The year is 2018.
Tens of millions of people show up to vote in the midterm elections to discover their names are no longer on the voter rolls. Thousands of voting machines malfunction and do not properly record votes. Tallies are distorted and inaccurate numbers are sent from counties to states. TV networks call races for the wrong candidates. Recounts begin. Lawsuits are filed.
That’s the nightmare scenario for the 2018 elections, and national security and cybersecurity experts warn it’s a very real possibility unless something is done about the country’s outdated election infrastructure — and fast. The hyper-partisan atmosphere on Capitol Hill, however, appears to have frozen any effort to shore up defenses ahead of the midterms, with Republicans wary of giving more attention to the ongoing Russia probes and suspicious that Democrats are only using the issue to attack the president.
And while the Obama administration retaliated against Russia with some sanctions and the Senate recently passed a bill tacking on a few more, Donald Trump’s White House and the Republican-led Congress have done almost nothing to defend against future interference. Trump has repeatedly cast doubt on the intelligence community’s conclusion that Russia was behind the election cyberattacks and has extended an open hand to the country’s president, Vladimir Putin. In fact, Trump tweeted Sunday morning that he and Putin may be partnering on cybersecurity, an idea that lead to widespread criticism from lawmakers. (Trump later backtracked).
But even the talk of a potential collaboration was surprising given that many current and former members of the American intelligence community believe Russia will use cyberattacks to sabotage future elections and that the U.S. is vulnerable to attacks on the most basic function of any democracy. The meddling in last year’s presidential election, which the American intelligence community maintains was coordinated by Russia, could very well be just a taste of what’s to come, and has the potential to infect hundreds of races around the country in 2018.
“They will be back,” former FBI Director James Comey told Congress of the Russians in June. And former Director of National Intelligence James Capper told CNN Thursday that he believed the Russian government is stepping up its spying efforts now in order to “prep the battlefield for the 2018 elections.”
The emerging consensus among national security and cybersecurity experts is that the United States’ election systems remain vulnerable in three main areas: voting machines that do not have paper records, voting registration databases that have weak cyber defenses, and propaganda that’s disseminated through social media.
Old voting machines could be manipulated without a trace of the hacker being detected. Names on voter rolls could be altered and create mass confusion at the polls. And it’s unclear what social media companies are doing, if anything, to combat the proliferation of misinformation disguised as news.
“The United States government sets standards for cybersecurity for banks and audits them, it sets standards for privacy of electronic healthcare information, but there are no cybersecurity standards for its election systems,” said Richard Clarke, the former national coordinator for Security Infrastructure Protection and Counterterrorism in the Clinton and Bush administrations and the author of a new book about oncoming crises, titled “Warnings: Finding Cassandras to Stop Catastrophes.”
“There are ways that you can interfere with the tallying process and cast doubt on election results,” he added. “That creates a disunity in the United States, which is one of Russia’s prime objectives.”
But it’s not just the election infrastructure that could be compromised: People involved with Hillary Clinton’s presidential campaign are also worried that hackers will focus their energies on the campaigns themselves in an attempt to recreate the same kind of frenzy we saw around WikiLeaks’ release of John Podesta’s emails. The breach of the campaign chairman’s emails and the Democratic National Committee’s servers was an enormous coup, and experts believe Russia or others will try to replicate it.
“We have to move quickly in a bipartisan way to better secure our campaigns,” Robby Mook, Clinton’s campaign manager, told VICE News. “Campaigns are the smallest and briefest of startups and lack the budget or expertise for world-class cybersecurity, yet they’re some of the highest targets for world-class hackers.”
Following the primary elections, there will be approximately 936 Democratic and Republican campaigns for the House and Senate in 2018 that could be targeted.
Though there is bipartisan agreement that election infrastructure and campaigns aren’t sufficiently secure, no legislation is being seriously considered to shore it up.
Instead, House Republicans are attempting to cut or entirely defund the Election Assistance Commission without replacing it with anything to help states update their voting systems. The Trump White House — which has been defensive about acknowledging Russian interference in last year’s election —has shown little interest in figuring out how to prevent the sort of meddling that occurred in the presidential election.
Comey testified in June that Trump never had a conversation with him about what the government should be doing to combat Russian interference in the election system. And Attorney General Jeff Sessions also testified in June that he has never attended a briefing or read an intelligence report on Russia’s alleged interference. “I know nothing but what I’ve read in the paper,” he told the Senate Intelligence Committee.
The White House did recently establish a Voting Integrity Commission but that is tasked with investigating voter fraud, not defending against foreign interference. (President Trump has repeatedly claimed without evidence that 3 million to 5 million people voted illegally in November and cost him the popular vote.) The White House did not return a request for comment.
The Department of Homeland Security declared in January that election systems are now classified as “critical infrastructure,” but what exactly that means has been difficult to pin down. The department doesn’t have the power to take over elections or enforce security standards, which means that all of its recommendations are “voluntary,” as Secretary John Kelly said recently.
So Homeland’s tools include things like “offer our cybersecurity services” and “establish mechanisms for engagement,” a DHS official told VICE News in a statement describing their efforts. And even those actions have rankled secretaries of state across the country.
“We are struggling to understand — and implement — the U.S. Department of Homeland Security’s January 2017 Executive Order,” Connie Lawson, Indiana’s secretary of state and the president-elect of the National Association of Secretaries of States, told the Senate Intelligence Committee in June. She also expressed frustration at the lack of information about foreign threats. “No secretary of state is currently authorized to receive classified threat information from our intelligence agencies,” she said.
It’s not known how much social media companies are doing to prepare for another deluge of fake news and bots, and they have so far avoided harsh congressional scrutiny. The Senate Intelligence Committee hasn’t ruled out calling executives from Facebook or Twitter to testify or subpoenaing information from those companies.
At the moment, however, there are just “ongoing conversations with the companies,” according to Rachel Cohen, the press secretary for the committee’s vice chairman, Democrat Sen. Mark Warner of Virginia.
Some Republicans, like Sen. Marco Rubio of Florida, have spoken out about their concern that Russia or another actor could disrupt the 2018 and 2020 elections. But when asked about specific proposals the senator supports to tackle the problem, Rubio’s office pointed only to a statement calling for more transparency from voter machine manufacturers.
The Senate Rules Committee — which has jurisdiction over federal elections — has yet to hold a hearing on the issue, even as the committee’s highest-ranking Democrat, Sen. Amy Klobuchar of Minnesota, has proposed legislation to provide $325 million in grants to state and local election systems. “We must put partisanship aside to protect our elections from future attacks,” Klobuchar said in a statement to VICE News. “This isn’t about one candidate or one party or one election.”
Asked why there have been no hearings, the office for the Republican chairman of the Rules Committee, Sen. Richard Shelby of Alabama, sent VICE News a copy of a letter Shelby had sent to the Intelligence Committee essentially ceding responsibility for election security to the other committee.
“While the Committee on Rules and Administration is charged with the oversight of federal elections generally, I believe that the Committee is not an appropriate venue for the examination of national security and intelligence matters,” he wrote. “We look forward to the results of your investigation.”
The Senate Intelligence Committee’s investigation will almost certainly go through the end of 2017, if not much longer. By the time it concludes, there will not likely be enough time to draft and pass legislation to update America’s election infrastructure.
“We need to do a lot more,” said J. Alex Halderman, a computer science professor at the University of Michigan, who testified in June before the Senate Intelligence Committee about voting machine security. “So far, the federal government has been doing outreach and penetration testing, which is good but also the absolute most basic step we could be taking.”
Halderman presented a letter to Congress in June, signed by over 100 experts in computer science and election auditing, that echoed his calls for “prompt action.” At the top of their list of reforms is the replacement of voting machines that leave no paper record and therefore can’t be audited.
Fourteen states, including Pennsylvania and Virginia, still use such machines, which Halderman says are especially vulnerable to hacking. “It’s entirely within the capability of sophisticated cyber adversaries to change the vote in states like Pennsylvania,” he said.
At the moment, it seems unlikely those machines can be replaced before the 2018 elections. Sen. Angus King of Maine, an Independent who caucuses with the Democrats, has requested $160 million in next year’s budget for the purpose of replacing old machines, but it’s unclear if that request will go anywhere. Even if it did, more money is likely needed and swapping them all might not be possible in 15 months.
Voter registration systems were also a main target in 2016 and they could very well be again. The Department of Homeland Security recently confirmed that hackers targeted such systems in 21 states in the run-up to the November election. In at least one case, hackers attempted to alter information in Illinois’ voter rolls which could have lead to chaos on Election Day as people tried to vote.
The strength of the cyber defenses varies greatly from state to state with no enforced uniform standard. It is still not publicly known how far hackers penetrated into these systems, how much data they stole, and if they successfully installed any malware.
Secretary Kelly called election hacking “the way of the future” in a speech at the Center for a New American Security on June 28, adding an ominous warning: “We have to protect this or we’re not a real democracy anymore.”