Certain scenarios keep security professionals up at night. For Lisa Monaco, that scenario has disastrous implications for American democracy and the systems it uses to collect voter registration information.

“So if you’re a state and local entity, and your voter registration database is housed in the secretary of state’s office and is not encrypted and it’s not backed up, and it says Lisa Monaco lives at Smith Street and I show up at my [polling place] and they say ‘Well, we don’t have Ms. Monaco at Smith Street, we have her at Green Street,’ now there’s difficulty in my voting,” said Monaco, a former White House homeland security advisor, in an interview with the U.S. Senate Select Committee on Intelligence.

“And if that were to happen on a large scale, I was worried about confusion at polling places, lack of confidence in the voting system, anger at a large scale in some areas, confusion, distrust,” she explained. “So, there was a whole sliding scale of horribles when you’re talking about voter registration databases.”

Monaco was not alone in sharing her worst-case scenario fear with the committee. Michael Daniel, former assistant to the president and cybersecurity coordinator for the National Security Council, echoed Monaco’s thoughts in his interview with the senators about the ramifications of an incident on election day in the United States.

Daniel shared that in 2017 a policy group was looking at three possible ways to sow chaos on election day. The first scenario he highlighted was changing voter registration databases, as Monaco feared, to prevent people from using the proper voting system.

“A second one was to do a variant of the penetrating voting machines, except this time what you do is you do a nice video of somebody conducting a hack on a voting machine and showing how you could do that hack and showing them changing a voting outcome,” Daniel explained. “And then you post that on YouTube, and you claim you’ve done this 100,000 times across the United States, even though you haven’t actually done it at all.”

The third scenario involved conducting a Denial of Service attack on the Associated Press, which provides most of the reporting on election day that is referenced by other media outlets.

“It doesn’t actually change anything, but it gives the impression that there’s chaos,” Daniel said.

Monaco and Daniel were just two of the numerous experts the committee interviewed during its ongoing investigation into Russian interference in the 2016 U.S. presidential election.

Like previous intelligence reports, the committee said that the Russian government “directed extensive activity, beginning in at least 2014 and carrying into at least 2017, against U.S. election infrastructure at the state and local level,” according to the first volume of the committee’s declassified report. However, the committee stressed that it had no evidence that any votes were changed or that voting machines were manipulated due to Russian interference.

The committee said that great strides have improved the security of U.S. elections after 2016, but systems remain vulnerable. In addition, the U.S. Department of Homeland Security (DHS) said voting systems are still under attack.

DHS assessed that “numerous actors are regularly targeting election infrastructure, likely for different purposes, including to cause disruptive effects, steal sensitive data, and undermine confidence in the election,” according to the committee’s report (Report of the Select Committee on Intelligence United States Senate on Russian Active Measures Campaigns and Interference in the 2016 U.S. Election, Volume 1: Russian Efforts Against Election Infrastructure with Additional Views).

 What Happened

As early as 2014, the Russian government began laying the groundwork to conduct a variety of intelligence-related activities targeting the American voting process, including undermining confidence in U.S. democratic institutions. Russia has denied this activity.

One approach the Russians used was to scan state election systems; their activities were first identified in 2016 in the lead-up to election day in November.

“In mid-July 2016, Illinois discovered anomalous network activity, specifically a large increase in outbound data, on an Illinois Board of Elections voter registry website,” according to the committee. “Working with Illinois, the FBI commenced an investigation. The attack resulted in data exfiltration from the voter registration database.”

The FBI then issued an unclassified FLASH alert—a notification about potential cyberthreats—to state technical-level experts about suspect IP addresses the Bureau had identified from the attack on Illinois. However, the alert did not attribute the attacks to a specific actor.

After the FBI issued the alert, DHS through its Multi-State-Information Sharing & Analysis Center (MS-ISAC) requested that states review their log files to see if the IP addresses from the FLASH had accessed their infrastructure. Twenty additional states then confirmed that those addresses had made connections.

In another state, referred to as State 4 in the report, a cyberactor successfully targeted a county employee via a phishing email, stealing the employee’s credentials and posting them online.

“Those stolen credentials were used in June 2016 to penetrate State 4’s voter registration database,” according to the report. “The actor used the credentials to access the database and was in a position to modify county, but not statewide, data.”

Other states reported that Russian threat actors scanned their systems, and Daniel said that “eventually we get enough of a picture that we become confident over the course of August of 2016 that we’re seeing the Russians probe a whole bunch of different state election infrastructure, voter registration databases, and other related infrastructure on a regular basis.”

Eventually, DHS would determine that all 50 U.S. states were targeted by Russian threat actors using various ways.

“What it mostly looked like to us was reconnaissance…. I would have characterized it at the time as sort of conducting the reconnaissance to do the network mapping, to do the topology mapping so that you could actually understand the network, establish a presence so you could come back later and actually execute an operation,” Daniel explained.

Daniel also told the committee that in his “professional judgment,” the United States should operate under the assumption the Russians “tried to go everywhere, because they’re thorough, they’re competent, they’re good.”

In addition to their cyber prowess, the Russians also took advantage of a reporting structure between the U.S. federal government and state and local election officials to issue actionable alerts on threats.

In 2016, DHS became increasingly aware of the activity the Russians were engaging in and that the department was not poised to provide the support states needed to address it. According to Monaco, DHS was also concerned that any action it might take could create panic that would further undermine election security.

“I know we tried very hard to strike a balance between engaging state and local officials and federal officials in the importance of raising cyber defenses and raising cybersecurity,” she said. “And not sowing distrust in the system, both because we believed it to be true that the system is in fact quite resilient because…of its diffuse nature; and because we did not want to…do the Russians’ work for them by sowing panic about the vulnerability of the election.”

And when federal officials did raise the alarm, states were not given enough context to address the threat, or the information was not communicated to the right personnel to act.

For instance, when the FBI issued the previously mentioned FLASH alert, it did not mention that it involved a nation-state actor.

“Given the lack of context, state staff who received the notification did not ascribe any additional urgency to the warning,” according to the report. “To them, it was a few more suspect IP addresses among the thousands that were constantly pinging state systems. Very few state IT directors informed state election officials about the alert.”

States were also skeptical of DHS’s efforts to discuss activity it was seeing related to election systems infrastructure, the department’s offers of help through conference calls, and other measures.

“Most state officials found the conference calls lacking in information and were left wondering exactly what the threat might be,” according to the report. “Several states said the DHS representatives could not answer any specific questions effectively.”

Addressing the Problem

In 2016, then-U.S. Secretary of Home-land Security Jeh Johnson knew that the U.S. election infrastructure was vulnerable, and that DHS was not in the best position to address it.

In August 2016, he floated the idea of designating election infrastructure as critical infrastructure. This designation would provide states with a priority for services from DHS to address vulnerabilities and give them protections under international cyber norms. His idea was immediately met with objections from state officials, who saw the move as a federal takeover of a state- and local-run process.

As months went by and Johnson learned more about the Russians’ activity, he decided in January 2017 to move forward, officially classifying election infrastructure as critical infrastructure.

“This designation recognizes that the United States’ election infrastructure is of such vital importance to the American way of life that its incapacitation or destruction would have a devastating effect on the country,” according to a DHS statement.

Included in the definition of election infrastructure are voter registration databases and associated IT systems; IT infrastructure and systems used to manage elections; voting systems and associated infrastructure; storage facilities for election and voting system infrastructure; and polling places to include early voting locations. It does not include national political parties, campaigns, or the candidates themselves.

Following the designation and the release of additional information about Russia’s activities in the lead-up to the 2016 election, DHS moved to rebuild trust with its state and local partners.

Spearheading this work is a new agency under DHS, the Cybersecurity and Infrastructure Security Agency (CISA)—which was established in November 2018.

“For us, a top priority at CISA has been to improve and ensure the proper communications channels are in place and that information is shared, timely and actionably, to state and local officials so that they can manage risks to their systems,” says Matthew Masterson, senior advisor on election security at CISA.

“It’s not an exaggeration to say that in 2016 DHS—in part because they had never worked an election before—didn’t know who to contact, how elections were run,” he adds. “Since that time, we’ve established points of contact in all 50 states of who to contact if we have information that needs to be pushed out to that state specifically, or across the state.”

DHS also created an information sharing and analysis center specifically for elections, dubbed the E-ISAC. All 50 states are participating, along with almost 2,000 local jurisdictions, daily pushing out information about risks and threats specific to elections.

“It could be general information around what is ransomware, how do you protect against it, what SQL injection is, what steps you can take to mitigate risk there, to very specific technical indicators—like what were shared in 2016,” Masterson explains. “But now we know are going to reach those state and local officials, and their IT leads, to ensure that they can take action.”

CISA also provides the states with best practices for securing their systems and recommendations for voting machines, such as that voting systems should be easily auditable—preferably with a system that provides a paper trail.

Additionally, CISA has worked with the intelligence community to make information sharing on elections more efficient so data can be pushed out to state and local officials quickly.

And all 50 states have now deployed Albert sensors—intrusion detection devices designed to identify malicious activity on networks—on their election infrastructure. These sensors are supported by DHS and provide alerts on known technical indicators.

“That’s a level of visibility and understanding of activity targeting election infrastructure that we certainly didn’t have in 2016,” Masterson says. “We’ve increased that understanding exponentially in having it across all 50 states.”

CISA also conducted tabletop exercises in 2018 and 2019 with its state and local partners on responding to a cyberattack. Masterson says the agency plans to host another tabletop in 2020 following the success of the 2019 exercise, in which 46 states and three territories participated, along with four federal partners.

“We’ll do another one again in 2020, all with an eye towards, ‘Hey, how do I detect if something’s on my system? If I find that there’s an issue, who do I contact?’” he adds.

As an additional level of support, CISA offers incident response services—a team of experts who will go out to a state or local office to work with employees to address an identified problem.

Alexander Joves, CISA Region 5 director, says the agency offers the same type of services to address physical security concerns to voting systems, and that outreach has been done to all 50 states.

In an interview at Global Security Exchange (GSX) in September 2019, Brian Harrell, CPP, assistant director for infrastructure security at CISA, says this coordination has made America’s election systems much more secure since the 2016 election and that we are in a “much better position on election security.”

However, the scope of what CISA can do is limited because all of its services are voluntary; election officials are not required to take any steps that CISA recommends for enhancing cybersecurity.

This is why U.S. Senator Ron Wyden (D-OR) continues to advocate that the federal government should regulate the security of the state and local election infrastructure.

“America is facing a direct assault on the heart of our democracy by a determined adversary,” Wyden said in a written minority statement attached to the Senate committee’s report. “We would not ask a local sheriff to go to war against the missiles, planes, and tanks of the Russian Army. We shouldn’t ask a county election IT employee to fight a war against the full capabilities and vast resources of Russia’s cyber army. That approach failed in 2016, and it will fail again.”

Instead, Wyden said Congress should create mandatory, nationwide cybersecurity requirements for election infrastructure.

“Absent an accessibility need, most voters should hand-mark paper ballots. For voters with some kind of need, ballot marking devices that print paper ballots should be available,” Wyden added. “Risk-limiting audits must also be required. Currently, however, only Virginia, Colorado, and Rhode Island meet these requirements.”

The U.S. House of Representatives addressed Wyden’s concerns by passing the Securing America’s Federal Elections (SAFE) Act (H.R. 2722)—225 to 184, with one Republican voting for the bill.

But the Senate has not taken up the bill and is unlikely to do so under U.S. Senator Mitch McConnell’s (R-KY) leadership; he previously blocked the measure this summer.

“Clearly this request is not a serious effort to make a law,” McConnell said in a report by The Hill. “Clearly something so partisan that it only received one single solitary Republican vote in the House is not going to travel through the Senate by unanimous consent.”

The politicization of enhancing election security hinders the effort, says John Dickson, principal at cyber firm Denim Group who has consulted with election officials in Texas.

“We’ve fully transitioned out of the world of technical and objective to an entirely political realm, and I mean that in a negative way,” Dickson explains. “Now you’ve got not just the president and his spokespeople, but also Senator McConnell. It’s so wrapped up in politics it’s almost become a litmus test of if you think the Russians were meddling.”

And this infighting will only embolden the Russians to conduct similar efforts against the 2020 elections.

“When you’re dealing with the [Russians], I’m assuming you’re doing basic blocking and tackling. This is an information operation,” Dickson says. “The technical part of it is purely a means to an end. The real focus is around the ability to undermine confidence—and that can be done purely through social media. You don’t have to break the election system.”

Megan Gates is senior editor at Security Management. Contact her at [email protected]. Follow her on Twitter: @mgngates.