[Image via npr]
NPR reporter/electiongeek Pam Fessler looks ahead to today’s twin election security hearings on Capitol Hill with five (excellent!) questions about what to watch:
Russia’s efforts to interfere with last year’s elections will be front and center during two hearings on Capitol Hill on Wednesday. Former Secretary of Homeland Security Jeh Johnson will appear before the House Permanent Select Committee on Intelligence while the Senate Select Committee on Intelligence will hear from current U.S. intelligence officials and state election experts.
Here are five questions likely to be on lawmakers’ minds as they listen to witnesses and ask questions.
1. How extensive were Russian efforts to hack into U.S. election systems last year?
Right now, it’s not clear but here’s what we know so far.
Last June, the FBI alerted Arizona election officials that a known Russian hacker had gained access to a county employee’s username and password and that someone using those credentials tried to gain access to the state’s voter registration database. That effort did not appear to be successful.
In July, a computer expert working for the Illinois State Board of Elections noticed that someone had broken into the state’s voter registration database and had access to tens of thousands of voter records. No records appeared to have been altered or deleted, but the hacker had access to the system for three weeks before being detected.
The FBI alerted states to be on the lookout for similar attacks. Election officials were given a list of more than 800 “cyberthreat indicators” or digital signs that someone involved in the attacks was trying to infiltrate their computers, said Geoffrey Hale with the Department of Homeland Security’s Office of Cybersecurity and Communications. According to Hale, 21 states reported that their systems — mostly involved with voter registration databases — had been scanned, but there were no signs of any other successful intrusions.
Last week, Bloomberg News reported that traces of the hackers had been found in 39 states, not 21, citing anonymous sources. At a meeting of state election officials on June 15, Hale said DHS did not know where the news organization got that number and that the agency still believes only 21 states were affected.
The Bloomberg article followed the leak of a National Security Agency report that Russian intelligence tried to hack a U.S. election systems vendor last August. The report also described a related spear-phishing campaign shortly before the November elections involving as many as 122 local election officials. Those officials were sent emails that appeared to come from the vendor — VR Systems of Tallahassee, Fla. — and included attachments containing malicious software.
The NSA report says it’s unknown if any of the local officials’ systems were compromised in the attack, but that it’s “likely” at least one of VR Systems’ email accounts was. But in an interview with NPR the company’s chief operating officer, Ben Martin, denied that the hack was successful. He said as soon as company employees noticed the suspicious emails, they alerted law enforcement.
Lawmakers will likely want to know which version of events is correct.
2. Do we know for a fact that no votes were changed?
Federal authorities and state and local election officials have repeatedly insisted that there is no evidence hackers were able to change any votes in last year’s elections.
Instead, signs point to what was likely a scanning operation — with Russians probing election systems for information about how the U.S. voting process works and potential vulnerabilities — for possible future attacks.
But cybersecurity experts admit they don’t know for sure that no ballots were manipulated. While voting machines are generally not connected to the Internet, they often use memory cards that have been programmed by a computer that might have been connected to the Internet, or to another computer that was at some point connected to the Internet. It’s possible for a hacker to infect one of these machines remotely — perhaps by tricking some election official to click on a link containing malicious software — and this could conceivably infect the memory cards to change election results.
Election officials insist this is a highly unlikely scenario, and that they have multiple layers of security in place to detect and prevent unauthorized intrusions. Still, cybersecurity experts note that voting machines used in 14 states — including Georgia and New Jersey — do not include paper ballot records that can be used to verify the electronic results if there are any suspicions of tampering.
3. What is the future threat?
If the Russians weren’t trying to change votes, what were they after?
“They want to undermine our credibility in the face of the world. They think that this great experiment of ours is a threat to them,” warned former FBI Director James Comey in a recent appearance before the Senate Intelligence Committee. “So they’re going to try to run it down and dirty it up as much as possible. That’s what this is about and they will be back,” he said.
If nothing else, last year’s hacking attempts showed the extent of Russian interest in U.S. elections. Intelligence and elections officials worry that hackers were laying the groundwork for future attempts to either manipulate votes or to throw the system into chaos by tampering with things such as voter registration databases. Change or delete some names, and that could wreak havoc on Election Day.
Another possibility is that the Russians are primarily interested in undermining public confidence in the U.S. democratic system by trying to raise suspicions that votes have been changed, even if they haven’t.
Cybersecurity experts say they’re also increasingly worried about “hacks for hire” — those hackers who might be trying to gain access to voting systems with the intention of selling that access to the highest bidder, whether it’s the Russians or someone else.
4. What can be done to protect against future attacks?
State and local election officials say they have multiple layers of security in place to prevent and detect such attacks and that they’re routinely putting new security measures in place. They’re also working more closely with federal agencies to help identify any vulnerabilities.
After last year’s attempted cyberattacks, Johnson declared U.S. elections system “critical infrastructure.” He said this would mean that federal authorities could provide more intelligence and support to state and local election offices to help prevent future attacks.
But it’s not clear what that will mean in practice. Six months after the announcement, DHS is still trying to set up working groups with state and local election officials and vendors to discuss what to do next.
Many election officials have also asked if the designation comes with any federal funding for them to buy new equipment and beef up security, but they’ve been told that it does not. Aging voting equipment is considered by many to be one of the biggest problems faced by local election offices.
Others think the best protection against cyberattacks is to make sure that all electronic voting machines have paper ballot backups that can be checked in post-election audits to ensure that electronic results are accurate.
5. If state and local election officials are wary about federal interference, how well will they work together?
A number of state and local officials are worried that the critical infrastructure designation will lead to the federal government trying to tell them how to run elections, something that’s traditionally been run at the local level. Many election experts think the fact that U.S. voting is so decentralized is one of the best protections against foreign tampering
Federal authorities insist they are only offering assistance to those who request it and are not trying to impose any requirements on local election offices.
But the relationship has a long way to go. State and local election officials were upset to learn about the Russian spear-phishing campaign detailed in the NSA report from media accounts, not from federal intelligence agencies.
The release of that report led to a thinly-veiled complaint from the National Association of Secretaries of State, which initially opposed the critical infrastructure designation: “We urge DHS and other federal law enforcement to share threat intelligence information with election officials and notify all local election officials who were targeted in the email spear-phishing campaign that is documented in the NSA report.”
Many local election officials say they want whatever help they can get from the federal government, as long as there are no strings attached. They’re worried mostly about two things — whether the feds understand how elections work and whether they’ll really share threat information as promised. There’s a lot of misunderstanding on both sides, something lawmakers will almost certainly want to discuss.
Needless to say, the stakes are very high on this issue. Pam’s last point – that the federal-state-local relationship is increasingly strained because of the perceived imbalance of information about what’s happened so far, what it means and what’s next – is likely to drive much of the debate (and help/hinder progress on solutions) on this topic in the coming months.
Thanks to Pam Fessler for her continued quality coverage of the election administration “beat” – and stay tuned in what promises to be a busy news cycle …