The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Trump's false election claims made it tougher to talk about election security

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Placeholder while article actions load

Welcome to The Cybersecurity 202! I hope everyone is looking forward to a nice Juneteenth weekend. We'll see you back here Tuesday. Here’s “I, too” by Langston Hughes, a great D.C. poet before he moved to New York. 

Below: The United Kingdom ordered WikiLeaks founder Julian Assange extradited to the United States, and Dutch authorities say they caught a Russian spy at the war crimes court.

There's a fine line to walk in discussing election security

Election security efforts kicked into high gear after the 2016 election — fueled by Russian interference in that year’s presidential contest. 

Then 2020 happened. 

The baseless claims of hacking and fraud that former president Donald Trump and his allies spread after his 2020 loss have polluted conversations about election security ever since, making it far harder to talk about legitimate dangers to the voting process. 

Trump allies have routinely misrepresented legitimate security concerns to serve their own ends. They’ve also co-opted the language of election security to promote wild conspiracy theories and degrade public faith in the democratic process. 

They’ve claimed to have found digital vulnerabilities and back doors in voting machines that make no sense to experts who’ve studied those machines. They’ve conducted vote audits that violate all audit protocols and render election machines too insecure to be used again. 

The result: Talking about genuine election security concerns has become a tortuous process as experts try — usually in vain — to ensure nothing they say will be mischaracterized. 

  • “Everyone working in election security has become very sensitive to the need to word things carefully and precisely and to qualify even the most innocuous statements,” Matt Blaze, a Georgetown University professor who has been working on election security for decades, told me. 
  • “Election security researchers now know that their work will be amplified and distorted by activists interested in undermining democracy,” William T. Adler, senior technologist at the Center for Democracy and Technology focused on elections, told me. “It’s harder to raise concerns about legitimate vulnerabilities. … There’s a whole ecosystem set up to mischaracterize election security work.”

To be clear: Russian hackers accessed voter rolls in at least two states and probed election systems in several others before the 2016 election, according to U.S. intelligence agencies and the report from special counsel Robert S. Mueller. There's no evidence they compromised actual voting systems or changed any votes.

In response, election officials have made huge strides in security since 2016 — including retiring large numbers of voting machines that lacked paper records and could not be sufficiently audited and installing cybersecurity sensors in election offices across the nation.

But a lot still needs fixing. About 10 percent of the country still votes on machines that lack paper trails. Researchers recently found numerous digital bugs that the Cybersecurity and Infrastructure Security Agency urged fixing in voting machines used in Georgia and other states.  

  • “There are real deficiencies of security in our systems that can and need to be improved, but in many ways, the ‘big lie’ has tainted discussions or efforts,” Susan Greenhalgh, senior adviser on election security for the group Free Speech For People, told me. “There is fear any election security improvements could be twisted to validate the incredibly bogus claims from the Trump campaign.”

The challenge is heightened because election security has never been a matter of creating a perfectly secure system — a fact that’s easily exploited by election deniers.

Rather, elections are generally viewed as a balancing act between making digital attacks and fraud as difficult as possible while making the voting process as easy as possible. 

That provides a lot of opportunities for election deniers who want to blow up legitimate security concerns into something much bigger. 

For example: Election security advocates have expressed legitimate concerns that some voting machines transmit election results wirelessly to a central server and could be corrupted by hackers during the process. Some election officials dispute those concerns, saying the machines don’t touch the open internet. 

In other cases, voting machines have the ability to connect to wireless networks but it’s supposed to always be turned off — something security advocates say is too risky.

But those legitimate disputes are a far cry from Trump allies' bizarre claims that voting machines routinely communicated with Venezuela and Italy. 

  • “It’s one thing to say airplanes can crash and airplanes are vulnerable. It’s another to say that Air Force One was shot down and Joe Biden’s been replaced by a body double,” Mark Lindeman, director of the group Verified Voting, told me. “The ‘big lie’ claims are in body-double territory. They make no sense.” 

If there’s one plus side to the current moment, it’s that election machine vendors and election officials have become far more adept at engaging with cybersecurity pros and speaking openly about their security protections. 

  • Election machine vendors, in particular, have evolved from mostly shunning the cybersecurity community before the 2016 election, to inviting outside cybersecurity testing of their equipment.
  • They’ve also embraced some reforms the security community had long called for, including no longer selling voting machines without paper trails.

“One side effect of the ‘big lie’ is that election officials understand that they need to be able to explain why their systems are trustworthy, which is that the election security community has been advocating from the beginning,” Blaze told me. 

Democrats in Congress have also continued to push for election security reforms. The House Appropriations Committee released a funding bill that included $400 million in election security grants this week — which also mandated that states only buy new voting equipment that includes paper records. 

Democratic senators have called for a $5 billion investment in election security — though such a large investment is highly unlikely to win support from Republicans who have been historically wary of cooperating with Democrats on the topic.  

There’s also a chance that voters convinced by Trump that elections are fundamentally insecure could still be won back

That’s likely not possible with die-hard believers of course. But the nature of Trump allies’ election lies is that a lot of people have been left with a vague impression the election was corrupted but no firm beliefs about how.

It’s conceivable that those people might be convinced otherwise if they’re shown enough transparent evidence that elections are secure. 

“A lot of people don’t pay much attention and their beliefs about 2020 may not make a lot of sense. … Those people are worth reaching out to,” Lindeman said. “A hallmark of good election reforms is they can reach voters across a spectrum of beliefs about the 2020 election.” 

The keys

The United Kingdom orders Julian Assange extradited to the United States

The WikiLeaks founder will face espionage and hacking charges once he arrives in the United States. He still has 14 days to challenge the extradition order, Salvador Rizzo and William Booth report.

The order is the product of a drawn-out extradition process. Assange has been in prison in London since 2019 after he was booted from the Ecuadoran Embassy there where he sought political asylum. Assange’s lawyers have argued that he’s at risk of suicide if he faces trial in the United States. 

The British Home Office said in a statement that “the UK courts have not found that it would be oppressive, unjust or an abuse of process to extradite Mr Assange. Nor have they found that extradition would be incompatible with his human rights, including his right to a fair trial and to freedom of expression, and that whilst in the US he will be treated appropriately, including in relation to his health.”

Dutch authorities say they caught a Russian spy at war crimes court

The alleged spy posed as a 33-year-old Brazilian national who was starting an internship at the International Criminal Court (ICC), Annabelle Timsit and Adam Taylor report. But he was actually Sergey Vladimirovich Cherkasov, a 36-year-old Russian intelligence officer, the Netherlands’s counterintelligence agency said.

The target may have been the ICC’s investigations into Russian war crimes. “If the intelligence officer had succeeded in gaining access as an intern to the ICC, he would have been able to gather intelligence there and to look for (or recruit) sources, and arrange to have access to the ICC’s digital systems,” the Dutch counterintelligence agency said.

Cherkasov constructed an elaborate backstory complete with “long descriptions of a complicated transnational family history and mundane details about rent in different cities, crushes on schoolteachers and a favorite trance music nightclub in Brasília,” my colleagues write.

Cherkasov was awarded a master's degree from the Johns Hopkins School of Advanced International Studies (SAIS), according to the program. Here’s more from Eugene Finkel, an associate professor at SAIS:

Hackers breached Germany’s Green Party

The hackers accessed email accounts belonging to two leaders of the party and forwarded some stolen emails to an external server, Der Spiegel’s Serafin Reiber, Wolf Wiedmann-Schmidt and Marcel Rosenbach report. Hackers are believed to have later breached the party’s internal network, which has sensitive documents about its political and policy positions, the outlet reports.

It’s not clear who was responsible for the hacks. The party and German authorities are investigating. The Green Party is the second-largest party in Germany’s ruling coalition government. 

German officials have long been targeted by Russian hackers. In 2020, German authorities accused Russia of being responsible for the 2015 hacking of policymakers including then-Chancellor Angela Merkel. They have also blamed Russian hackers for breaching German government networks in 2018.

Hill happenings

House subpanel OKs $417 million boost for CISA (The Record)

Key Democrat warns of major security risk if US firm acquires NSO hacking code (The Guardian)

Government scan

U.S., partners dismantle Russian hacking 'botnet,' Justice Dept says (Reuters)

Securing the ballot

Justice Dept. secures first guilty plea for threats to election workers (By David Nakamura)

Global cyberspace

Police linked to hacking campaign to frame Indian activists (WIRED)

Interpol nabs $50 million, 2,000 alleged social engineering scammers (Gizmodo)

Israel and Hong Kong team up to test digital currency cyber risk (Bloomberg)

Latin America governments are prime targets for ransomware due to lack of resources, analysis argues (CyberScoop)

Daybook

  • CISA Director Jen Easterly and energy executives discuss cybersecurity at the EEI 2022 conference on Tuesday.
  • Sen. Angus King (I-Maine) speaks at a Reagan Institute on foreign information operations Wednesday at 10 a.m.
  • Third Way hosts an event on China and the digital world order Tuesday at 11 a.m.
  • Michael Brown, who leads the Pentagon’s Defense Innovation Unit, speaks at the Center for a New American Security on Wednesday at 12:30 p.m.
  • CISA’s Cybersecurity Advisory Council meets at 1 p.m. Wednesday.
  • White House special assistants Tim Wu and Peter Harrell discuss the Biden administration’s Declaration for the Future of the Internet at a Brookings Institution event Wednesday at 2 p.m.
  • The Committee on House Administration holds a hearing on disinformation’s threats to democracy Wednesday at 2:30 p.m.
  • The R Street Institute hosts an event on the cybersecurity of the water industry Wednesday at 4:30 p.m.

Secure log off

Thanks for reading. See you Tuesday.

Loading...