U.S. elections are vulnerable to cyber attack in 2018

The 2018 mid-term elections are vulnerable to attack from what the Russians may have learned from their probing cyber attacks on state election systems during the 2016 election.

NBC News reports, U.S. intel: Russia compromised seven states prior to 2016 election/span>:

The U.S. intelligence community developed substantial evidence that state websites or voter registration systems in seven states were compromised by Russian-backed covert operatives prior to the 2016 election — but never told the states involved, according to multiple U.S. officials.

Top-secret intelligence requested by President Barack Obama in his last weeks in office identified seven states where analysts — synthesizing months of work — had reason to believe Russian operatives had compromised state websites or databases.

Three senior intelligence officials told NBC News that the intelligence community believed the states as of January 2017 were Alaska, Arizona, California, Florida, Illinois, Texas and Wisconsin.

The officials say systems in the seven states were compromised in a variety of ways, with some breaches more serious than others, from entry into state websites to penetration of actual voter registration databases.

While officials in Washington informed several of those states in the run-up to the election that foreign entities were probing their systems, none were told the Russian government was behind it, state officials told NBC News.

All state and federal officials who spoke to NBC News agree that no votes were changed and no voters were taken off the rolls.

After NBC’s report on the compromised states aired Tuesday night, Department of Homeland Security (DHS) Acting Press Secretary Tyler Houlton challenged its accuracy in a series of tweets. “NBC’s reporting tonight on the 2016 elections is not accurate and is actively undermining efforts of the Department of Homeland Security to work in close partnership with state and local governments to protect the nation’s elections systems from foreign actors,” wrote Houlton.

“As we have consistently said, DHS has shared information with affected states in a timely manner and we will continue to do so. We have no intelligence — new or old — that corroborates NBC’s reporting that state systems in seven states were compromised by Russian government actors. We believe tonight’s story to be factually inaccurate and misleading.”

On Wednesday morning, however, Michael Daniel, the top White House cybersecurity official at the end of the Obama administration, told NBC News that the government’s assessment when he left the White House in January 2017 was that networks in seven states were compromised. He said he could not account for whether that assessment had changed in the past year.

Daniel, who is now president of the Cyber Threat Alliance, an industry group, said it was the intention of the Obama administration to inform those states, “but clearly it didn’t happen the way that we wanted it to.”

“This continued debate about whether or not the states were notified is actually distracting from the larger point, which is that we need to build the relationship between the federal government and state governments in the electoral area to improve cybersecurity,” he said.

“It is also easy to get lost in the cybersecurity industry’s ability to parse words, and the differing definitions of malicious cyber activity. But between what the states themselves detected and what the federal government detected through law enforcement and intelligence, it clearly showed a really broad-based Russian campaign to probe and figure out how they could gain access to different components of our electoral systems.”

According to classified intelligence documents, the intelligence community defines compromised as actual “entry” into election websites, voter registration systems and voter look-up systems.

NBC News reached out to all seven states that were compromised, as well as 14 additional states that DHS says were probed during the 2016 election.

To this day, six of the seven states deny they were breached, based on their own cyber investigations. It’s a discrepancy that underscores how unprepared some experts think America is for the next wave of Russian interference that intelligence officials say is coming.

Eight months after the assessment, in September 2017, the Trump administration’s DHS finally contacted election officials in all 50 states to tell them whether or not their systems had been targeted. It told 21 states they had been targeted, and U.S. officials acknowledged that some of those attempts had been successful.

* * *

The Trump DHS, like under the Obama administration, has declined to share the intelligence assessment of which states were actually compromised, according to state election officials.

This month, in an exclusive interview with NBC News, Jeanette Manfra, the current head of cybersecurity at DHS, said that “an exceptionally small number” of those 21 states “were actually successfully penetrated.” But Manfra declined to answer questions about the classified intelligence assessment, or to say specifically how many states had been penetrated.

Top election officials from all 50 states met in Washington this month for a National Association of Secretaries of State conference and received temporary security clearances for a classified threat briefing from intelligence officials. According to two officials present, one from the intelligence community and the other a state official, the actual intelligence on state compromises was not shared.

While numerous state election officials told NBC News that the Department of Homeland Security has been stepping up communications with them, many say they’re worried they are still not getting enough information from Washington.

Illinois itself had detected a “malicious cyberattack” on its voter registration system in the summer of 2016 and reported it to DHS, saying its voter rolls had been accessed but nothing had been altered. It is the only state to acknowledge actual compromise.

The other six states from the January 2017 assessment, however, say that when DHS told them last September that their systems had been targeted, it still did not tell them that their systems had been compromised. All six [including Arizona] also say that based on their own cyber investigations, they believe their election systems were never compromised.

Fears of a repeat in 2018

Nearly 16 months after the presidential election, and more than eight months before the critical midterms, many state and federal officials are convinced the Russians will be back. They’re concerned that 2016 was laying the groundwork for a possible future attack.

“We have an extreme sense of urgency on insuring security of the 2018 elections, because you don’t get a chance to do it over,” said Alex Padilla, California’s secretary of state, who said there was no evidence of a successful hack in California.

Several state election officials, including Padilla, told NBC News they think they should have been told that U.S. intelligence agencies believed they’d been breached whether or not that turned out to be true.

“It is hugely imperative that intelligence be shared with state elections officials immediately in order to protect our election infrastructure and the integrity of election results,” Padilla said.

Reluctance to share the information may be due, in part, to the classification of the intelligence itself. Multiple intelligence officials told NBC News that determining the Russian government was behind the hacks depended on “exceptionally sensitive sources and methods” including human spies and eavesdropping on Russian communications.

No state election official at the time had a security clearance sufficient to permit access to such sensitive information, according to DHS.

* * *

A spokesperson for the Arizona secretary of state, Matt Roberts, said the state had still not been informed of a successful hack, and had seen no evidence of one. Roberts said the state had not been told that “ANY Arizona voting system has been compromised, nor do we have any reason to believe any votes were manipulated or changed. No evidence, no report, no nothing.”

Oh Really? Back in August 2016 it was widely reported, Officials: Hackers breach election systems in Illinois, Arizona:

According to Matthew Roberts, director of communications for the Arizona secretary of state, in late May, Arizona officials took the statewide voting registration system offline after the FBI alerted the Arizona Department of Administration that there was a credible cyber threat to the voter registration system.

Although The Washington Post reported that Roberts attributed the database breach directly to a Russian hacker, when pressed by CNN, he said that the Arizona secretary of state’s office learned of Russian involvement from internal IT and cyber security staff. “We indirectly heard that the credential and username posted online was from a known Russian hacker,” Roberts said.

When they took the system offline to review any vulnerabilities, they discovered that a county election official’s username and password had been posted online publicly. It’s believed that a worker may have inadvertently downloaded a virus which exposed the username and password. In this instance, the username and password information posted would only give individuals access to a localized, county version of the voting registration system, and not the entire state-wide system.

Roberts says there is no evidence that any data within the system was compromised and there was no evidence of malware present in the database.

Bradley Moss, a lawyer specializing in national security, tried to lift the veil and find out what U.S. intelligence knew about the Russian attempts to compromise the voter system. He sued for disclosure of government files and won last week, receiving 118 top-secret pages from the intelligence community. The pages referred to “compromises” and other breaches but the pages were almost completely blacked out for security reasons.

Said Moss: “The spreadsheets show that there were documented breaches of election networks. That there were documented, numerous documented instances of attempted breaches of state election networks, and that there was a widespread concern among several agencies in the intelligence committee about the sanctity and the integrity of these election networks.”

In a statement, DHS said it has been working with state and local officials for more than a year on the issue.

“This relationship is built on trust and transparency, and we have prioritized sharing threat and mitigation information with election officials in a timely manner to help them protect their systems,” DHS acting press secretary Tyler Houlton said.

“In addition to granting state officials clearances to give them access to classified information, we work to declassify information rapidly and have the ability to grant one-day waivers when necessary to provide state officials with information they may need to protect their systems.

“We are committed to this work and will continue to stand by our partners to protect our nation’s election infrastructure and ensure that all Americans can have the confidence that their vote counts — and is counted correctly.”

A statement from the Office of the Director of National Intelligence said only: “The declassified Intelligence Community Assessment of January 6, 2017, found that Russian actors did not compromise vote tallying systems. That assessment has not changed.”

Next steps

At a Senate hearing on Tuesday, the National Security Agency director, Adm. Mike Rogers, acknowledged that the White House has not directed him to try to stop Moscow from meddling in U.S. elections.

Sen. Claire McCaskill, D-Mo., said that was “outrageous” and asked whether the U.S. was in a position to stop Russia from “doing this again.”

“We’re taking steps but we’re probably not doing enough,” Rogers said.

“I want to know, why the hell not?” McCaskill shot back. “What’s it going to take?”

While the FBI and the Department of Homeland Security say they are taking steps to shore up cyberdefenses, FBI Director Christopher Wray told Congress this month that the instructions did not come from the top.

When Sen. Jack Reed, D-R.I., asked Wray if the president had directed him or the bureau to take “specific actions to confront and blunt” ongoing Russian activities, Wray said, “We’re taking a lot of specific efforts to blunt Russian efforts.”

Sen. Reed then asked, “Specifically directed by the president?” Wray answered, “Not as specifically directed by the president.”

For the future, Zarate suggests taking a lesson from the past.

“After 9/11, the walls between law enforcement and intelligence sources had to be broken down in order to connect the dots,” Zarate said. “There has to be a whole-of-government and whole-of-nation approach to dealing with what is an assault on American democracy.”

Pro Publica reports at Salon, Election security a high priority — until it comes to paying for new voting machines:

Machine malfunctions are a regular feature of American elections. Even as worries over cybersecurity and election interference loom, many local jurisdictions depend on aging voting equipment based on frequently obsolete and sometimes insecure technology. And the counties and states that fund elections have dragged their heels on providing the money to buy new equipment.

A ProPublica analysis of voting machines found that over two-thirds of counties in America used machines for the 2016 election that are over a decade old. In most jurisdictions, the same equipment will be used in the 2018 election. In a recent nationwide survey by the Brennan Center for Justice, election officials in 33 states reported needing to replace their voting equipment by 2020. Officials complain the machines are difficult to maintain and susceptible to crashes and failure, problems that lead to long lines and other impediments in voting and, they fear, a sense among voters that the system itself is untrustworthy.

While election equipment needs to be replaced more often, election administration remains a low funding priority, a ProPublica review of state and local budgets nationwide found.

* * *

While elections may be the cornerstone of a functioning democracy, funding them is an uphill battle. A 2014 report by the Presidential Commission on Election Administration reported that election administrators viewed themselves as the “least powerful lobby in state legislatures and often the last constituency to receive scarce funds at the local level.”

In 2015, The Brennan Center estimated that 43 states, along with the District of Columbia, used polling place machines that were no longer manufactured. Wendy Underhill, director of elections and redistricting at the National Conference of State Legislatures says “Some voting equipment today works with old operating systems — Windows XP or Windows 2000 — and data storage devices we wouldn’t even know what to do with today.”

Finding the necessary software and hardware has election administrators sifting through technology graveyards.

* * *

Buying machines online from non-certified vendors can heap additional security risks on top of the risk already posed by antiquated, vulnerable equipment. For over a decade, experts have warned of the risks of voting machines that store all information electronically, because voters cannot verify their votes and there’s no way to properly audit these machines.

A recent report on election security by the Center for American Progress says “conducting elections with paper-based voting systems is one of the most important steps states can take to improve election security.” Paperless machines are still used in 14 states.

* * *

[E]lection officials are still concerned about systems’ vulnerability to hacking by bad actors who gain access to individual machines on Election Day, and about the public’s ability to draw a distinction between small-scale in-person hacks and large-scale remote ones. There is no shortage of demonstrations of the former. Over a long weekend last summer, hackers at a conference in Las Vegas, DefCon, managed to breach all five models of paperless voting machines, as well as an electronic poll book. The hack received a great deal of media attention. One machine, called a WINvote by Advanced Voting Solutions, was hacked in under two hours and reprogrammed to play Rick Astley’s 1987 song “Never Gonna Give You Up.”

Masterson considers the Defcon hack a poor indicator of the security of real systems, describing the exercise as giving hackers “unlimited access to old systems.” Some relied on undetected physical access, a difficult feat in a polling place. The equipment in the experiment was chosen because of its easy availability on eBay, not because of its prevalence in actual elections. The WINvote machine has not been used in any U.S. election since 2014.

For others, though, the DefCon report was a resounding signal to end the use of paperless voting machines.

Much of the rest of the Pro Publica report delves into the lack of funding issues.

And if all of this does not make your butt pucker, read Kim Zetter’s lengthy investigative report at the New York Times about The Myth of the Hacker-Proof Voting Machine: many critical election systems in the United States are poorly secured and protected against malicious attacks.

Back in January 2017, the Department of Homeland Security Designated Election Infrastructure as a Critical Infrastructure Subsector. Federal, state and local governments have failed to adequately fund critical election infrastructure.