Wednesday night, at a brief, hastily arranged press conference at FBI headquarters, four top US national security officials announced solemnly that they had evidence that two foreign adversaries, Iran and Russia, had obtained US voter data and appeared to be trying to spread disinformation about the election.
It was the latest—and most troubling—episode in a week that has seen near-daily events set off potential alarms about how the US will hold up in the run-up to and on Election Day. In the final hours last Tuesday before the voter registration deadline in Virginia, an accidentally cut fiber-optic cable knocked out access to the state registration portal. The next morning, the New York Post published an odd, inconsistent, and poorly sourced story about Hunter Biden and the Ukrainian energy company Burisma that reeked of a ham-handed information operation. A day later came an extended outage of Twitter. Neither the Virginia cable cutting nor the Twitter outage was nefarious, though US officials continue to argue over the origins of the Burisma leaks.
This week, voters in states like Alaska and Florida began reporting threatening emails, purportedly from the white supremacist group Proud Boys, saying that the targeted Democratic voters should support Donald Trump—or else. National security officials soon confirmed that the emails appeared to originate with Iran—a revelation that led to Wednesday’s press conference.
FBI director Christopher Wray used the event to highlight how united and focused the nation’s security leadership is on protecting the election. “We are not going to let our guard down,” Wray said. Yet the emails and other episodes suggest that the presidential election is sure to be filled with more surprises and tense moments—and served as reminders of the myriad ways that the election could go wrong in the remaining weeks, days, and hours of the campaign.
Interviews and conversations with numerous election, law enforcement, and intelligence personnel over the past year have highlighted a dozen specific scenarios that particularly worry them as Election Day nears. The concerns roughly break down into two categories: technical attacks on data or access and online information operations.
Such attacks would aim to accomplish one of three goals, which election security officials sometimes describe as subversion, disruption, and defamation. Those respectively cover attempts to outright change the outcome of vote totals, to limit or impede citizens’ ability to vote in the first place, and to undermine voters’ confidence in the election’s legitimacy.
While many such attacks remain theoretical, some of the scenarios have already played out in other circumstances in recent months or in other elections overseas. In addition to the apparent Iranian email campaign, US officials have feared that the Trickbot botnet could be used to deploy a wave of ransomware against election targets in the weeks ahead. US Cyber Command—which as WIRED outlined in its November issue has been unleashed by the Trump administration to defend the country aggressively online—and a consortium of private sector partners, including Microsoft, launched apparently separate attacks against the Trickbot botnet earlier this month, with mixed success.
The first US presidential election since Russia’s unprecedented—and wildly successful—2016 attack was always going to be fraught, in part because other countries might follow Russia’s lead. Warnings—some dire—have come steadily from US officials that foreign actors, criminals, or even domestic groups might try to launch attacks on the integrity or legitimacy of the election.
If trouble does come, it’s unlikely to look exactly like the 2016 attack. Social media companies have gotten better at spotting bad actors on their platforms; Facebook took down a disinformation network tied to Russian intelligence late last month, and Twitter has dismantled Iranian efforts as well. Not only have attackers' tactics evolved; other foreign adversaries have clearly learned from Russia’s playbook. As Senator Mark Warner has repeatedly stated, such interventions might make smart financial sense; Russia spent only a few million dollars on its 2016 attack—a small fraction of the cost of even a single F-35 fighter—an incredible return on investment for its national strategic interests.
It’s not all bad news. In many ways the 2020 election is uniquely positioned to be resilient; election administrators, as underfunded and overworked as they are, have worked hard in the past four years to shore up the most vulnerable systems and expand the use of paper backups. Similarly, national security agencies and Congress have poured hundreds of millions into election security, and US Cyber Command has engaged with election threats in a way it never even tried to in 2016. “I think it was just a blind spot for us,” one former Cyber Command official told me about the 2016 attack. “I don't remember anyone turning to us and saying we need to do something to help make this not happen.”
While the novel coronavirus pandemic has further complicated this year’s election, at least 33 million Americans have already voted with less than two weeks remaining before Election Day, far outpacing 2016 early voting. That huge advance turnout will greatly reduce the risk, and effectiveness, of any attacks aimed at November 3 itself.
This list is hardly comprehensive. In certain instances, WIRED is withholding reporting on specific election vulnerabilities that are not widely known, to avoid the possibility of providing ideas to potential adversaries. But the following scenarios outline the different types of threats that election security officials are particularly concerned about in these final weeks of the campaign.
Attacks on Data, Access, and Availability
1. Ransomware: Throughout this year ransomware has topped the threat assessments of election security officials. Numerous local and state entities, from cities like Atlanta and Baltimore to two dozen Texas towns, have been hit with ransomware attacks from organized criminal groups in recent months, underscoring the fragile and outdated state of much of the nation’s local government IT infrastructure. While the attacks thus far have been financially motivated, there were roughly 1,000 such strikes over the course of 2019 against states, municipalities, election vendors, health care providers, and other public entities; this year is likely to be even worse once the victims are totaled up.
The global threat and challenge from ransomware has grown dramatically this year amid the pandemic, as tens of millions of workers rapidly switched to working from home, companies were forced to expand their IT infrastructure and open up systems, and IT and security resources were interrupted or stretched thin. While so far these attacks appear to be primarily for-profit crimes of opportunity, it’s not much of a leap to imagine a November 2020 ransomware attack with political undertones.
A ransomware attack that freezes up local voter databases could be conducted as either a coercive for-profit attack—forcing election bodies to pay steep ransoms on tight timelines to ensure the smooth functioning of the election—or fully destructive, paralyzing systems with no hope of unlocking them, as with Russia’s NotPetya ransomware attack in June 2017. Similarly, an attack targeting a campaign’s get-out-the-vote operations, email lists, or internal networks could cost a candidate the one thing they don’t have as the clock ticks down: time.
The fears of an election-focused ransomware attack were a major reason for last week’s concerted attack on Trickbot, the world’s largest botnet and a purveyor of Ryuk ransomware. Officials feared that doing it any earlier might give the network time to reboot and reorganize.
Even so, Cyber Command’s efforts appear to have made little dent in the criminal gang. Even after Microsoft and other security companies attacked, portions of the Trickbot network remain functional.
One simple way that CISA is recommending election officials minimize the threat of ransomware is to embrace a particularly old-fashioned technology: Print out voter rolls and poll books.
2. Advance Voter Data Manipulation: One clear way to throw sand in the gears of the election would be to access and change voter registration databases in advance—for instance changing names, street addresses, or zip codes in ways that would cause confusion at polling places. “A pre-election undetected attack could tamper with voter lists, creating huge confusion and delays, disenfranchisement, and at large enough scale could compromise the validity of the election,” John Sebes, the chief technology officer of the election-technology-focused OSET Institute, warned last year.
Russian hackers are known to have penetrated the voter systems of at least two Florida counties in 2016, though they do not appear to have changed anything. At least one other jurisdiction, Riverside, California, saw unknown hackers apparently tamper with voter party affiliation data in 2016, leading to confusion at the polls and voters being turned away. The episode remains unconfirmed publicly by federal or state officials—only the county district attorney has spoken about it openly—and the hackers’ intent is unclear, since the data tampering apparently included both Republican and Democratic voters. “I’m very concerned,” Riverside County district attorney Mike Hestrin told NBC earlier this month. “I think that our current system has numerous vulnerabilities.”
Problems with voter registration data would almost certainly lead to eligible voters being given so-called “provisional ballots,” which allow them to cast a vote while the underlying eligibility is double-checked. Such ballots, a standard part of all elections, introduce their own complexity, particularly if they end up needing to be used in large numbers, since they would delay the final count and could introduce opportunities for court challenges of individual ballots. One strength of the US system here is just how decentralized these voter rolls actually are; hackers might be able to hit a single jurisdiction or even a handful, but it’s not like there’s a single national voter database that could muck up voting for everyone.
3. Day-of-Vote Interruption: The Covid-19 pandemic will mean that there are fewer polling places open in many parts of the country, all of which rely on a wide assortment of voting technologies. That increases the chances that technical gremlins could freeze up systems, slow down lines, and discourage voters from participating. Already this year, citizens in Georgia faced lines on the state’s first day of early voting that stretched to 10 hours or more after bandwidth challenges slowed the pace of its check-in system to as few as 10 voters an hour. “The system would kick us out, or make us log back in, or was slow responding — you didn’t know what was going to happen really,” one county election director told The Washington Post. It took until Wednesday to implement technical fixes that got the system back up to speed.
Security journalist Kim Zetter has called those voter check-in devices, known as “electronic pollbooks,” the “security hole everyone ignores.” They adhere to no uniform standards or federal certifications, and a leaked NSA document showed that Russia targeted at least one e-pollbook manufacturer as part of its 2016 attack.
While the pollbooks can’t be used to alter someone’s vote, Georgia shows how problems with the devices’ connectivity could discourage voters from participating in the first place. Moreover, just as with problems introduced into the underlying voter data, check-in challenges could lead to an increase in provisional ballots, slowing the final vote count and increasing the number of votes that could be challenged in court or a recount.
4. Actual Vote Manipulation: In 2016, as it watched Russian intelligence probe US voting networks, the US government communicated what it saw as a clear “red line”: The US would not stand for any attempt by Russia to change actual vote totals in the election. Here again, the decentralized nature and diversity of America’s voting systems serves as a protection. Given how many different technologies one would have to master and how many different jurisdictions would have to be targeted, it would be enormously hard to affect enough votes to change the outcome of the election.
Fears have long existed about the insecurity of the myriad voting technologies used by the nation’s thousands of independent election systems, and news stories in recent weeks have pointed out the physical vulnerabilities of the storage facilities where voting machines sit in between elections. Concern is particularly high about so-called “ballot-marking devices,” touchscreen machines that print out a receipt that is then scanned by another machine. These devices will be in widespread use this year, but they are considered uniquely problematic, because the proprietary barcodes used on the receipts make it challenging for voters to double-check that their votes were recorded as intended. Does that random series of lines on your receipt look like a vote for Biden or Trump?
University of Michigan professor J. Alex Halderman has for several years been raising concerns about the weaknesses and vulnerabilities inherent in the centralized electronic systems used in certain states. “If Russia or other attackers can break into a state’s election management system, they can spread malicious software to voting machines throughout that jurisdiction, and potentially change all of the digital records,” Halderman said in a radio interview this summer. “That’s the threat that really keeps me up at night.”
A Pennsylvania election in 2019 showed how much can go wrong even without outside interference. Electronic records in Northampton County showed the Democratic judicial candidate winning just 164 votes out of 55,000 ballots. Luckily, the jurisdiction had paper backups and was able to correctly retally the votes. No one has yet figured out what went wrong, but officials blamed a software bug.
While a nationwide vote-changing operation would be all but logistically impossible, election watchers still fear a single targeted attack, or even the appearance of one. If someone were to release a video online that appears to show a voting machine being hacked in Broward County, Florida, that could potentially undermine confidence in results more broadly. It could also easily be a fake; old voting machines are freely available for purchase. The FBI and CISA similarly warned voters in September of what they called “false claims of hacked voter information likely intended to cast doubt on legitimacy of US elections,” pointing to how voter data can be purchased through publicly available sources and thus appear to be stolen or manipulated when it’s not.
5. Messing With Reporting: Rather than attempting to change the actual votes, hackers could also target those reporting on the vote totals on election night—attempting to manipulate the results on state secretary of state websites or the vote totals tallied by wire services like the Associated Press. Such an attack, if carried out subtly, could undermine confidence in the final results as Americans question strange election night swings or changes in the initial unofficial vote totals.
Even simpler, in some ways, would be just hijacking news organization websites or social media accounts to send out false results or news bulletins. There’s precedent: In 2013, the AP’s Twitter feed was hacked to send a tweet reporting an explosion at the White House, a report that quickly wiped out $136 billion in stock market gains that day as nervous investors worried about a terror incident. It took just six minutes. The Justice Department later charged the Syrian Electronic Army over the act of cyber vandalism.
The following year, as WIRED’s Andy Greenberg outlines in his book on the Kremlin’s hacking efforts, Sandworm, a pro-Russian group of hackers known as CyberBerkut attacked Ukraine’s Central Election Commission just before its presidential election and planted fake results on its website showing the ultra-right candidate had won. Russian state media amplified the fake results, helping to sow confusion. CyberBerkut, Greenberg reports, was later linked to the GRU group known as Fancy Bear, which attacked the US election in 2016. More recently, a Russian disinformation operation broke into Eastern European news organizations to publish its own misleading stories about NATO on legitimate websites.
And in July, hackers used social engineering to gain access to dozens of high-profile Twitter accounts and push a bitcoin scam. The spiraling security incident took Twitter hours to control and eventually led to the platform temporarily blocking all verified accounts from posting at all. The idea of such an attack playing out on Election Day or amid a tense period after the polls close, with high-profile politicians or news accounts tweeting out alarmist or contradictory messages, could quickly spiral into a national crisis. Twitter has since taken steps to harden high-profile accounts against such attacks, but it remains to be seen whether that’s enough.
6. Distributed Denial-of-Service Attacks: At the end of September, CISA and the FBI issued a joint announcement specifically warning about the possibility that DDoS attacks could disrupt election infrastructure. The statement came almost exactly four years after the last time the US government feared such an election attack. Many forget that amid the confusion over the precise nature of Russia’s attack in 2016, US government and industry officials speculated that the rise of the Mirai botnet that fall might be a “rehearsal” for an Election Day attack. US government officials stood ready to take swift action against portions of the Mirai network if it was turned against the election. Last year, separate DDoS attacks targeted websites used by both the Labour Party and the Conservative Party amid the UK’s general election.
In a tight election that unfolds over a fixed period of time, knocking a website offline or slowing access to it for even a few hours could stymie a campaign’s get-out-the-vote efforts, lead to voting delays at certain polling places, or slow the reporting of results. However, CISA and the FBI underscored that even amid a DDoS attack, the underlying voter data or vote tallies would remain untouched. As the announcement said, “The FBI and CISA have no reporting to suggest a DDoS attack has ever prevented a registered voter from casting a ballot, or compromised the integrity of any ballots cast.”
7. Infrastructure Attacks: While the perennial bogeyman in cyber scenarios is always an advanced attack on physical infrastructure—an attack on the power grid, pipelines, water, or other key systems—the good news is that such attacks remain both incredibly rare and largely the domain of only a handful of advanced foreign adversaries.
There are all sorts of normal tech hiccups around elections as it is—as the unintentional Virginia cable-cutting demonstrates—and localized power outages from storms or construction mishaps regularly end up affecting polling places, but the remote possibility remains that such outages or disruptions could be introduced nefariously to Election Day. The security firm Cybereason last year ran a series of tabletop exercises specifically looking at how real-world attacks might impact Election Day. One exercise focused on a hacktivist group—known in the exercise as Kill Organized Systems (K-OS), pun intended—that disrupted traffic lights and brought the election to a standstill by paralyzing the city’s transportation system.
“If you can prevent people from getting to the polls … if you can effectively disenfranchise certain segments of the population, that’s far more disruptive to the republic than taking out a few voting machines,” Cybereason’s Sam Curry said after the exercise.
Again, pulling off such an attack would be exceedingly unlikely, and the nature of US infrastructure would make it basically impossible to pull off at scale. But a sophisticated attacker could certainly attempt to cause trouble in a critical city in a swing state.
8. Hack and Dump: This week’s New York Post series on Hunter Biden sets off nearly every warning alarm about a possible hack-and-dump-style information operation, akin to the Russian thefts of emails from the Democratic National Committee and Hillary Clinton campaign chair John Podesta.
Presidential campaigns have long been targeted by foreign intelligence services—China hacked the campaigns of both John McCain and Barack Obama in 2008—but it wasn’t until Russia’s attack in 2016 that a foreign adversary thought to weaponize such campaign espionage and turn it into public information dumps. This year has seen repeated warnings that campaigns are being targeted by hostile actors looking to gain access to staffers and leadership—Microsoft says it has detected attacks against both Joe Biden’s campaign and Donald Trump’s from actors linked to Russia, China, and Iran—although it’s unclear whether those attacks have been for pure intelligence purposes or to collect embarrassing information that could be dumped closer to the election.
While the news media is trying to handle these stories more maturely than it did in 2016, a hack-and-dump of legitimate, newsworthy information would be all but irresistible. In 2017, French presidential candidate Emmanuel Macron came up with a tactic for combating a hack-and-dump right before election day: His campaign told reporters that they had seeded their own internal servers with fake documents and emails. The duplicity helped discourage reporters from covering the stolen files since they couldn’t be sure what was real and what wasn’t. Have Biden and Trump and other key officials followed that lead?
9. Misleading Voting Information: Voting amid this year’s pandemic will force millions of Americans to change their routines. Polling places are moving, and more states are embracing vote-by-mail, introducing unfamiliar procedures that people will need to follow closely in order for their ballots to count. Those new logistical complexities introduce the chance for adversaries—using social media, websites, or even old-fashioned postcards and mailers—to confuse or misdirect voters.
The FBI and CISA have raised warnings that standard “phishing” techniques—like spoofed web domains and misleading URLs—could be used to actively mislead voters searching online for information about voting deadlines, polling places, results, or any of the myriad questions that arise amid the logistics of casting a ballot. Twitter, Facebook, and other social media websites have also been uniquely aggressive in taking down misleading information about the election—even sanctioning the president’s own tweets.
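The spoofed domains and misleading URLs named in that warning follow a few recurring patterns, and a defender can screen for them mechanically. What follows is an added example, not code from WIRED, the FBI, or CISA: a small Python checker that compares a URL's hostname against a constructed allowlist of placeholder election sites (vote.example.gov and elections.examplecounty.gov are assumptions, not real domains) and reports the common imitation tricks: the genuine name placed in the userinfo part of a URL, non-ASCII or punycode hostnames, the genuine name used as a subdomain of some other domain, a swapped top-level domain, and homoglyph or one-or-two-character typo look-alikes.

```python
"""Flag URLs whose hostnames imitate legitimate election-information sites.

Added example, not from the article. LEGITIMATE_HOSTS is a constructed
allowlist of placeholder names, not any real jurisdiction's domains.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist: the genuine hostnames a voter might search for.
LEGITIMATE_HOSTS = ("elections.examplecounty.gov", "vote.example.gov")

# Substitutions commonly used to build look-alike names; undone before comparing.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}


def normalize(host):
    """Lower-case, fold Unicode compatibility forms, and undo common homoglyph swaps."""
    host = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host


def levenshtein(a, b):
    """Edit distance by the standard dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable-domain guess: the last two labels (no public-suffix list here)."""
    return ".".join(host.split(".")[-2:])


def classify_url(url):
    """Return the reasons a URL looks deceptive; an empty list means no imitation found."""
    reasons = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    if parts.username is not None:
        # "http://vote.example.gov@attacker.test": the real name is only userinfo,
        # the browser actually connects to the host after the "@".
        reasons.append("userinfo-before-host")
    host = (parts.hostname or "").rstrip(".")
    if host in LEGITIMATE_HOSTS:
        return reasons
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        reasons.append("non-ascii-or-punycode-host")
    norm = normalize(host)
    labels = norm.split(".")
    for good in LEGITIMATE_HOSTS:
        good_labels = good.split(".")
        brand = good_labels[-2]
        if labels[:-1] == good_labels[:-1] and labels[-1] != good_labels[-1]:
            reasons.append("wrong-tld-for:" + good)          # vote.example.com
        elif registrable(norm) != registrable(good) and any(
            brand in lbl.split("-") for lbl in labels
        ):
            reasons.append("brand-in-other-domain:" + good)  # vote.example.gov.attacker.test
        elif levenshtein(norm, good) <= 2:
            reasons.append("lookalike-of:" + good)           # v0te.example.gov, vote.exampel.gov
    return reasons


if __name__ == "__main__":
    for sample in ("https://vote.example.gov/where", "https://v0te.example.gov",
                   "http://vote.example.gov.attacker.test/", "http://vote.example.gov@attacker.test"):
        print(sample, "->", classify_url(sample))
```

The registrable() helper is deliberately naive (last two labels), which misclassifies names under multi-label public suffixes; a real deployment would consult the Public Suffix List. The checker is an allowlist comparison, so it only catches imitations of names it knows about and says nothing about unrelated hosts.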
10. Voter-Targeted Disinformation: Election-related disinformation has almost certainly arrived as a permanent problem for candidates, tech platforms, and security officials. While misleading mailers, push polls, and other deceptive tactics have long been a part of off-line campaigning, the Internet Research Agency’s meme-filled attempt to sow division in the 2016 campaign among everyone from Black voters to Trump MAGA-ites provided a road map for other foreign and domestic actors.
As Stanford’s Internet Observatory revealed in a recent report and op-ed, “The Russians are now perfecting these techniques worldwide—mostly to shape public discourse on topics of geostrategic interest to Russia, such as the ongoing Syrian civil war.” The GRU has created a variety of false entities such as the Inside Syria Media Center, a nonexistent think tank that successfully pushed pro-Assad and anti-Western narratives, and people linked to the Internet Research Agency were evidently behind a website called Peace Data that used real US journalists and writers to target left-wing Americans.
While one much-hyped threat this cycle—deepfakes—has failed to materialize, Trump campaign associates have shown the possible damage from so-called cheapfakes, crudely manipulated and edited videos that mislead viewers. As the blog Lawfare noted, in just two days at the end of the summer, Republican congressional whip Steve Scalise, White House social media guru Dan Scavino, and the Trump campaign each tweeted different misleading videos.
11. Social Media Threats: One of the oft-forgotten aspects of North Korea’s 2014 attack on Sony Pictures Entertainment and Seth Rogen’s comedy The Interview was the series of terror threats against movie theaters that were set to show the movie. North Korea’s hackers posted a message on Pastebin invoking 9/11 and saying, “We will clearly show it to you at the very time and places ‘The Interview’ be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to.” Ultimately, it was those threats that led to the release of the movie being canceled—no theater chain was willing to risk showing it.
Recent days have already borne out those fears, as the Iran-linked emails purporting to be from the white supremacist Proud Boys target and threaten voters in key battleground states like Florida and Alaska. Officials worry that if such threats were broadcast online, they could be used to discourage voters either nationally or in targeted swing precincts—or that threats that lead to increased security at polling places might exacerbate long lines and depress turnout.
At the same time, given the heated rhetoric and protests that have already unfolded on the nation’s streets this year—with spring right-wing protests over pandemic stay-at-home orders followed by a summer of protests over police brutality and racial justice—there are also worries that social media threats or rumors could lead to armed civilians attempting to self-police polling places. This summer, false online rumors of pending invasions from Antifa led to armed gangs assembling to “defend” communities, and rumors in November of either intended violence at polling places or ballot fraud could provoke similar armed confrontations at voting precincts between civilians and law enforcement.
12. The Tweeter-in-Chief: While no government officials will say it publicly, one of the biggest fears in election security circles is @realdonaldtrump himself and the second- and third-order effects of how an incumbent president with a history of grievance and insecurity might respond to any of the above incidents unfolding.
The president and vice president have both refused to commit to a peaceful transition of power, and the president has repeatedly in recent days pressed for an “army” of his supporters to monitor polling places and prevent fraud. Trump has spent much of the year already raising questions about the legitimacy of election results and would almost certainly seize upon any major disruption at the polls to call the entire election into question, perhaps even before the results are known.
Indeed, the primary damage from almost any cyberattack on the election would likely come not from the strike itself, but in how it would raise questions in the public’s minds—and particularly in the minds of the losing candidate’s supporters—about whether the result was valid, free, and secure.
This, after all, was perhaps the biggest lesson of Russia’s attack on the 2016 election: After years of the cybersecurity industry focusing on securing critical infrastructure, from electrical grids and water systems to air traffic control networks and pipelines, the first major cyberattack—the long-feared “Cyber Pearl Harbor”—centered on a piece of our free society that had long gone unprotected: America’s confidence in itself.
Now, four years later—even as the US has shored up its technical defenses—it’s clear that the political discord and division that the Internet Research Agency seized upon and stoked in 2016 is only worse, more polarized, more partisan, and more violent. And that’s not a problem that cybersecurity expertise, the NSA, the FBI, CISA, or local election administrators can solve.