Why a Failed Election Hack Could Be Worse Than a Successful One
The culmination of the U.S. presidential election next month will set the course for American politics over the next four years. But it will also mark one of the largest cybersecurity efforts in history: to protect the nation’s polling and vote tallying infrastructure from online interference.
As election workers count votes on Nov. 3, an operations center at the Department of Homeland Security will be a 24-hour contact point for thousands of local governments and hundreds of IT and cybersecurity vendors that service them, officials said last month. At the joint headquarters of U.S. Cyber Command and the National Security Agency in Ft. Meade, Md., military cyber teams—both offensive and defensive—will be on alert, ready to respond to foreign intruders. The “Big Ear” of the NSA will be tuning in to the communications of foreign governments and intelligence agencies, straining for any whisper of a hacking plot.
But some fear that America is gearing up to fight the wrong war: According to former intelligence and homeland security officials, it doesn’t matter how strong the U.S.’s cyber defenses are, because even a failed or thwarted hack could still disrupt the election—maybe even worse than a successful one.
“An attempted hack, even a failed one, could still have a significant impact, if it makes people doubt the integrity of the process, if it undermines public confidence in the result,” Suzanne Spaulding, who was the DHS undersecretary responsible for cybersecurity in the Obama administration, told The Record. “That’s something we worried a lot about in 2016,” she added.
Undermining Americans’ confidence in the election result is also something that aligns very well with the objectives of at least one nation-state adversary that’s already been caught trying to put it’s thumb on the scales for 2020—Russia.
“The Russians could win even if their hack fails,” former senior DHS official Tom Warrick explained in an interview, “because sowing confusion is the strategic impact they’re aiming for” in meddling in the 2020 poll.
“From the Russian standpoint, confusion about the result, increasing doubt about the process, is almost as useful as actual success [in hacking the election],” Warrick said.
Social media and a bitter partisan divide have created a news environment that’s ripe for election disinformation, experts say. A single inaccurate data point can almost instantaneously be amplified in an online echo chamber. And in an unprecedented series of bulletins over the past couple of weeks, the FBI has sought to sound a warning to Americans regarding the impact of such disinformation about election hacking.
“Foreign actors and cyber criminals” are using online platforms to spread “false and inconsistent information… in an attempt to manipulate public opinion, discredit the electoral process, and undermine confidence in U.S. democratic institutions,” the bureau stated.
Such disinformation could include claims that “successful cyber operations have compromised election infrastructure,” the warning adds, although in fact, the FBI has “no reporting to suggest cyber activity has prevented a registered voter from casting a ballot, compromised the integrity of any ballots cast, or affected the accuracy of voter registration information.”
The FBI would be unlikely to issue such warnings unless they believed that foreign information operations were actually planned or already underway, Warrick said. “This kind of bulletin is typically issued when there’s some kind of underlying intelligence that backs it up, even if they can’t release the details,” he said.
The FBI declined to make officials available for interview, citing the heavy workload leading up to the election. DHS was also unable to make anyone available for an interview by deadline.
But Spaulding said concerns about disinformation were very much top of mind for officials investigating Russian cyber reconnaissance of election infrastructure in 2016. As the extent of scanning and intrusion efforts against state voter registration databases became clear, officials started to fret that they were laying the groundwork for a disinformation campaign undermining public confidence in the result if Clinton won.
“Indicators of an attempted intrusion, even a failed one, would be enough to form the basis of a claim that you’d somehow hacked those databases, somehow impacted the result,” said Spaulding.
This time around, the Russians are unlikely to wait until the election is over, according to Marek Posard, a military sociologist and disinformation expert with the RAND Corp., a think tank with historic ties to the U.S. military.
“Russia’s strategic objective in its information campaigns [against America] is to maximize political paralysis by magnifying polarization,” he told The Record. “They want to undermine the legitimacy of the institutions like elections that… make American democracy work.”
Creating a contested election, with an uncertain result that plunges the country into political crisis, would be the ideal outcome for the Russians, agreed former CIA senior cyber operative Marcus Fowler, now the director of strategic threat at cybersecurity firm Darktrace. “They have a preferred candidate, but that’s not their end goal,” he said. “What they really want is to erode our superpower status and slow our economic recovery [from the Coronavirus recession] through undermining our institutions.”
And cyberattacks are the perfect subject for disinformation campaigns, Fowler added. “There’s this big mystery about cyberattacks. Because they’re so poorly understood, because they’re so hard to put your finger on, they can easily be made to seem scarier than they actually are… the facts around them can be easily manipulated.”
In reality, it would be very hard to affect the outcome of a U.S. election through cyberattacks, experts say, partly because each state and territory runs its own voter registration and polling process, and each is configured differently and uses a different IT system.
“Literally thousands of local jurisdictions are involved,” DHS point man on election security Matt Masterson said last month. He called it “a very complex environment to operate in.”
But that complexity also means there aren’t consistent security standards, according to Recorded Future Intelligence Analyst Allan Liska. “The balkanized nature of state election systems means you get a patchwork of security standards,” he said at the Predict 2020 conference this week.
Local election officials are concerned about possible cyberattacks, especially from ransomware, Liska said. But they feel prepared for them, at least up to a point: “They have a playbook, they have a response plan, they have ways to mitigate… What really worries them is disinformation [about potential hacks]… Even if an attack doesn’t succeed in impacting the election result, it could still be used to create doubt” about the integrity of the poll.
At the end of the day, said Masterson, “The American voter is the last and best measure of resilience in the election process” against disinformation, and DHS is trying to focus on educating them. “Helping them understand who their trusted voices are for information, getting them to… stop before they share something and think about the source.”
Fowler, the former CIA senior cyber official, said America needs to think about training its citizens to be aware of disinformation the way that companies train their employees to suspect phishing emails. “Just as we try to get people to think before they click [on an attachment or a link in a suspect email], we need to train people to think before they link,” he said.
Masterson acknowledged that building the resilience of voters was a generational project. “You have to get them to really think about how misinformation takes hold,” he said. “But that’s a long-term process.”
Correction: An earlier version of this article misstated Suzanne Spaulding’s former role at the Department of Homeland Security. She was the Undersecretary for National Protection and Programs Directorate, not the Undersecretary for Preparedness.