The U.S. midterm elections are at increasing risk of interference by foreign adversaries led by Russia, and cybersecurity experts warn the Trump administration isn’t adequately defending against the meddling.
At stake is control of Congress. The risks range from social media campaigns intended to fool American voters to sophisticated computer hacking that could change the tabulation of votes.
At least three congressional candidates have already been hit with phishing attacks that strongly resemble Russian sabotage in the 2016 campaign. Among them was Senator Claire McCaskill, a Missouri Democrat in one of the year’s most hotly contested races.
Facebook has shut down dozens of accounts and pages to stop what appeared to be a coordinated disinformation campaign.
Three months ahead of the election, President Donald Trump’s top national security officials are sounding the alarm. Five of them went to the White House podium last week to warn of interference and outline the government’s preparations, even as Trump himself continues to publicly raise doubts about Russia’s involvement in the 2016 election that he won. Dan Coats, the director of national intelligence, warned that a major Russian effort to undermine the November election is “only one keyboard click away.”
What would such an attack look like? Here are some of the major risks and an analysis of the damage they could do, according to experts in the field.
– Fooling voters: Russia sought to sway the vote in 2016 through disinformation campaigns and targeted hacking and leaking of information. Hackers are at it again, as shown in the phishing attacks on congressional candidates and suspect Facebook pages.
Even as Twitter and Facebook launch new initiatives to stop such meddling, hackers are adjusting to avoid — or at least delay — detection. Some of the suspect pages Facebook shut down in July had been operating for more than a year. One simple tweak their sponsors made: paying for ads in U.S. and Canadian dollars instead of Russian rubles. Others include consistently obscuring network locations and the identities of ad buyers.
Meddling through social media remains a cheap and effective means to “throw fuel on already divisive fires that are burning,” said Michael Sulmeyer, the director of the Cyber Security Project at Harvard’s Belfer Center.
The polarized U.S. political climate feeds the viral spread of incendiary material. That “exacerbates all of the false information and propaganda that can shape an information environment,” said Kara Frederick, a former member of Facebook’s counter-terrorism team.
It’s already happening and likely to spread. The strategy’s effectiveness boils down to whether American voters remain gullible enough to believe fake ads and news stories.
– Undermining trust: Elections only work in democracies if the public believes in the outcome. Russian hackers have already identified that trust as a point of attack elsewhere. In 2014, they attempted to fool television stations in Ukraine into broadcasting the wrong results to sow confusion.
Hackers need only introduce uncertainty about whether votes will be counted accurately to weaken the legitimacy of elected leaders. Even an unsuccessful cyber attack could shake faith in the results.
“In some ways they’ve achieved the goal of achieving distrust,” said Christopher Painter, who served as the nation’s top cyber diplomat under President Barack Obama. “Even if they do nothing new, we are paranoid.”
If sowing confusion was the great achievement of Russian President Vladimir Putin’s 2016 campaign, this is the logical next step.
– Suppressing the vote: It’s a truism of politics that voter turnout decides elections. Malicious hackers have plenty of ways to interfere, said Steve Grobman, chief technology officer of the security software company McAfee Inc. Russian hackers successfully penetrated voter rolls in 2016 in a few states. Security experts fear they may seek to reshape the electorate in 2018 by strategically deleting voter information.
Plenty of more subtle avenues are also available, Grobman said. Well-timed denial-of-service attacks could prevent voters in specific districts from getting information about their polling places. Fake reminders could direct voters to show up at the wrong voting locations. Malware that targets operations at specific polling places, such as systems used to check in voters, would only need to slow the process a few seconds per voter to create cascading delays.
Suppressing turnout or making voting more difficult is the most effective way to alter results without changing actual votes. Such attacks would escalate Russia’s interventions compared to 2016 but are within the Kremlin’s capabilities. Their likelihood probably depends on whether Putin fears U.S. retaliation.
– Altering the tally: The nuclear option is to attempt to change the outcome of an American election by tampering with election machines or the tabulation of votes.
A close election with a “smoking gun” showing interference in even a small number of key races “would undermine confidence in electoral tallies across the board and cause a political crisis,” said James Miller, who served as an under secretary of defense in the Obama administration.
Congress set aside $380 million in March to help states bolster election security measures. Some states are strengthening their defenses: California plans to use the money to protect voter rolls while Hawaii plans cybersecurity training and computer upgrades. But five states still don’t even have voting machines with paper trails that can be audited.
U.S. authorities are most focused on preventing just this scenario. It would the most provocative attack and invite retaliation. It may not be worth the risk to Russia or other adversaries, especially in a midterm election when the presidency isn’t on the line.
Burrowing in: Foreign hackers could stay in the background during the less-prominent Congressional elections, instead making inroads into election systems and, according to Miller, even recruit insiders to aid a campaign to significantly undermine the next presidential election.
U.S. adversaries face a key strategic question, according to James Lewis, a cybersecurity expert at the Center for Strategic and International Studies: “Would you save your best tricks for 2020 or will you maybe experiment with a couple in 2018?”
(c) 2018, Bloomberg · Alyza Sebenius