When President Donald Trump emerged from his long-awaited bilateral meeting with Russian President Vladimir Putin on the sidelines of the G-20 Summit in Hamburg earlier this month, he proudly proclaimed that the two leaders had agreed to create “an impenetrable cyber security unit” to prevent future election hacking. Lawmakers on both sides of the aisle immediately slammed the idea. “It’s not the dumbest idea I’ve ever heard,” Republican Senator Lindsey Graham told Meet the Press. “But it’s close.” Florida Republican Senator Marco Rubio tweeted that “partnering with Putin on a ‘Cyber Security Unit’ is akin to partnering with Assad on a “Chemical Weapons Unit.’”
President Trump is “literally the only person I know of who doesn’t believe Russia attacked our election in 2016,” Graham went on to say. But to the rest of the world, these tactics have become synonymous with Russia and Putin. Over the last ten years, cyber attacks and election hacking have become Putin’s favorite instruments in the Kremlin’s national security toolbox. Russia honed such methods as far back as 2007, launching denial-of-service attacks on state election systems and defacing the websites of government political parties in Estonia and Georgia.
By the time our presidential election took place last year, Russia had moved on from DDoS attacks and website defacements to a much more sophisticated campaign. In January 2017, the U.S. intelligence community concluded with high confidence that Putin had ordered an extensive, multi-pronged propaganda effort “to undermine public faith in the U.S. democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency.”
And the Russians were hardly done there. Encouraged by their ability to disrupt the American election, Russian hackers turned their sights on France’s presidential election earlier this year. Two days before the May vote, hackers leaked nine gigabytes of emails from candidate Emmanuel Macron’s campaign, in an unsuccessful attempt to swing the race in favor of the Kremlin’s preferred candidate, Marine Le Pen.
There was more. On July 4, the heads of Germany’s interior ministry and domestic intelligence service warned that Russian hackers had targeted the German foreign, finance and economic ministries in an attempt to influence the September 24 parliamentary election, in which Chancellor Angela Merkel, a longtime Putin nemesis, is seeking a fourth term.
Meanwhile, we have since learned from a classified NSA report that Russia’s cyber attack on the U.S. electoral system during the 2016 presidential campaign was far more widespread than had been publicly revealed. According to the May 2017 report, “Russia’s part went beyond allegedly hacking email to serve a propaganda campaign, and bled into an attack on U.S. election infrastructure itself.” Hackers, under the direction of the Russian General Staff Main Intelligence Directorate, and part of a team with a “cyber espionage mandate specifically directed at U.S. and foreign elections,” focused on parts of the system directly connected to the voter registration process, including a private sector manufacturer of devices that maintain and verify the voter rolls.
In June, Bloomberg reported that the Russian cyber campaign included incursions into voter databases and software systems in almost twice as many states as previously reported. In Illinois, “cyber intruders tried to delete or alter voter data,” according to the Bloomberg investigation. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database. In all, the Russian hackers hit systems in a total of 39 states.
A Politico investigation ahead of last month’s special congressional election in Georgia’s sixth district raised concerns of unaddressed vulnerabilities in the U.S.’s patchwork of voting technologies. Last year, a cyber security researcher discovered that a database containing registration records for the state’s 6.7 million voters, election worker instructions, and software files for voter registration verification were publicly accessible via an unsecure website.
America’s federal election system is highly decentralized, and voter processes and technologies differ not only from state to state, but often from county to county. There is currently no government entity with either the responsibility or the authority to safeguard elections. A Federal Election Commission (FEC) spokesperson recently clarified that the FEC “does not have jurisdiction over voting matters as well as software and hardware in connection with casting votes.”
The recent leaked NSA report concluded that the 2016 presidential election “demonstrates that countries are looking at specific tactics for election manipulation, and we need to be vigilant in defense.” But little has been done to close the vulnerabilities in American voter systems or to standardize the process. Meanwhile, Russian hackers will continue to build on their knowledge of our voting systems ahead of both the 2018 midterms and the next presidential election.
And while the Russians are the ones who turned election hacking into an art form, they will hardly be alone in targeting future elections. For example, German security officials recently announced that Chinese and Iranian-linked hackers have targeted government networks ahead of the September parliamentary election. We should expect an unruly coalition of hackers, ranging from state-sponsored to activist collectives – and even candidate-backed groups – to attempt to disrupt federal, state, and local elections. And until we rise to meet this threat, election hacking poses an existential threat to democratic governments.