June 13, 2019
In the weeks before the 2016 presidential election, a Florida company known as VR Systems fell victim to a Russian spear-phishing campaign. Most Americans have never heard of VR Systems, but it runs poll books—the registries that election workers use to track who is eligible to vote and who has already voted—for counties in eight states around the country.
The hackers used the information they gathered from VR Systems to breach two of the Florida county election systems the company managed. And three years later, new reporting suggests that VR Systems may also have inadvertently put Russians in a position to alter voter rolls in North Carolina, another swing state, on the eve of the 2016 presidential election. By using remote-access software to connect directly to election systems, troubleshooters at VR Systems opened a gap that could have been exploited by hackers already in their system. Only now is a federal investigation into whether that actually occurred underway.
It’s an astonishing example of negligence on the part of a government contractor responsible for critical election infrastructure. But it’s also a lesson for policymakers in how not to handle election interference by foreign governments. The federal response placed secrecy over security left state officials and the public guessing about what happened and what should be done. The lack of effective coordination among federal agencies, and between them and the officials who run our elections, is breathtaking. Early on, federal officials refused to confirm that election systems in Florida had been hacked, even as leaked documents and the Mueller reporthave now made it clear that they knew more than they were saying. Worse, state election officials were repeatedly kept in the dark. It was only in May, almost three years after the attack, that the FBI revealed to Florida’s governor which counties in his state had been targeted—and then required him not to disclose it. Early on, election workers in North Carolina were told that the problems they experienced with voter rolls were the result of user error. Now it seems this may not have been the case.
In one sense, the gaps between the Department of Homeland Security and the FBI aren’t surprising. The two agencies have different roles and mandates. The FBI leads federal investigations of intrusions; it takes a law enforcement approach that prizes confidentiality, often for good reason. But that has, at times, kept it from being forthcoming with the state and local officials who run elections and who would benefit from timely information about relevant threats. DHS takes the lead in protecting voting infrastructure, which is a resilience-building function—one that depends on sharing information with those who need it and warning the public when called for.
Complicating this challenge, election officials often do not have the security clearances that would enable them to access sensitive information in a timely way. As of April, only half the members of the Election Assistance Commission, a four-person federal committee advising states on election threats, had security clearances—the result of a massive backlog. In both 2016 and 2018, no members of the commission had clearances. The lack of appropriate clearances calls into question the ability of the commission to do its job effectively.
States are also seeking more than information: They would benefit from more federal money and expertise for defending against cyberthreats. Last year, Congress appropriated $380 million to the Election Assistance Commission to be given out in grants to states. Because the disbursement came late in the procurement cycle, and because of a matching requirement for federal funds, however, many states haven’t been able to spend it. One possible remedy is the Secure Elections Act, a bipartisan measure that would give DHS primary responsibility within the federal government for sharing information about election cybersecurity incidents and threats. It would also enable the agency to award election system cybersecurity and modernization grants to states. Sadly, partisanship has so far prevented it from becoming law.
Perhaps most importantly, the sloppy handling of the incident revealed that if the federal government does not improve its public messaging on election threats, it risks doing Russia’s work for it. During his tenure as deputy attorney general, Rod Rosenstein noted the importance of effective public warnings. By releasing conflicting information slowly, the government may have decreased public confidence in its ability to secure our elections. Weakening public confidence in the integrity of our elections is one of Russia’s goals, and it’s an objective likely shared by other authoritarian states. Russia need not actually interfere with election results for Americans to believe that it did; the impression alone could be equally as damaging.
Inconsistent messaging about the breach enabled it to become political fodder in Florida’s 2018 Senate race. Then-Sen. Bill Nelson, a Democrat, made a cryptic remark about the Russian intrusion that he declined to elaborate on. That prompted his Republican opponent, then-Gov. Rick Scott, to accuse Nelson of scaremongering during a campaign rally. The campaign trail is exactly the wrong place for information about election threats to be made public: Elected officials should take extreme care to avoid politicizing public warnings. Meanwhile, Congress should institute mandatory reporting requirements that obligate administration officials to inform lawmakers of foreign attacks against U.S. electoral infrastructure.
Sloppy public messaging may also have made it more difficult for Florida’s election officials to advocate for cybersecurity resources to defend the state’s election system. New reports reveal that officials twice requested support from state lawmakers to create a cybersecurity team. The initial request amounted to less than $500,000—a fraction of the state’s $88.7 billion budget. Both requests were denied. Had federal officials shared what they knew with state lawmakers and the public, that might not have been the case.
We know that foreign authoritarian actors plan ahead. With 2020 campaigns already underway, we should assume they are knocking on our doors.