As intelligence chiefs warn that Russia is moving to build on its earlier efforts to interfere with elections, the United States is still struggling to respond to a network of voting systems alarmingly vulnerable to foreign attack.
WASHINGTON — Even as it is consumed by political fallout from Russia’s meddling in the 2016 election, the United States is still struggling to respond to what many officials see as an imminent national-security threat: a network of voting systems alarmingly vulnerable to foreign attack.
As hackers abroad plot increasingly brazen and sophisticated assaults, the United States’ creaky polling stations and outdated voter-registration technology are not up to the task of fighting them off, according to elections officials and independent experts.
Senior national-security officials have repeatedly said that the United States should prepare for more foreign efforts to interfere with elections. On Tuesday, President Donald Trump’s top intelligence adviser warned a Senate committee that Russia is moving to build on its earlier efforts to interfere with U.S. elections, which included a sustained campaign of propaganda and the unleashing of cyberoperatives.
“There should be no doubt that Russia perceives its past efforts as successful and views the 2018 U.S. midterm elections as a potential target,” said Dan Coats, the director of national intelligence. The administration’s top national-security officials have all warned about the Russian threat, although Trump himself continues to minimize it.
Most Read Nation & World Stories
- Hearing sets up dramatic showdown between Kavanaugh, accuser WATCH
- Trump Jr. mocks sexual assault claim against Kavanaugh
- Grizzly's rare aggressive attack kills 1, puzzles officials
- Noah's Ark except it's a school bus: Truck driver rescues 64 dogs and cats from floods of Hurricane Florence
- Soon-Yi Previn defends husband Woody Allen, attacks mother
At the Senate Intelligence Committee hearing on worldwide threats, Democrats demanded to know what the intelligence community is doing to counter Russia’s actions and whether Trump has given explicit directions to them to do so.
Coats admitted there is “no single agency in charge” of blocking Russian meddling, an admission that drew the ire of Democrats on the committee, which is conducting an investigation into Russian interference in the 2016 election.
He also said that social-media companies, whose platforms have been fertile turf for Russian bots seeking to stoke divisions among Americans, have been “slow to recognize the threat” and that “they’ve still got more work to do.”
Coats, the leader of the U.S. government’s 17 intelligence agencies, said that Russia will continue using propaganda, false personas and social media to undermine the upcoming election.
His assessment was echoed by all five other intelligence-agency heads present at the hearing, including CIA Director Mike Pompeo, who two weeks ago stated publicly that he had “every expectation” that Russia will try to influence the coming election.
The intelligence community’s consensus on Russia’s intentions led Sen. Jack Reed, D-R.I., to press whether Trump has directed them to take “specific actions to confront and to blunt” Russian interference activities.
FBI Director Christopher Wray said the bureau is undertaking “a lot of specific activities” to counter Russian meddling but was “not specifically directed by the president.” And Pompeo added that Trump “has made very clear we have an obligation” to make sure policymakers have a deep understanding of the Russia threat.
Coats also said the intelligence agencies “pass on to the policymakers, including the president,” relevant intelligence.
Reed pressed on his question: “Passing on relevant intelligence is not actively disrupting the operations of an opponent. Do you agree?”
Coats said, “We take all kinds of steps to disrupt Russian activities.”
Pompeo added: “Senator Reed, we have a significant effort. I’m happy to talk about it in closed session.”
A visibly frustrated Reed responded: “The simple question I’ve posed is, has the president directed the intelligence community in a coordinated effort, not merely to report but to actively stop this activity, and the answer seems to be that … the reporting is going on, as reporting [goes on] about every threat going into the United States.”
Elections officials are daunted by the challenge of fortifying their defenses. Many still use outdated software that has fewer security protections than a decade-old cellphone. Millions of Americans vote on easily corruptible machines that provide no paper trail — an essential component for auditors to verify that tampering did not take place, experts say.
Although no evidence has surfaced to indicate that Russian hackers succeeded in directly tinkering with votes in 2016 — as opposed to propaganda efforts aimed at swaying public opinion — experts warn that the United States can’t count on that holding true next time.
“Are we going to be prepared to prevent something more egregious from happening?” said David Salvo, a resident fellow at the Alliance for Securing Democracy, a bipartisan initiative guided by some of the nation’s top national-security experts. “We’re all a little skeptical.”
Congress, so far, has balked at providing resources to upgrade voting systems, despite the urging of some of the nation’s most influential national-security voices. Many states are too broke to take up the slack. The lumbering bureaucracies charged with inoculating elections against attack don’t always talk to one another. Department of Homeland Security officials remain reluctant to share intelligence tips with the espionage neophytes on local elections boards.
“They will say, ‘We may have information, but if you don’t have proper clearance, we can’t share it,’ ” said California Secretary of State Alex Padilla. “Well, let’s do something about it.
“I wish the federal government would realize the magnitude and scope of these threats and act on them,” he said.
Anxiety about the risk is shared at the highest levels of government. Secretary of State Rex Tillerson recently expressed doubt that the United States is any better prepared to deal with foreign election meddling now than it was two years ago. A bipartisan letter signed by a former Homeland Security secretary, CIA director and House Intelligence Committee chair warned that failure to help local elections boards upgrade their equipment could have “catastrophic consequences.”
The warnings come as 500 elections officials in 41 states reported in a new survey by the Brennan Center for Justice at NYU Law School that the voting systems they use are more than a decade old. Many of them agree that the machines need replacing but reported they don’t have the money to do it.
“We’re cannibalizing (voting) booths that no longer function to pull parts,” said Neal Kelley, the Orange County, California, registrar of voters. Kelley said he never imagined when he took the job 14 years ago that fighting off Russian hackers would become a central part of his duties.
“This is absolutely top of mind for us,” he said. At least Orange County, like all other jurisdictions in California, keeps a paper trail of votes that can be audited. Cybersecurity experts say paper — if audited properly — is ultimately the best defense against hackers. Roughly one in five voters in the United States casts a ballot with no such backup.
How vulnerable our elections are to tampering is a matter of dispute. Elections officials tell a concerning story. Cybersecurity experts and “white glove” hackers who have probed the machines offer an even more worrisome account.
When hackers were unleashed on 30 different voting systems at the DEF CON 25 conference in Las Vegas over the summer, every single one was penetrated, some within minutes. In one case, a 16-year-old acting alone was able to hack into a machine in less than an hour. Some machines were compromised without a trace of evidence left behind.
“These systems are uniformly vulnerable,” said Jeremy Epstein, deputy division director for computer and network systems research at the National Science Foundation. “Any cybersecurity expert would come to that conclusion,” he said in an interview, offering his personal view, not speaking for the agency.
While Homeland Security has taken encouraging steps to confront the risk — sending teams to election districts to conduct security scans and sharing more intelligence information with the states — “anyone who thinks that is enough is not looking close enough,” he said.
“Imagine hiring someone to see how resistant your house was to burglars, and they just twisted the front doorknob to make sure it was locked,” he added, offering an analogy for the lack of thoroughness of the security tests currently being done.
Election war games
Homeland Security officials take issue with such characterizations. The security training sessions and assessments they conduct are having a big impact, and new channels of communication have been opened to share threat alerts with local elections supervisors, department officials said.
“There is no question we are making real and meaningful progress,” said a statement from Jeanette Manfra, assistant secretary for the Office of Cybersecurity and Communications at the DHS.
The government’s Elections Assistance Commission has been moving aggressively to make local officials aware of the severity of the threat, prepare them to confront it and increase their access to federal intelligence. It has encouraged local officials to take part in election war games run by Harvard’s Belfer Center for Science and International Affairs, which simulate a foreign cyberattack and require officials to figure out how to keep Election Day from melting down.
It’s a stressful exercise. Participants are confronted with the prospect of their decisions leading to mass protest, aggravated by a concurrent social-media propaganda campaign launched by the hackers.
Elections officials increasingly find themselves in a job they never signed up for: information technology managers tasked with protecting some of the most sensitive computer systems in the world. Yet they don’t have the defenses of a major retailer like Target or a financial institution like Citigroup — and even those operations are getting breached.
The state of Virginia got so spooked by what happened at DEF CON that, just nine weeks before its statewide elections in November, it directed all 22 voting districts to abandon the paperless electronic voting machines they had secured for the election and immediately shift to other systems. Pennsylvania announced this month it is also moving in that direction.
The pushback that some local voting officials gave to the Department of Elections in Virginia confirmed for computer scientists that too many still don’t understand the degree of risk they face. Local officials insisted their systems were safe because they were not connected to the internet, or that they could be protected from intruders by wrapping them with tamper-proof tape. Hackers have shown repeatedly that such defenses are easy to penetrate.
“A seasoned actor that can do this is not even touching the machine,” said James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, a Washington nonprofit that is advising lawmakers on the cyberthreat. “The vulnerabilities are there to manipulate these machines.”
A fix does exist, Scott said: Congress could provide money for new voting machines and mandate they produce a paper trail that is randomly audited, steps called for in several bipartisan measures that have been introduced, but not acted on. All such proposals come with a price tag of hundreds of millions of dollars, and neither the administration nor Congress has made that a priority.