It was only a month ago, but things move fast in an election year, and change quickly, so few may remember this:
Donald Trump dared a foreign government to commit espionage on the U.S. to hurt his rival on Wednesday, smashing yet another taboo in American political discourse and behavior.
“Russia, if you’re listening, I hope you’ll be able to find the 30,000 emails that are missing,” he said, referring to deleted emails from the private account Hillary Clinton used as secretary of State. “I think you’ll probably be rewarded mightily by our press.”
Other than that, it was just another typical day with Trump:
Trump made the taunt during a lengthy and unusual news conference in Doral, Fla., in which he also suggested the Geneva Convention treaties protecting prisoners of war are outdated, told a reporter asking a question to “be quiet” and said the fact that the Democratic National Committee may have been hacked was because foreign leaders lack respect for the U.S. government.
He also called President Obama “the most ignorant president in our history,” alleged that Russian President Vladimir Putin had disparaged Obama with “the n-word” and inaccurately paraphrased Obama speaking in a stereotype of African-American dialect.
He was on a roll, but that first thing bothered a few folks:
The comments urging Russia to hack Clinton immediately drew widespread attention because they lend the impression that Trump is actively encouraging another country to commit a crime against the U.S. to directly affect the presidential election. If the emails are hacked and Trump wins, it also could make him appear beholden to foreign interests.
But it didn’t matter in the end. The FBI recovered the emails, not the Russians, but still, some were worried:
The unprecedented comments in a campaign that has pushed multiple boundaries came after days of increased interest in Trump’s relationship with Russia, his statements that he might renege on U.S. commitments to defend NATO allies against Russian aggression and his frequently espoused admiration for Putin.
That concern is over. Trump dumped his campaign manager, Paul Manafort, who had previously worked for Russia’s guy in Ukraine who was ousted and now lives in Moscow, thanks to Vladimir Putin. Stuff came up – documents showing Manafort involved in a disinformation campaign to justify Russia grabbing Crimea. That was too close for comfort, but the invitation to Russia, to hack our systems to hurt Hillary, was never rescinded:
Allies of Trump, including former House Speaker Newt Gingrich, asserted that the candidate was joking. But Trump, given the chance to clarify while he was still in front of reporters, did not back down when asked whether it concerned him that another government may have Clinton’s emails.
“No, it gives me no pause,” he said, adding that what gives him pause is Clinton’s destruction of the messages.
“If Russia or China or any other country has those emails, I’ve got to be honest with you, I’d love to see them,” he added.
He saw no problem with Russian hacking – he loved it – but one month later he may have to change his tune:
Hackers targeted voter registration systems in Illinois and Arizona, and the FBI alerted Arizona officials in June that Russians were behind the assault on the election system in that state.
The bureau described the threat as “credible” and significant, “an eight on a scale of one to 10,” Matt Roberts, a spokesman for Arizona Secretary of State Michele Reagan (R), said Monday. As a result, Reagan shut down the state’s voter registration system for nearly a week.
Perhaps they found Hillary’s emails boring, but the damage this time was limited:
It turned out that the hackers had not compromised the state system or even any county system. They had, however, stolen the username and password of a single election official in Gila County.
That’s not much, but something is going on:
The Arizona incident is the latest indication of Russian interest in U.S. elections and party operations, and it follows the discovery of a high-profile penetration into Democratic National Committee computers. That hack produced embarrassing emails that led to the resignation of DNC Chairwoman Debbie Wasserman Schultz and sowed dissension on the eve of Hillary Clinton’s nomination as the party’s presidential candidate.
The Russian campaign is also sparking intense anxiety about the security of this year’s elections. Earlier this month, the FBI warned state officials to be on the lookout for intrusions into their election systems. The “flash” alert, which was first reported by Yahoo News, said investigators had detected attempts to penetrate election systems in several states and listed Internet protocol addresses and other technical fingerprints associated with the hacks.
In addition to Arizona, Illinois officials discovered an intrusion into their election system in July. Although the hackers did not alter any data, the intrusion marks the first successful compromise of a state voter registration database, federal officials said.
They’re knocking on the door:
“This was a highly sophisticated attack most likely from a foreign (international) entity,” said Kyle Thomas, director of voting and registration systems for the Illinois State Board of Elections, in a message that was sent to all election authorities in the state.
The Illinois hackers were able to retrieve voter records, but the number accessed was “a fairly small percentage of the total,” said Ken Menzel, general counsel for the Illinois election board.
State officials alerted the FBI, he said, and the Department of Homeland Security also was involved. The intrusion in Illinois led to a week-long shutdown of the voter registration system.
The FBI has told Illinois officials that it is looking at foreign government agencies and criminal hackers as potential culprits, Menzel said.
At least two other states are looking into possible breaches, officials said. Meanwhile, states across the nation are scrambling to ensure that their systems are secure.
They have to do this, because the consequences are serious:
Until now, countries such as Russia and China have shown little interest in voting systems in the United States. But experts said that if a foreign government gained the ability to tamper with voter data – for instance by deleting registration records – such a hack could cast doubt on the legitimacy of U.S. elections.
“I’m less concerned about the attackers getting access to and downloading the information. I’m more concerned about the information being altered, modified or deleted. That’s where the real potential is for any sort of meddling in the election,” said Brian Kalkin, vice president of operations for the Center for Internet Security, which operates the MS-ISAC, a multistate information-sharing center that helps government agencies combat cyberthreats and works closely with federal law enforcement.
But the bad guys deleting registration records may not be that serious:
Tom Hicks, chairman of the federal Election Assistance Commission, an agency set up by Congress after the 2000 Florida recount to maintain election integrity, said he is confident that states have sufficient safeguards in place to ward off attempts to manipulate data.
For example, if a voter’s name were deleted and did not show up on the precinct list, the individual could still cast a provisional ballot, Hicks said. Once the voter’s status was confirmed, the ballot would be counted.
Hicks also said the actual systems used to cast votes “are not hooked up to the Internet” and so “there’s not going to be any manipulation of data.” However, more than 30 states have some provisions for online voting, primarily for voters living overseas or serving in the military.
That may be the real problem:
This spring, a DHS official cautioned that online voting is not yet secure.
“We believe that online voting – especially online voting in large scale – introduces great risk into the election system by threatening voters’ expectations of confidentiality, accountability and security of their votes and provides an avenue for malicious actors to manipulate the voting results,” said Neil Jenkins, an official in the department’s Office of Cybersecurity and Communications.
Private-sector researchers are also concerned about potential meddling by Russians in the U.S. election system. Rich Barger, chief information officer at ThreatConnect, said that several of the IP addresses listed in the FBI alert trace back to a website-hosting service called King Servers that offers Russia-based technical support. Barger also said that one of the methods used was similar to a tactic employed in other intrusions suspected of being carried out by the Russian government, including one this month on the World Anti-Doping Agency.
“The very fact that [someone] has rattled the doorknobs, the very fact that the state election commissions are in the crosshairs, gives grounds to the average American voter to wonder: Can they really trust the results?” Barger said.
That’s the real problem, as Josh Marshall notes here:
For years, I’ve generally poo-poo’d claims about how elections had been or could be hacked. Mainly this is simply an evidence-based criticism. Back in the aughts “Diebold” became the Dems equivalent of GOP “vote fraud” claims, an amorphous and generally evidenceless explanation for why your party is losing elections you wanted to win. People get confused sometimes and believe that arguments that something can happen is proof that something has happened. Logic is hard.
There is one huge and incredibly important difference: none of the black-box voting folks ever proposed solutions targeted at making it harder for one class or race of people to vote, which is what the GOP’s “vote fraud” nonsense is entirely about. So I’m not equating the two. The proposed remedies for combating electronic or cyber-attack-based election tampering may not be as necessary as some claim. But they don’t do any harm. We should make these things as secure as possible.
Look at it this way:
If a political party, or people working on its behalf, want to hack an election that is not only an inherently difficult thing to do. More importantly, it’s hard to do without leaving evidence. It also involves a lot of little explored complexities: to know what’s going to be a ‘reasonable’ shift in the totals you need some real time idea of what the actual results are. It’s a complicated proposition that would likely involve a number of people working in concert and thus difficult to keep secret.
But here’s the thing. If foreign hackers of any source or domestic hackers for that matter want to disrupt an election, that’s much simpler. Perhaps you’ve hacked into the servers in advance and then you simply erase the data late in the day? Or shift it to all-Clinton or all-Trump. If it’s being done from somewhere in Senegal or Bangkok you’re never going to track down and apprehend the culprits. And the changes to the numbers don’t need to be credible to severely disrupt the election. Complete hypothetical: what if 10 critical precinct tallies in Florida and Ohio are simply erased or tampered with so that the numbers bear no confidence? What do you do then? We’re not in a high-trust climate in our politics where something like that could be easily resolved. Precisely because we are already in such a low-trust political era, even a tiny number of demonstrated cases of cyber-tampering would cast a penumbra of doubt over the whole process, especially for the losing party.
The point is that disruption doesn’t really require hiding your tracks. It’s enough to disrupt, delete, alter. It can also be done by people who don’t have any particular concern with the actual election outcome, have no need to make the results credible and have none of the legal or reputational vulnerabilities that might deter people within the political system itself from trying to tamper with election results.
We may be in some trouble here:
The country has enough things to freak out about as a country. I’m not saying we should start wigging out about this. But it’s definitely worth being concerned about and hopefully one that federal law enforcement authorities are focusing on and proactively working with local authorities to prevent. And it’s something qualitatively easier to pull off for bad actors whose aim is disruption rather than winning.
Dana Milbank, however, takes a different view, noting that these guys aren’t very good at this stuff yet:
Last week, we learned something else: The Russians aren’t just hackers – they’re also hacks. It turns out that before leaking their stolen information, they are in some cases doctoring the documents, making edits that add false information and then passing the documents off as the originals.
Foreign Policy’s Elias Groll reported last week that the hackers goofed: They posted both the original versions of at least three documents and their edited versions. These documents, stolen from George Soros’s Open Society Foundations, were altered by the hackers to create the false impression that Russian anti-corruption activist Alexei Navalny was funded by Soros. A pro-Russian hacking group, CyberBerkut, had inserted Navalny’s name, bogus dollar amounts and fabricated wording.
That’s comically inept, but Milbank thinks that sloppiness might not last:
Are Vladimir Putin’s operatives planning to dump edited DNC documents on the eve of the presidential election?
Perhaps they’ll show that the Clinton Foundation has been funding the Islamic State, or they’ll have Hillary Clinton admitting that she didn’t care about those Americans who died in Benghazi after all. Maybe they’ll show that she really did lose most of her brain function in that fall several years ago and is now relying on Anthony Weiner to make all of her decisions.
Russian “dezinformatsiya” campaigns such as this go back to the Cold War; the Soviet portrayal of AIDS as a CIA plot was a classic case. But this type of cyberwar – email hacking and, now, the altering and release of the stolen documents – is a novel escalation. It’s tempting to wonder how differently the Cold War might have gone had there been cyber-hackers back then. We’ll never know, of course, because the Soviet Union crumbled before Al Gore invented the Internet.
Ha, ha – but Milbank is serious:
It’s clear that Russia’s disinformation wars are as active as ever. On Sunday, Neil MacFarquhar wrote in the New York Times about Russian attempts to undermine a Swedish military partnership with NATO.
The campaign is spreading false information that there’s a secret nuclear weapons stockpile in Sweden and alleging that NATO soldiers could rape Swedish women with impunity. This Russian use of “weaponized information” helped to cause confusion in Ukraine in 2014, when conspiracy theories spread by the Russians about the downing of a Malaysian Airlines jet helped Russians justify their invasion of Crimea.
Paul Manafort may have had a hand in that, and all of this could point to a Putin-sponsored October surprise:
Putin has meddled in domestic politics in France, the Netherlands, Britain, and elsewhere, helping extreme political parties to destabilize those countries. He appears to be doing much the same now in the United States, where, in addition to the DNC and state voter system hacks, there have also been reports this summer about Russia hiring Internet trolls to pose on Twitter and elsewhere in social media as pro-Trump Americans. Trump and Putin have expressed their mutual admiration, and even after the departure of Trump campaign manager Paul Manafort, Trump and several top advisers have close ties to Moscow.
It is time to worry:
The hyper-competitive American media environment is vulnerable to the sort of technique the Russian hackers used in the Soros case – stealing documents, altering them, then releasing them as the original. If Putin’s hackers were to release such a doctored document smearing Clinton in, say, late October, it’s likely that competition would lead outlets to report on the hacked documents before they had a chance to see whether and how they were altered.
We don’t know what, if anything, Putin’s hackers have planned for this fall. But the doctored Soros documents could be a clue.
That is an issue, but at the Atlantic, Kaveh Waddell argues that electronic voting itself could undermine the election:
For years, security researchers and academics have urged election officials to hold off on adopting electronic voting systems, worrying that they’re not nearly secure enough to reliably carry out their vital role in American democracy. Their claims have been backed up by repeated demonstrations of the systems’ fragility: When the District of Columbia tested an electronic voting system in 2010, a professor from the University of Michigan and his graduate students took it over from more than 500 miles away to show its weaknesses; with actual physical access to a voting machine, the same professor – Alex Halderman – swapped out its internals, turning it into a Pac Man console. Halderman showed that a hacker who has access to a machine before Election Day could modify its programming – and he did so without even leaving a mark on the machine’s tamper-evident seals.
But it wouldn’t even take a full-fledged cyberattack on an electronic voting system to throw a wrench in a national election. Even the specter of the possibility that the American electoral system is anything but trustworthy provides ammunition to skeptics to call foul if an election doesn’t go their way.
That’s ammunition for Trump:
That’s the argument that Dan Wallach, a computer-science professor at Rice University, put forward in an essay earlier this month titled “Election Security as a National Security Issue.” Nicholas Weaver, a professor and security researcher at the University of California, Berkeley, expanded on Wallach’s thesis in Lawfare this month. “Voting systems need to convince rational losers that they lost fairly,” Weaver wrote. “In order to do that, it is critical to both limit fraud and have the result be easily explained.”
And one must assume that Donald Trump won’t be a rational loser, which means paper works best:
Paper ballots are harder to fudge than votes stored in bits and bytes: A manual recount can help assuage fears of a rigged election. Even voting machines that spit out voters’ choices on a piece of paper before submitting them are verifiable. But machines that record votes directly without providing a physical receipt aren’t terribly easy to audit if accusations of fraud begin to fly.
The more that voters’ faith in electronic systems is shaken before November the higher the likelihood that voters might question the outcome of an election that includes electronic ballots. Donald Trump has already made repeated predictions that the general election will be “rigged,” even going so far as to recruit volunteer “Trump Election Observers” to monitor polls. And election-related security issues may already be on voters’ minds after two email hacks this summer, one that targeted the Democratic National Committee, and another that targeted the Democratic Congressional Campaign Committee.
Go with paper:
Spying on voter-registration data isn’t the same thing as manipulating election results, of course. Most of the information in voter rolls is publicly available, even if cumbersome to assemble, or is available from data brokers for a cost. But the attacks in Arizona and Illinois suggest that foreign hackers are targeting election data – and raise the prospect that they may also try to manipulate votes come November.
Wallach, who says he was invited to testify about voting security before the House Science, Space, and Technology Committee next month, says the attacks on the state election data heighten the urgency for states to adjust their approach to voting before November.
Weaver went further. “This is yet more ammunition in the contention that pure electronic voting is simply too dangerous: We must use paper, either directly filled out by the voter or as a voter verifiable paper audit trail,” he wrote in an email.
“Especially with the problem of the ‘irrational loser’: Trump can point to this and go ‘See, the system is rigged,’ and I personally worry that such language might inspire some fraction of his followers to commit a violent act.”
That may be what Putin has in mind, a bit of civil war in November as each side claims that “they” really won the election and one side decides to get violent about it. That would be chaos and Putin could then go about reassembling the old Soviet Union without anyone bothering him. And who invited this chaos? That would be Donald Trump, one month ago, although he probably didn’t realize that was what he was actually doing. Does he ever?