Greasing the machinery of democracy can be tedious business. Aside from the occasional recount or a hanging chad, the bureaucrats who run state elections don’t usually see much drama in their work.
But this year’s all-important midterms are no ordinary election cycle. So it was that election administrators from all 50 states received rarified, red-carpet treatment outside Washington earlier this year, as federal intelligence gurus granted them secret clearances for the day, shuttled them to a secure facility, and gave them eye-opening, classified briefings on the looming threat.
The message, participants said, was chilling. Officials from the FBI, the Department of Homeland Security, the National Security Agency and other agencies warned that the Russians had already shown they could hit hard in the 2016 presidential campaign, and they have been preparing to hit even harder — and no doubt in different ways — this time around.
“This was a first for me,” Steve Sandvoss, who heads the Illinois elections office and attended the briefing, said in a recent interview. “I came out of there with the understanding that the threat is not going to go away.”
The midterms will determine control of Congress, where a flip to the Democrats in the House or the Senate would no doubt intensify the pressure Trump is already facing from Special Counsel Robert Mueller’s Russia investigation.
Over the years, officials in Washington have rarely paid much attention to the mechanics of state elections, and local vote-counting officials, who prize their independence, have usually wanted it that way. But Moscow’s surprise attacks on the 2016 campaign — through cyber-hacks and skillful manipulation of social media — has triggered alarm at all levels of government, generating a slew of initiatives over the last 18 months that are aimed at bolstering security.
Silicon Valley’s biggest names will be the ones under the klieg lights this week over a series of suspected breaches by Russian operatives and other using American social-media platforms to spread fake propaganda. Executives from Facebook, Twitter and possibly Google are scheduled to testify on Wednesday before the Senate intelligence committee. They have pledged steps to root out foreign interlopers, but some congressional Democrats say the self-policing has not gone far enough and are pushing for tighter regulations.
Whether the range of new defensive measures will actually work may end up determining not only what happens on Election Day, but also in the months and years that follow.
After all, President Vladimir Putin might have already succeeded in what American officials say is one of his main objectives: sowing confusion and doubt among voters. The question that voters in Illinois have been asking at public events, said Matt Dietrich, a state election official, is: “How do I even know that my vote is going to be counted?”
Voters in his state have first-hand reason for concern. Russian-tied hackers successfully accessed tens of thousands of voter-registration files in Illinois before the 2016 presidential election. Federal officials say they found evidence after the fact that Russian hackers had attempted to hack 21 states in all, although there have been conflicting accounts about whether any states other than Illinois were successfully compromised or not. Officials are quick to point out that the Russians are not known to have succeeded in actually changing any voter tallies.
Local election officials never really had to worry about foreign cyber-attacks before 2016, notes Jake Braun, a cybersecurity specialist in the Obama Administration who teaches at the University of Chicago. Now, officials at all ends of the election system are keenly aware of the cyber-threat not only from Russia, but also from possible copycats in Iran, North Korea, China, and rogue actors who learned from Moscow’s playbook. While the recent slew of security initiatives should help, Braun said, “I’m really concerned, and everyone should be. At the end of the day, this is a massive national security threat.”
Intelligence officials say they have picked up on clear evidence that Russia intends to continue meddling in some form or other in the November elections. Dan Coats, the director of national intelligence, laid the threat out in stark terms in a speech in June in Normandy, France. “In 2016, Russia conducted an unprecedented influence campaign to interfere in the U.S. electoral and political process. It is 2018, and we continue to see Russian targeting of American society in ways that could affect our midterm elections,” Coats said. Prosecutors from Mueller’s office, meanwhile, said in court just days after Coats’ warning that they believe Russian operatives “are continuing to engage in interference operations” like the type seen in 2016.
The dizzying pace of news about election threats over the summer has only heightened the fears in the run-up to the November mid-terms. In Florida, Democratic Sen. Ben Nelson, who is running for re-election, claimed that Russian operatives had already penetrated some state voter-registration systems, a claim that has not been verified. A Microsoft executive said it knew of spearphishing attempts against at least three unidentified campaigns in the midterms. An 11-year-old hacker needed just ten minutes to change the votes on a replica of Florida’s election system at DefCon’s hacking convention, even faster than the year before.
Google, meanwhile, took down more than three dozen YouTube accounts that it said were linked to Iranian intelligence, while Facebook said it had identified and deleted 652 accounts linked to politically charged postings from Russia and Iran. And just a month after his initial warning in France, DNI’s Coats sounded an even more dire alarm in July, saying that “the warning lights are blinking red again;” that same that day, Mueller’s office indicted a dozen more Russian agents in the 2016 attacks against Democrats.
Federal and state officials are hoping that stronger defenses and public awareness this time around can ward off a repeat of 2016. Homeland Security has designated the nation’s election system as a “critical infrastructure” for the first time, alongside nuclear reactors, defense bases, banks and other key sectors. Congress has approved $380 million for states to beef up election security. Many states have begun using specialized “hygiene scanning,” new internal security teams, and other steps to detect intruders lurking in their systems. And federal officials held a second round of briefings in July in Philadelphia for their state election counterparts.
State election officials, who were irked to find that the Obama Administration delayed giving them key information during the presidential campaign, are grateful for their newfound partnership with national security officials in Washington, who they say seem committed to keeping them in the loop. Federal officials “could have done a lot better job of letting the community of election officials know there was something going on” before the 2016 election, said Judd Choate, the director of elections in Colorado. Those frustrations had largely evaporated by the time he and other state election officials sat down for their first classified intelligence briefings in February.
But if the Russian threat has brought federal and state officials together in ways not seen before, it has also created a strange paradox in Washington. The same Homeland Security officials who have been sharing classified intelligence with the states to help defend against Russian attacks work for President Donald Trump, who has repeatedly questioned whether Moscow really interfered in the 2016 election. Admiral Michael Rogers, director of both the NSA and the US Cyber Force, revealed to stunned senators earlier this year that the president had not given him any added authority to confront the Russian election threat in the midterms, forcing the NSA to rely on its existing cyber powers. “We’re taking steps, but we’re probably not doing enough,” Rogers conceded.
The conflicting signals from the Trump Administration confound election experts like Ellen Weintraub, a longtime member of the Federal Election Commission who has pushed unsuccessfully for greater checks on foreign meddling in American elections. “This is an all-hands-on-deck moment for American democracy,” Weintraub, a Democrat, said in a recent interview. “It’s very clear now that there are foreign actors who are very interested in influencing our elections. We really have to do more.”
And that’s without even getting into the parallel propaganda threat that a number of experts believe to be an even greater risk for the nation. Mueller’s team, in an indictment earlier this year of 13 Russians and three groups accused of interfering in the election, revealed that Russia’s well-financed social-media misinformation campaign was much more elaborate — and began much earlier — than Americans had realized. And, even though Russia’s efforts have now come to light, the United States may be ill-equipped to do much about another round of political sabotage by Moscow, some security experts believe. So far, Congressional Republicans have blocked attempts to impose tougher mandatory controls on the social media industry, allowing Facebook and other tech giant to impose their own rules voluntarily. Ann Ravel, a former federal election commissioner, is almost fatalistic about what lies ahead in November.
“Our house is on fire, and we’re just sitting around,” Ravel said. “It’s pretty clear that what we saw from the Russians before is going to occur again in 2018, unfortunately. They’ll just find another mechanism to do it.”
With the midterms just two months away, federal officials said that they have not confirmed any Russian test runs or attempted hacks on American election systems — but they still think attacks are coming.
“Our overall assessment is that we expect Russia to engage in overt and covert means to sow discord and propaganda. That hasn’t changed,” a senior Homeland Security official, who spoke on condition of anonymity, said in an interview.
Federal and state officials say they believe the hard-earned lessons of the 2016 election have left them better defended against perhaps the ultimate fear: attempts by Moscow to manipulate the vote tallies in particular states, which rely on a myriad of different and decentralized systems to count ballots. “It would be nearly impossible to affect an actual outcome undetected,” the senior Homeland Security official said. “I’ll never say impossible … but we really don’t see a scenario where someone could affect the final vote count.”
Other federal and state officials echoed that view. “We are light years ahead of where we were in 2016. There were lessons learned from that,” Thomas Hicks, a commissioner on the U.S. Election Assistance Commission, which has been doling out the new federal funding to state election systems, said in an interview.
But some outside cyber-security and election experts are skeptical, saying the vulnerabilities in the election system remain gaping. Remarkably, five states rely solely on electronic voting tabulations, with no paper backup to verify the results. “Anyone who thinks ‘don’t worry, nothing bad can happen,’” said Jeremy Epstein, a computer scientist and expert on election technology who works with the Verified Voting Foundation, “really has their head in the sand.”