The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: The security of future elections could ride on this one’s outcome

with Tonya Riley

As Americans await the outcome of the 2020 election, the security of future elections may hang in the balance. 

Election security advocates are pushing for up to $3 billion from Congress they say is vital to help protect election systems against hacking. But that money will be far more likely to come through in a Biden administration. 

Joe Biden has described election security as a major challenge and pledged to impose consequences on Russia or other adversaries that interfere in U.S. elections. 

That’s a big shift from President Trump, who has paid little attention to the topic, repeatedly questioned intelligence agencies’ conclusion that Russia interfered in the 2016 election and spread disinformation about the 2020 contest, including unfounded claims of fraud. Last night he charged without evidence that he’d won a majority of “the legal vote,” though there’s no evidence of illegal votes being cast. 

Officials are still determining the winner in five states that will determine who wins the presidency — Pennsylvania, North Carolina, Georgia, Nevada and Arizona. The Trump campaign has filed a slew of lawsuits to toss ballots or halt vote counting in Pennsylvania, Michigan and Georgia. 

If Trump wins reelection, advocates and many Democrats fear he could halt progress on election security improvements or degrade faith in the credibility of elections with more spurious claims.  

“Those who seek to undermine our free and fair elections will continue their threats with increased frequency,” California Secretary of State Alexander Padilla (D), chair of the Democratic Association of Secretaries of State, told me. “We didn’t rest on our laurels after a successful 2018 election to get us through 2020 and we can’t rest on our laurels after a successful 2020 election and assume all will be okay in 2022.” 

Even if Biden wins, it will be difficult to deliver the large sums security advocates are seeking if Democrats don’t take control of the Senate. 

That is looking less likely, however, with Republicans winning reelection in the hard-fought states of Maine and Iowa, and it will likely depend on runoff elections for Georgia’s two Senate seats in January.

Absent Democratic control of that chamber, it probably will be impossible to mandate that states make specific improvements such as using paper ballots and meeting minimum cybersecurity standards, which Democrats have long sought but Republicans have opposed.

The likeliest scenario is a repeat of the past two years, during which Republicans ultimately agreed to about $1 billion in funding to help election administrators protect against hacking and respond to challenges posed by the coronavirus pandemic. But they consistently rebuffed Democratic efforts to deliver far more money and to couple it with cybersecurity mandates for states. 

“It says something that one of the few things Democrats and Republicans were able to agree on over the last couple of years has been money for election security,” Lawrence Norden, director of the Election Reform Program at New York University’s Brennan Center for Justice, told me. “But Democrats have been far more supportive of money and mandates connected with that money.” 

Officials have credited vast improvements since 2016 for the fact there appear to have been no significant cyberattacks on Election Day 2020.

Those changes include a new nationwide network of cybersecurity sensors on election infrastructure managed by the Department of Homeland Security, new and more secure election technology in numerous states and a substantial increase in the amount of votes cast with auditable paper ballots. 

But there’s still a long way to go, officials and advocates say. 

That includes ensuring there are paper records of ballots for about 10 percent of voters who lack them, and dramatically increasing rigorous post-election audits, which have increased since 2016 but still aren’t conducted in many places. 

Without such audits, security advocates worry the value of paper ballots to help ensure vote counting isn’t compromised by hackers or technical failures isn’t really being exercised. 

“I compare it to seat belt laws,” Susan Greenhalgh, senior adviser on election security for the advocacy group Free Speech For People, told me. “They're very helpful, but only if you wear your seat belt.”

Officials also fear Russia and other adversaries will launch more sophisticated attacks and election infrastructure must evolve to protect against them

“The threats are only growing,” Norden said. “We’ve made huge progress since 2016, but this is a race without a finish line.” 

Regardless of the election outcome, Democratic officials say they plan to press hard for changes. 

“If Trump is reelected, will it make the job of state and local election officials across the country harder? Yes,” Padilla said. “But we worked our way through the last four years and we’ll continue to do it if we have to. We’ve developed really good relationships with DHS and other parts of [the federal] government, but it was the president undermining our message on election security.”

Sen. Ron Wyden (D-Ore.), who sponsored some of the most progressive election security legislation of the past two years, also pledged to keep pushing. 

“Election security legislation will pass as soon as Republican Senate leaders drop their all-out blockade against bills like mine, which would harden our defenses against bad actors,” he told me in an email. “Hats off to the hard-working elections officials and [DHS's Cybersecurity and Infrastructure Security Agency] staff who are defending our democracy. Congress needs to give them all the support we can to keep our elections secure.” 

The keys

USPS failed to deliver 150,000 ballots before Election Day, including in states that are still counting votes. 

Of the late ballots, more than 12,000 were from five states The Washington Post has not yet called for Trump or Biden, Jacob Bogage and Christopher Ingraham report. That number is expected to grow as the Postal Service releases new data. 

Just under 11,000 of the ballots are from Nevada, North Carolina and Pennsylvania and can still be counted because of rules in those states that allow counting of ballots that are postmarked on or before Election Day and arrive before today. 

But 864 Arizona ballots and 853 Georgia ballots identified so far will be disqualified

The agency released the data in federal court in response to several civil rights lawsuits over the delays. “Voters put their ballots in the mail by this week and by this past weekend, and the only reason that their vote wasn’t counted was because of Postal Service delays,” Shankar Duraiswamy, an attorney representing the civil rights group Vote Forward, said in court.

Justice Department lawyers representing the Postal Service warned the numbers may not be completely accurate since some official processing procedures may have been bypassed to send ballots directly to election officials.

Facebook banned a group Trump allies used to organize protests challenging the legitimacy of the election. 

Some posts within the STOP THE STEAL group discussed armed conflict, Tony Romm and Isaac Stanley-Becker reported.

“The group was organized around the delegitimization of the election process, and we saw worrying calls for violence from some members of the group,” Facebook spokesman Andy Stone said in a statement.

Facebook will be reviewing other groups that use the “Stop The Steal” moniker for violations, Stone said.

The removal shows the dilemma Facebook faces in moderating its groups and pages, which have become both a powerful organizing tool and a meeting ground to organize physical violence.

Protests pushing unfounded allegations of voter fraud have also gotten a boost from pro-Trump media and other influencers online. Some websites associated with the movement appeared to be fundraising off the protests.

The Justice Department seized $1 billion worth of bitcoin a hacker stole from a notorious online drug bazaar.

It's the largest amount of cryptocurrency ever seized by the department, Paul Vigna at the Wall Street Journal reports. The 69,000 bitcoin were stolen from Ross Ulbricht, the founder of the “dark Web” drug network known as the Silk Road. Ulbricht is serving a life sentence in prison for distributing narcotics and money laundering.

The hacker, identified as Individual X, appears to have stolen the online currency in 2012 and 2013. The hacker left most of the bitcoin, which have increased in value, untouched. 

The Justice Department didn't say how it got access to the bitcoin wallet or what it would do with the cryptocurrency.

More cybersecurity news:

European election observers decry Trump’s ‘baseless allegations’ of voter fraud (Carol Morello)

Twitter permanently suspends Steve Bannon account after talk of beheading (CNN)

Anonymous Trump Critic And Former DHS Staffer Miles Taylor Has Left Google (Buzzfeed)

Secretaries of State in Spotlight as Trump Ratchets Up Attacks to Sow Doubt (New York Times)

Brazilian police investigate online hacking of high court (Associated Press)

Huawei fights back in court against FCC national security threat label (The Hill)

Chat room

Here's a thread from the New America think tank's Peter Singer about disinformation before and after the election. 

As if this week hasn't been stressful enough, the vendor behind beloved Italian liqueur Campari has been knocked offline by ransomware, ZDNet's Catalin Cimpanu reports:

A response from StateScoop's Benjamin Freed:


  • The Cybersecurity Coalition and the Cyber Threat Alliance will host CyberNextDC on Nov. 17-18, starting at 11 a.m.

Secure log off

Still waiting on Nevada results:

It's going to be a long weekend. Take some time off from election monitoring and watch this relaxing video from our political reporter Felicia Sonmez. See you on Monday!