Leading up to this year’s midterm election, scores of U.S. senators, intelligence officials, and security experts were sounding the alarm: do nothing, and what happened in 2016 will happen again.
“We know foreign adversaries are still targeting our upcoming elections,” said Sen. Amy Klobuchar in a letter dated May 9. “The open question is, how serious are we about preventing it from happening again?”
The wide-ranging campaign carried out by the government of Russia, in concert with other non-governmental entities, to influence the 2016 presidential election shocked the U.S. political and media establishment. It exposed vulnerabilities seemingly everywhere, from social media, where foreign operatives ginned up division on Facebook, to the political parties, where top officials’ emails were hacked and released, to the infrastructure of the voting process itself, which experts worried was weak and could be manipulated.
Klobuchar and other lawmakers introduced legislation to address those vulnerabilities — none made it far, despite earning bipartisan support, though companies like Facebook ended up implementing some of the proposed reforms on their own. The federal government made $380 million worth of grants available to states ahead of 2018 to shore up election infrastructure, but many observers deemed that move too little, too late.
A month after the election, however, it appears that the worst of those doomsday worries did not come to pass. The U.S. Department of Homeland Security declared there is no evidence so far that operatives from Russia, or elsewhere, hacked or otherwise meaningfully interfered in the midterms. Election administrators around the country, like Minnesota Secretary of State Steve Simon, have said they detected no major breaches of voting infrastructure in 2018.
That’s not to say nothing happened at all: Politicians and parties were targeted over the course of campaign season. In one example, unknown entities broke into the email accounts of top Republican strategists and monitored them for months. Secretary of Defense James Mattis said this week that Russia “tried again to muck around in our elections.”
But there’s little evidence yet to indicate that mucking had an impact on the elections. Nevertheless, no one seems to be accusing security watchdogs of crying wolf, and Klobuchar, Simon, and other officials maintain that the threat remains — and that there’s no better time than now to shore up U.S. elections as a monumental 2020 election looms.
2016: Heavy meddle
The 2016 election showed that a range of tactics, from the relatively low-tech to the highly sophisticated, could be effective in influencing voter attitudes and swaying the outcome of an election.
Extensive reporting, and a detailed indictment from special counsel Robert Mueller, revealed that the Russia-based Internet Research Agency, backed by the government of Vladimir Putin, employed an army of professional trolls who posed as Americans, placing ads on social media that spread fake news and inflammatory opinions, and even pretending to be activists aligned with causes like Black Lives Matter in order to create real, in-person rallies and events.
Many in the U.S. were concerned that this kind of guerilla election interference would be the easiest to replicate in 2018, and that without action from Congress, voters would remain in the dark about the entities behind political communication.
In response, a group of senators — led by Klobuchar and Sen. Mark Warner, a Virginia Democrat — pushed for legislation that aimed to give social media users basic information about who places political ads, and which users are targeted with those ads. The essence of Klobuchar and Warner’s pitch was that the bill would hold online political ads to existing standards for political ads on TV and radio.
The so-called Honest Ads Act was co-sponsored by 31 Democratic senators, and Republican Sen. John McCain before he died in August. It never received a vote in committee, but Silicon Valley took notice of the bill’s substance: Facebook and Google both rolled out searchable databases of the political ads placed on their platforms, which included data about who paid for ads, how much they paid, and which users were targeted with the ad.
On guard in the face of widespread public backlash over its role in election meddling, Facebook did take measures to head off the kind of meddling that the Internet Research Agency carried out in 2016. (At the same time, it also worked behind the scenes in D.C. to thwart Klobuchar’s legislation.) In the months before the 2018 midterm, the social media giant identified foreign trolls and banned hundreds of accounts that they created. It banned 100 accounts on the eve of election day.
There is evidence that foreign entities, including Russia, reprised their email hacking tactics, which was their most devastating and effective ploy in 2016. That year, Russian hackers infiltrated the email accounts of top Democratic officials, such as close Hillary Clinton adviser John Podesta, and passed the trove onto WikiLeaks, which released the emails over the course of the 2016 contest, damaging Clinton’s presidential bid.
The Russian hackers behind the DNC operation tried, unsuccessfully, to hack the email accounts of Democratic candidates in 2018, including Sen. Claire McCaskill of Missouri. Politico reported this week that the email accounts of four top staffers at the National Republican Congressional Committee, the official campaign arm for House Republicans, were hacked and monitored for several months. It’s not known who was responsible, but whoever carried out the hack did not release the emails publicly before the election, like WikiLeaks did with Democrats’ emails in 2016.
Sounding the alarm without being ‘alarmist’
The most dire warnings about 2018 election interference, though, focused on the possibility that foreign entities could infiltrate voting systems: hacking into voter databases to obtain or leak sensitive information, or even manipulating vote totals by breaking into voting machines.
Experts worried that some states’ technology was so weak that experienced hackers could pull off such a feat with ease. Florida’s infrastructure, for example, is so ridden with vulnerabilities that an 11-year old manipulated election results on a replica voting machine during a hackathon in August. (It took 10 minutes.)
The Department of Homeland Security confirmed that no such hacks are believed to have occurred. Secretary of State Simon, speaking with MinnPost, did, too: “To our knowledge, we in Minnesota suffered no breach. That’s a very good thing.”
“It’ll take more time to understand what may have happened behind the scenes,” he added. “I’d say that the time, attention, and resources were well-spent on the issue, and need to be spent going forward.”
That Minnesota warded off any interference — and that it ranks near the top of states in terms of voting infrastructure strength, according to a scorecard produced by the liberal Center for American Progress think tank — was in spite of state officials being unable to access the $6.6 million in federal grant money allotted to them to beef up election security. The funds were held up due to a budget disagreement between DFL Gov. Mark Dayton and Republicans in the state legislature.
Simon is hopeful that his office will be able to access that money quickly in the new year, and he has a lot of plans for it. “It’s three people coding for four years,” he said of the effort to modernize Minnesota’s voting system. “That’s crucial in efforts to prepare for 2020.”
The possibility of this kind of devastating election hack — even though it didn’t occur in 2018 — remains the rationale behind Klobuchar’s other major bill, the Secure Elections Act, which aims to ward off hacks by making it easier for states and the federal government to share cyber-intelligence. It also establishes procedure for cooperation among governments in the event of a breach, and would require states to conduct post-election audits and have paper ballot backups where electronic voting systems are used.
The bill had the backing of a variety of Democratic and Republican senators, who came out of a closed-door briefing this summer convinced of the need to pass election security legislation. But formal consideration of the legislation was postponed indefinitely in the wake of concerns from a few state election administrators over “unfunded mandates” in the bill. Though Klobuchar wanted to add $250 million to help states perform audits of election results, the bill ended up collapsing by Labor Day amid finger-pointing between senators and election administrators.
Finding the money
In the eyes of many election security experts, Congress has a central role to play in compelling states, which have different standards and systems for voting, to get on the same page when it comes to election security. Dave Aitel, a former National Security Agency security specialist, told the Washington Post that “Protecting systems from cyber-threats from nation-states can really only be done on a national level. It’s insane we have state-level control of these systems.”
“Right now we are asking states to protect themselves against attacks from sophisticated foreign adversaries and that’s not right,” Klobuchar said in a statement to MinnPost. “In the 21st century, our adversaries will continue to use cyberwarfare to undermine our democracy and we need to be prepared to defend our networks against this growing threat to the most fundamental part of our political system: our elections.”
To experts, it’ll take comprehensive efforts — and lots of money — from the federal government to modernize the election systems of all 50 states and adequately protect them from the hacking threat. Christopher Deluzio of New York University’s Brennan Center for Justice wrote the federal government’s $380 million in grants to states is not nearly enough: he points out that in several states, like Louisiana and Pennsylvania, that total is not enough to replace electronic voting machines that are especially vulnerable to hacking.
“There simply is not enough federal money to go around to cover all of these needed investments in election security,” he writes. “These federal grants were an excellent first step by Congress, but, they’re exactly that — a first step.” (The Secure Elections Act would give states that use electronic machines additional grant money to make sure their voting systems have a paper trail, important in anti-hacking security.)
Simon said the legislation sets the floor, not the ceiling, for standards around election administration. “I think they’re reasonable expectations in terms of administering elections,” he said. “Getting a good version of the Secure Elections Act, sooner rather than later, is a really good thing.”
Klobuchar reiterated the need for Congress to pass that bill, along with the Honest Ads Act, ahead of the next election. “While we still don’t know the full extent of foreign interference in the 2018 elections, we do know that the threats to our election infrastructure from Russia and other adversaries are not going to stop and they are more than merely ‘meddling’ and ‘mucking around.’”
“The 2020 elections are right around the corner, and we need to take action to secure and protect our elections from interference of any kind,” Klobuchar said. “We can’t afford to wait.”
“What I would say, and do say, to Minnesota voters is, I don’t want anyone pausing for a second to withhold their vote because they believe their vote is going to be hacked,” Simon said.
“I characterize myself as wanting to sound the alarm without being alarmist,” he said. “People are looking actively to exploit vulnerabilities. We shouldn’t take our success in keeping people out of the system as a license to just let our attention turn away from this issue.”