caucus night debacle in Iowa when a badly coded app crashed and delayed results for days as evidence that the 2020 vote could be chaotic. There’s no evidence that app was hacked, and the Iowa caucus was run by the state Democratic Party rather than trained election officials, but it still demonstrates the people running elections are dramatically unprepared, experts said.
They also pointed to the Nevada caucus, which came off without major technical problems but only after officials there jettisoned two apps made by the same start-up that built the Iowa app and reconfigured their entire vote reporting process just a couple of weeks before the contest.
“The Iowa debacle and Nevada's last-minute changes to their processes suggest we are not ready for the 2020 primaries. If we can't fix systems before the general election, Americans should be deeply concerned,” said Betsy Cooper, director of the Tech Policy Hub at the Aspen Institute.
“After Iowa and the current conversations about the use of technology in the Nevada caucuses, I think it would be difficult to say with confidence that the elections will not be affected in some fashion,” said Mark Weatherford, a former top DHS cybersecurity official who is now a global information security strategist at Booking Holdings.
Other experts zeroed in on specific risks such as the approximately 10 percent of voters across the country who won’t have paper records of their votes in 2020, according to a tally by the Brennan Center for Justice at New York University.
“Voting and election infrastructure remain woefully vulnerable to compromise — and multiple states lack a paper backup for their ballots, [which is] an enormous risk,” said Laura Galante, a former top executive at the cybersecurity company FireEye who now runs the consultancy Galante Strategies.
Officials also haven’t done enough to ensure that adversaries aren’t inserting backdoors into the components that end up in voting machines and other election systems, said Liisa Past, chief national cyber risk officer for the Estonian government. “It is key to be able to defend the very core infrastructure of democracy,” she said.
The 43 percent of experts who said Americans should indeed be confident about the security of the 2020 election, meanwhile, mainly touted DHS’s election security work, which includes placing cybersecurity sensors on election systems throughout the nation and vetting the security of dozens of voting jurisdictions, and many states’ efforts to make elections more secure by switching to voting systems with paper records and auditing election results.
“In 2016, we were largely caught flat-footed by the Russian campaign to interfere in our elections. However, in the intervening years, we have invested in our state and local elections authorities … Americans should go to the ballot box in November confident that their votes will be counted,” Rep. Jim Langevin (D-R.I.), co-founder of the congressional cybersecurity caucus, said.
“We are considerably better off than we were four years ago. However, the threat to the electoral infrastructure and the possibility that the public will lose confidence in the process remains very real,” said Michael Daniel, former White House cybersecurity coordinator during the Obama administration and now president of the Cyber Threat Alliance.
“The good news is that most states, including the expected ‘battleground’ states, have paper ballots,” said Suzanne Spaulding, DHS’s top cybersecurity official during the Obama administration. “Americans need to understand how much progress has been made on securing the election and that there are processes in place to verify the results.”
Still, many experts who said Americans should be confident about election security in 2020 nevertheless said they worried that disinformation operations from Russia and elsewhere could dampen public confidence in the election’s result.
“Security experts, elections experts and the media…should make every effort to be specific and fact-based so as not to further contribute to disinformation campaigns,” said Megan Stifel, executive director for the Americas at the Global Cyber Alliance nonprofit group and a National Security Council cybersecurity official during the Obama administration.
“If election security is measured by the integrity of votes cast, then Americans should be confident when going to the polls in 2020. The question of whether or not these votes are influenced by external forces is a different matter altogether,” said David Weinstein, a former U.S. Cyber Command official who is now vice president of threat research at Claroty, a New York-based industrial cybersecurity firm.
“While voters should have confidence in the election process itself, there is great cause for concern related to cyber voter suppression and influence,” said Steve Grobman, chief technology officer at the anti-virus firm McAfee.
While Jay Kaplan, co-founder of cybersecurity firm Synack, said election cybersecurity is “in a significantly better position than we were four years ago,” he pointed to the Iowa caucus fiasco to warn that officials must ensure they’re vetting and testing any new technology. “I hope Iowa was enough of a wake-up call,” he said.
Big picture: Experts on both sides stressed that Americans should not be so fearful of election interference that they don’t participate in the process.
Jamie Winterton, director of strategy for Arizona State University’s Global Security Initiative, summed it up this way: “Should Americans be concerned about election security? Yes. Should this keep Americans away from the polls? No!”
More responses to The Network survey on whether Americans should be confident about the security of the 2020 election:
- NO: “We should not have been as confident as we were about the security of the 2016 election... or 2012... or 2008 or before. The security problems of 2020 aren't new, they're just magnified. We should have been paying attention long ago.” — Steve Weber, director of the Center for Long Term Cybersecurity at the University of California at Berkeley
- YES: “Domestic and international experts are paying attention. Researchers and manufacturers are watching for anomalies. Reporters are anxious to publish in depth exposes. With so many different groups engaged the risk isn't an adversary secretly changing votes but instead an attempt to erode confidence in the outcome." – Jeff Moss, founder and CEO of DEF CON Communications.
- NO: “For years, lobbyists from the voting technology industry have been able to limit researchers' ability to test and evaluate voting systems. … Extrapolating what we don't know publicly from the little we do know, the state of election security is extremely poor.” — Jake Williams, a former NSA hacker and founder and president of Rendition Infosec
- YES: “[DHS’s cybersecurity division] has made great strides since 2016 in working with state and local governments and engaging them on improving election security. But, at the end of the day, the state and local governments need to take the steps themselves to be secure and need to know when and how to ask for help from the federal government and from industry.” — Kiersten Todt, a former White House official who’s now president and managing partner of Liberty Group Ventures
- NO: “While there is much to be worried about in foreign interference, what worries me more is the weaponization of social media by domestic actors at the highest level of our own government.” — Peter Singer, a strategist at the New America think tank
- YES: “Public awareness is so high that it's hard to imagine malicious interference attempts going unnoticed.” — Maurice Turner, director of the Internet architecture project at the Center for Democracy and Technology
- NO: “[People] should have a pretty high degree of confidence in the actual integrity of [election] infrastructure…But they should have much less confidence in the ability of the government to implement the election well (see the Iowa caucus crash as an example). — Paul Rosenzweig, a former DHS official and founder of Red Branch Consulting
PINGED, PATCHED, PWNED
President Trump spoke to reporters before departing the White House on Feb. 23, claiming he had not been briefed on reports alleging Russia wants Sen. Bernie Sanders (I-Vt.) to win the Democratic presidential primary.
PINGED: Democrats slammed President Trump for retaliating against intelligence officials for briefing Congress on Russia's efforts to help him in the 2020 election. The outcry came after Trump rebuked and ousted his acting director of national intelligence Joseph Maguire in favor of a loyalist Richard Grenell, as my colleagues Shane Harris, Ellen Nakashima and Josh Dawsey reported.
“Our Intelligence officials are doing their job to protect our democracy and Trump is punishing them,” tweeted Sen. Kamala Harris (D-Calif), who dropped out of the presidential race in December.
Our Intelligence officials are doing their job to protect our democracy and Trump is punishing them.— Kamala Harris (@SenKamalaHarris) February 22, 2020
But Trump can't fire members of Congress―we must protect the integrity of our elections against Russia's ongoing interference. Our democracy is at stake. https://t.co/d6M847L7iV
Sen. Chris Murphy (D-Conn.) warned that the future of U.S. democracy is on the line:
Our democracy today is like the frog, slowly being boiled to death.— Chris Murphy (@ChrisMurphyCT) February 21, 2020
The President found out that Russia is secretly trying to help him get re-elected, and when the secret leaked, he took steps to tighten his grip on the information.
The burner just got turned up a notch.
Other lawmakers used the opportunity to push for election security reforms that have been blocked by Trump allies in the Senate. Here’s Rep Lloyd Doggett (D-Tex.):
In addition to not wanting to hear about Russia interfering in our election, Trump will purge those who reveal it to Congress. Our democracy is endangered when those providing background intel. reports are expected to always cover the President’s back. https://t.co/XyT3Nz3NVE— Lloyd Doggett (@RepLloydDoggett) February 23, 2020
Rep. Dean Phillips (D-Minn.) called for greater cybersecurity defenses.
Now that it appears Russia is actively supporting the campaigns of @realDonaldTrump and @BernieSanders, perhaps a CyberSpace Force should take precedence over the Space Force. Foreign influence in our elections and sowing division among Americans is a clear and present danger.— Rep. Dean Phillips (@RepDeanPhillips) February 21, 2020
As our colleagues report: “Intelligence officers are used to working with presidents who don’t enthusiastically embrace or always agree with their analysis. But Trump’s tendency to shoot the messenger puts the people working for him in a precarious position. Three other former senior intelligence officials said that Trump’s violent reactions could encourage his advisers to withhold unsettling information. There is talk of ‘trying to hide’ stuff, one of the former officials said.”
“[I]n this administration, good men and women don’t last long,” retired Adm. William H. McRaven wrote in a Post opinion piece.
Republicans, meanwhile, have criticized House Intelligence Chairman Adam B. Schiff (D-Calif.) whom they accuse of leaking classified information about the committee briefing:
Somebody please tell incompetent (thanks for my high poll numbers) & corrupt politician Adam “Shifty” Schiff to stop leaking Classified information or, even worse, made up information, to the Fake News Media. Someday he will be caught, & that will be a very unpleasant experience!— Donald J. Trump (@realDonaldTrump) February 23, 2020
And some Republicans latched onto a CNN report that Shelby Pierson, the intelligence official who briefed the House Intelligence Committee, may have overstated the evidence. Per CNN, intelligence officials have concluded that Russia is interfering in the election and that Russian leaders believe Trump is a leader they can work with but their efforts may not be explicitly aimed at getting him reelected. Here’s Rep. Lee Zeldin (R-N.Y.):
Russia wants to sow discord in US politics.— Lee Zeldin (@RepLeeZeldin) February 23, 2020
Many Americans do far too much to assist Putin w/crazed rhetoric & false conspiracy theories that achieve nothing other than dumbing down Americans & sowing that discord.
This clears up a tad of that👇https://t.co/FbVzlfuABG
PATCHED: Attorneys for Julian Assange will make their opening arguments in a London court today that the WikiLeaks founder should not be extradited to face hacking charges in the United States, Jill Lawless at the Associated Press reports. The trial could produce new information about Assange's recent allegations that President Trump offered him a pardon in exchange for saying Russia had no involvement in hacking Democrats in 2016. The White House has denied the claims.
The Justice Department claims Assange violated anti-hacking laws by offering to help Chelsea Manning crack a Defense Department password to leak more documents to his organization. If found guilty of those and other charges, he could face up to 175 years in prison, my colleagues William Booth and Karla Adam report.
Assange has gathered support from journalism and civil liberties groups who say the charges against him violate the First Amendment. A decision on extradition is still several months out. After opening arguments this week, the case will break until May.
PWNED: Hotel guests whose personal information was exposed in a data breach of MGM Resorts International filed a class-action lawsuit against the company, Kanishka Singh at Reuters reported. The breach exposed the phone numbers, addresses and emails of more than 10 million guests, including high-profile clients such as pop star Justin Bieber and Twitter CEO Jack Dorsey, ZDNet reported.
MGM has not yet said how many guests’ information was exposed in the breach.
It’s also not clear how many MGM guests will join the lawsuit, and Morgan & Morgan, the law firm representing the victims, hasn’t said how much money it’s seeking. The firm also represented victims of the Yahoo and Equifax breaches.
— Cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
- The Penn State Dickinson Law and Institute for Computational and Data Sciences will host an event “Hacking The U.S. Election: How Can We Make U.S. Elections More Secure?” on Monday from 8:30am-1:00pm.
- RSA Conference 2020 is scheduled for Feb. 24 to 28 in San Francisco.
- The Cyberspace Solarium Commission will release of its final report and recommendations during a public event on March 11 at 2:30pm.