Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Will Congress Lose Midterm Elections to Hackers?

Bill Seeks $380 Million for States, But DHS Says Most Lack Security Clearances
Will Congress Lose Midterm Elections to Hackers?
Homeland Security Secretary Kirstjen Nielsen testifies March 21 before the Senate Intelligence Committee.

State and local officials will not have the full range of much-needed cybersecurity practices and equipment in place for the November 6 U.S. midterm elections. But efforts underway might deliver much-needed improvements in time for the 2020 elections, Homeland Security Secretary Kirstjen Nielsen told a Senate committee Wednesday.

See Also: Spear Phishing: Top 3 Threats

At the Senate Intelligence Committee hearing on election security, Republican and Democratic senators blasted Nielsen for the poor state of the country's cybersecurity election preparations following Russia's meddling in the 2016 presidential election.

During the hearing, Nielsen revealed that of the 150 state officials - three per state - with which DHS wants to share intelligence, only 20 officials so far have the necessary clearances to receive it.

Those efforts are part of a much broader push by DHS to assist state and local election officials. That includes working with voting machine manufacturers to design more secure systems, getting these systems rolled out across states - especially to replace machines that offer no paper backups - as well as securing other systems and processes used to organize elections, among other initiatives. All of this "will require a significant investment over time," Nielsen said.

In other words, with less than eight months to go before the U.S. midterm elections, don't expect cybersecurity miracles.

Ttwo states already have held primaries this month. One of them was Illinois, which saw its systems get breached by attackers in 2016. Next month, 11 more states are set to hold primaries.

Threat 'Remains High'

The nation's intelligence chiefs have been unanimous in their appraisal that Russian efforts to shape U.S. political opinion since 2016 have not diminished and may indeed be escalating (see Anatomy of a Russian Information Warfare Campaign).

Nielsen echoed those warnings, telling senators that the foreign threat to U.S. elections "remains high."

Senators pressed her on why the Department of Homeland Security and the Trump administration aren't doing more to combat the threat.

"The issue is urgent," Sen. Richard Burr of North Carolina, the committee's Republican chairman, said at the hearing. "If we start to fix these problems tomorrow, we still might not be in time to save the system" by this year's midterm elections.

Sen. Susan Collins, R-Maine, said she failed to hear an election cybersecurity "sense of urgency" from the federal government. "We're already in an election year," she added.

"The threat is real; the need to act is urgent," said Virginia Sen. Mark Warner, the top Democrat on the committee. "Perhaps most of all, we need a president who will acknowledge the gravity of this threat and lead a whole of society effort to harden our defenses and inoculate our society against Russia's malicious interference."

On Tuesday, the committee released a report calling for six measures to battle election interference, including better information sharing, better securing election-related systems and rapid replacement of old and vulnerable voting systems. "At a minimum, any machine purchased going forward should have a voter-verified paper trail and no WiFi capability," the report says.

Nielsen Defends Response

Nielsen, however, defended the federal government's efforts, which are being led by DHS but also include the Department of Justice, the FBI and the Office of the Director of National Intelligence. She says DHS is prioritizing election cybersecurity over other critical infrastructure protection efforts and attempting to more quickly distribute intelligence.

"We're expending not only extraordinary resources to provide any support at the request of states," she said. "If we have intel, we will read in the appropriate state officials that day, so we're not waiting for clearances."

Nielsen said there is also a separate initiative underway to combat foreign interference "through messaging, propaganda and manipulation," which is being led by the Justice Department, FBI and Department of State.

As part of a Congressional omnibus spending bill which faces a Friday deadline - or else a government shutdown will be triggered - lawmakers have included provisions that would offer $380 million in election technology grants to states. In addition, $307 million has been budgeted to help the FBI battle Russian hackers, NPR reports.

Simply allocating the funds, however, might not be enough. Since 2016, Congress has budgeted $120 million to help the State Department combat foreign propaganda efforts. To date, none of that money has been spent (see State Department Spends $0 of Anti-Propaganda Allocation).

'Hacking' Public Opinion

During the committee hearing, Burr noted that beyond the hack of Illinois systems, 21 states' election systems were probed in 2016, but he contended that no votes were changed.

But those seeking to destabilize a country's democracy need not directly hack voting systems.

Take the efforts of the propaganda arm called RT, formerly known as Russia Today. "From August to November 2012, RT ran numerous reports on alleged U.S. election fraud and voting machine vulnerabilities, contending that U.S. election results cannot be trusted and do not reflect the popular will," according to Open Source Enterprise, a U.S. government agency that collates open-source material for use by other agencies (see Russian Interference: Anatomy of a Propaganda Campaign).

No Interference Talk With Putin

President Donald Trump called Russian President Vladimir Putin this week to congratulate him on winning his fourth presidential election. During the call, however, Trump reportedly did not press Putin on Russia's U.S. election interference.

During Wednesday's committee hearing, Sen. Warner called that omission "extremely troubling."

Trump made his call during another escalating diplomatic crisis over a nerve agent attack against former double agent Sergei Skripal and his daughter, Yulia, in England. The U.K., U.S., German and French governments strongly suspect was sanctioned by the Russian government, and the U.K. government has expelled 23 Russian diplomats, leading to a tit-for-tat expulsion by Moscow of 23 U.K. diplomats.

Trump also did not address the never agent attack in his call with Putin.

State Officials Still Seek Help

Some state officials have said they aren't getting the election help they need from the federal government, including intelligence about attacks as well as a coherent plan of action for combatting propaganda efforts by the likes of Russia and China (see States Seek Federal Help to Combat Election Interference).

"The threat of interference remains, and we recognize that the 2018 midterm and future elections are clearly potential targets of Russian hacking attempts," Nielsen said during the Wednesday hearing. "To be clear, there has been a learning curve on the sharing of information."

Former Homeland Security Secretary Jeh Johnson testifies before the Senate Intelligence Committee on March 21.

States also remain leary of potential power grabs by the federal government. In 2016, the Obama administration sought to classify voting systems as "critical infrastructure." But many states reacted with alarm at that move, Jeh Johnson, who headed DHS for President Barack Obama during the 2016 election, told the committee. As a result, Johnson said, he backed off, in favor of having states request federal assistance.

"Those who expressed negative views stated that running elections in this country was the sovereign and exclusive responsibility of the states, and they did not want federal intrusion, a federal takeover, or federal regulation of that process," Johnson said. "This was a profound misunderstanding of what a critical infrastructure designation would mean, which I tried to clarify for them."

Trump's 'Election Integrity' Commission

Subsequently, last May, Trump signed an executive order creating the "Presidential Advisory Commission on Election Integrity," chaired by Vice President Mike Pence, which was formed to investigate supposed voter fraud during the 2016 presidential election. Trump has alleged that such fraud caused him to lose the popular vote.

Critics contended the commission was a move to disenfranchise voters as well as to perpetuate the myth of voter fraud, which many experts say is not statistically significant.

Trump ordered the committee to be dissolved on January 3, blaming states for failing to participate.

In the meantime, it's not clear that the Trump administration has developed or authorized any plans designed to directly combat current and future Russia's propaganda efforts.

The administration did, however, last week announce sanctions against five Russian entities and 19 Russian individuals for "for interference with the 2016 U.S. elections." They include individuals and organizations that have been indicted by Special Counsel Robert Mueller's as part of his ongoing investigation into that interference (see US Finally Sanctions Russians for Hacking).

Prescription: Offense, Defense, More

To counter foreign interference, much more needs to be done, many information security experts say (see Russian Meddling: Trump Hasn't Ordered Direct NSA Response).

"Deterring foreign propaganda will take offense, defense and special teams," says Patrick McBride, co-founder of cybersecurity firm Claroty, which develops defenses for industrial control systems.

"Offensively, the full government apparatus needs to be activated to significantly increase the cost of propaganda activities to the bad actors - from public naming and shaming to sanctions for those involved and the institutions they work with," he says. "Defensively, beyond fixing voting machine and ensuring paper trails, holding social media to account and ensuring these platforms provide transparency to users being targeted is a good start. Our special intelligence teams need to have a clear charter and take aggressive actions to support both."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.