Hacking the midterms is still pretty easy

On Friday morning, Secretary of Homeland Security Kirstjen Nielsen proclaimed: “This is going to be the most secure election we’ve ever had.” Despite such promises, little has changed since 2016. U.S. elections remain highly vulnerable to hacking, experts said.

Election monitors point to a host of reasons: The Kremlin’s increasingly sophisticated and hard-to-track meddling efforts; a patchwork U.S. electoral system, riddled with insecure voting machines and vulnerable websites; and flailing social media giants, who despite promises to avoid a repeat of 2016, have yet to stop the widespread dissemination of highly partisan disinformation.

"It's way too soon to say that American elections are secure from online attacks," Paul Barrett, the deputy director of the Center for Business and Human Rights at the NYU Stern School of Business, told VICE News.

Memories of 2016 continue to haunt the Democratic National Committee, which experienced Russia’s attack firsthand.

“Everyone treats being hacked or being phished as a bogeyman. We are all really concerned about it and there is a lot of PTSD from 2016,” said Raffi Krikorian, the DNC’s chief technology officer.

Yet it's unclear how much has been learned from all the bad memories. Many campaigns remain highly vulnerable to attacks and questions persist over whether the DNC has done enough to prevent a repeat.

Krikorian was brought in from Uber in December 2016 to lead a team of 35 people who have “not slept for a month.” Recently, they've been responding to an increasing number of attacks on their systems and those of their candidates.

So far, he says, his team has been dealing with relatively run-of-the-mill attacks, such as the sort of spearphishing emails designed to get staffers to click on links to malicious websites designed to pilfer passwords and login credentials. Similar attacks led to John Podesta’s private emails being hacked and later made public by WikiLeaks in 2016.

But Krikorian warned that even though people are much more aware this go-around, hackers could still slip through.

“Remember, a super-sophisticated attack might be something that flies under the radar, so just because we are not seeing something ultra surprising doesn't necessarily mean nothing has happened,” Krikorian said.

He’s got reason to be concerned. Despite reports suggesting Russia is taking a back seat in 2018, experts and law enforcement officials believe the Kremlin’s hacking efforts remain active but have become harder to track.

To cover their tracks, Russian trolls are now consistently using VPN (virtual private networks) to mask their location and to avoid obvious markers, they are posting content on social media when Americans are active instead of operating on Moscow time.

In October, the Department of Justice charged Russian national Elena Alekseevna Khusyaynova for managing the financing of an elaborate online interference effort focused on the 2018 midterms.

Khusyanynova was the chief accountant for the campaign — known as Project Lakhta — that spent $12 million in 2017 alone and relied on social media ads to “inflame passions" surrounding divisive political issues like gun control, immigration, and racial tension. The project only saw increased funding in 2018, with Khusyaynova allegedly spending $10 million in the first six months of the year.

”This case serves as a stark reminder to all Americans: Our foreign adversaries continue their efforts to interfere in our democracy,” FBI Director Christopher Wray said while announcing the charges.

Before the 2016 vote, just one state — Pennsylvania — had undergone a risk-and-vulnerability assessment by the Department of Homeland Security to gauge how vulnerable its voting systems were to attack.

In 2018, 21 states, 13 counties, and one election technology company will have conducted the test ahead of voting on Tuesday, according to the DHS. According to a recent study by the Center for Strategic and International Studies, basic cybersecurity best practices have been implemented across most states, and more than $800 million has been allocated to harden election systems against cyberthreats.

But such efforts are only good if they’re well-received, and regional election officials don’t appear all that enthusiastic. Case in point: Though the Albert Sensor, which monitors incoming online traffic in real time to help identify potential attacks, is available in all 50 states, according to DHS officials who spoke to Vox, just 1,300 of the 10,000 jurisdictions are actually using the sensor, leaving the vast majority of systems unprotected.

Weak adoption of available technology is only part of the concern. More pressing, perhaps, is the country’s patchwork election infrastructure, which is the work of various private vendors who are not working in a coordinated fashion.

This hodgepodge is made worse by a lack of government oversight.

“Vendors of election software and equipment play a critical role in the U.S. election system, and the Committee continues to be concerned that vendors represent an enticing target [f]or malicious cyber actors,” according to a Senate Intelligence report from May.

Despite this threat, state and federal authorities continue to “have very little insight into the cybersecurity practices of many of these vendors,” the report says.

The most severe risk comes not from hacked voting machines or compromised voter databases but from attacks on campaigns and candidates “where cybersecurity practices remain inconsistent but [where] our adversaries have focused their attacks,” according to the CSIS report.

So far in 2018, at least a dozen races have been targeted by such attacks.

In July, Democratic Sen. Claire McCaskill of Missouri saw her Senate staff targeted with a sophisticated spear-phishing campaign. She was also one of three midterm candidates Microsoft identified as being targeted by coordinated attacks from inside Russia.

On Thursday, Democratic Sen. Joe Manchin — who is in one of the most hotly contested Senate races — revealed that his social media accounts had been hacked.

Threat actors from Russia and Iran have also tried to penetrate campaigns’ networks, created dummy websites to try to trick staffers to input their passwords, hacked email accounts, and attempted (in one instance) to rob a Senate campaign of thousands of dollars.

“The adversaries have learned that our electoral infrastructure is something that is vulnerable and potentially offers opportunities for them to pursue their national goals,” Michael Daniel, head of the Cyber Threat Alliance and a former White House cybersecurity coordinator during the Obama administration, told VICE News. “I think we have to be prepared for the fact that those adversaries and those nations will continue to do that.”

Platforms like Twitter and Facebook have tirelessly promoted their election security efforts in the run-up to the 2018 elections, vowing to avoid a repeat of 2016, when their platforms were weaponized by foreign actors, including the Kremlin’s troll factory: Internet Research Agency based in St. Petersburg.

Facebook has even set up a “war room” inside its Menlo Park headquarters and produced a number of slick ads boasting of their efforts to secure elections around the world.

But there’s little proof their efforts are working.

“There have been small improvements in campaign security, but we have not seen the kind of massive upgrade in campaign infrastructure that you would need to stand against a professional hacking agency like [Russia’s],” former Facebook security chief Alex Stamos said last month.

Indeed, just this week a VICE News investigation laid bare one major shortcoming in Facebook’s current design, showing how they can be easily gamed to promote misleading content.

Twitter displayed similar problems this week when its new U.S. midterms news hub — designed to show “the latest news and top commentary” on the election — was overrun with conspiracy theories and fake news.

When it comes to social media, barring radical change, election monitors don’t expect things to improve anytime soon.

“Twitter and Facebook have done a lot, but the nature of the threat will continue to evolve,” Barrett said. “And many attackers may be just keeping their powder dry for 2020.”

Cover image: People stand cast their ballots ahead of the Tuesday, Nov. 6, general election at Jim Miller Park, Saturday, Oct. 27, 2018, in Marietta, Ga. (AP Photo/Mike Stewart)