21 December 2020

Election Security 2020

by Adam Segal, Connor Fairman, Lauren Dudley, and Maya Villasenor

In the weeks leading up to the 2020 presidential election, the U.S. government and technology companies took several steps to safeguard election security in cyberspace, focusing their efforts on disinformation and cyberattacks. Although there were a handful of incidents, none compromised the integrity of the election, and Election Day passed without any major disruption. As one official from the Cybersecurity and Infrastructure Security Agency (CISA) put it, Election Day was “just another Tuesday on the internet.” Why did things go right this time? A combination of government and private sector action motivated by the lessons of the 2016 and 2018 elections. Still, as the vote count continues, disinformation remains a real threat.

In early October, the Department of Justice (DOJ) seized ninety-two domain names masquerading as news outlets that Iran’s Islamic Revolutionary Guard Corps had been using to distribute propaganda in the United States, Western Europe, the Middle East, and Southeast Asia. Days later, following U.S. Cyber Command strikes against the Russian botnet Trickbot, a U.S. district court in Virginia issued an order allowing Microsoft to seize servers enlisted in the botnet due to concerns that Trickbot could threaten computers used to report on election results and maintain voter registration records.

Later in the month, the DOJ indicted six Russian military intelligence officers believed to be responsible for spreading the NotPetya malware and attacking Ukraine’s critical infrastructure, President Emmanuel Macron’s 2017 election campaign, and the 2018 Winter Olympics. Though Russia has long been widely believed to be behind these incidents, the timing and publicity of the indictment were clearly a warning to the Kremlin against interfering in the upcoming presidential election.

On the eve of the election, CISA prepared a virtual war room to allow election officials to quickly report and address potential cybersecurity threats. The war room could remain in operation until the election is formally certified when electors cast their votes in mid-December. Moreover, U.S. Cyber Command officials informed the New York Times that it sent teams across the globe to identify and undermine foreign hacking groups ahead of the election. This reproduced efforts used before the 2018 elections and exemplifies U.S. Cyber Command’s strategy of “defending forward” and persistent engagement.

Cyberattacks on Election Infrastructure

Despite considerable efforts undertaken by the U.S. government to prevent cyberattacks from targeting state and local networks before the election, there were nonetheless a handful of incidents. 

The FBI and CISA issued two major advisories on October 22, stating that Iran and Russia had breached state and local government networks. The week after, the two agencies revealed that Iranian hackers had also probed state election websites. This allowed them to access non-public voter registration data in Alaska, resulting in the mass dissemination of voter information and threatening emails sent to registered Democrats.

There was also one documented case of a ransomware attack that compromised election infrastructure in Hall County, Georgia. After county officials failed to pay a ransom to the attackers, voters’ private information was published on a website belonging to the DoppelPaymer ransomware group, which is believed to be based in Russia. The leaked information included voter names and registration numbers, an inventory of election equipment, and ballots identified to contain mismatched signatures.

Despite these incidents, U.S. officials repeatedly sought to reassure the public that there was no evidence that election integrity had been compromised. Moreover, there appeared to be no major cyberattacks on Election Day, with one CISA official commenting, "For the most part today it's been a little boring and that's a good thing — this is kind of one of those best-case scenarios that we would hope for."

Disinformation 

As the FBI and other government agencies had warned, U.S. voters were targeted with disinformation by foreign and domestic actors often seeking to exacerbate existing social and political divisions and undermine confidence in election security.

Under intense scrutiny from lawmakers, social media companies stepped up their efforts to prevent the spread of disinformation on their platforms. In the run-up to the election, companies including Facebook and Twitter increased information sharing with the U.S. government, removed accounts known to spread disinformation on their platforms, demoted and flagged posts potentially containing disinformation, and accelerated efforts to detect and remove inauthentic coordinated activity. Either because private sector efforts were effective, attackers decided to hold off, or some combination, foreign actors appear to be playing less of a role in the spread of disinformation in this election compared to 2016.

Unfortunately, domestic actors have played an increasingly significant role in the spread of disinformation. President Trump and members of his campaign have been heavily criticized for sowing doubt about the integrity of the election, and U.S. officials warn that foreign actors will amplify these messages. Since Election Day, Facebook, Twitter, and YouTube have aimed to prevent premature claims of victory by flagging posts falsely claiming victory and adding notices to social media feeds to remind users that votes are still being counted.

Unclear Outcome

While the American public likely won’t know the final vote tally for some time, they can rest assured that no cyberattacks seem to have compromised the integrity of the 2020 election. Nonetheless, we are not out of the woods yet. As uncertainty spreads over who will be victorious, controlling disinformation is more critical than ever. It is up to social media platforms and the U.S. government to ensure that the final stretch of the democratic process is protected against false information, both foreign and domestic, that could incite confusion and, possibly, violence.
