Secure 2018 US Elections: It's Too LateFacebook's Ex-CSO Says That Ship Has Sailed; Look to 2020
With less than three months to go until the U.S. midterm elections, it's understandable if you're wondering whether a raft of still-in-progress federal government proposals for securing the Nov. 6 elections might be too little, too late.
It's also unclear if the proposals might be sufficient to counter coordinated information warfare campaigns or further probes by other nations of states' electoral systems, as 21 states experienced in 2016.
"The United States ... risks allowing its elections to become the World Cup of information warfare."
At stake in the midterms is control of Congress, which could potentially swing from Republican to Democrat. In the bigger picture, however, the stakes are even higher: The integrity of the country's democratic institutions is on the line.
But Alex Stamos, who until recently served as Facebook's CSO, on Wednesday published an assessment of U.S. election security readiness and found it lacking, to put it mildly.
The title of his assessment says it all: "It's Too Late to Protect the 2018 Elections. But Here's How the U.S. Can Prepare for 2020."
Stamos, who now serves as a fellow at the Center for International Security and Cooperation, says unless the U.S. sharpens its approach to protecting elections, "it risks allowing its elections to become the World Cup of information warfare, in which U.S. adversaries and allies battle to impose their various interests on the American electorate."
The problem, Stamos says, is that Russia's GRU military intelligence agency, as well as industrial troll farms such as the Internet Research Agency, have given the world a playbook for messing with U.S. elections as well as the country's electorate.
"The uniformed officers of the GRU and the jeans-wearing millennial trolls of the private Internet Research Agency turned American technology, media and this country's culture of discourse back against the United States," Stamos writes. "Stymied by a lack of shared understanding of what happened, the government's sclerotic response has left the United States profoundly vulnerable to future attacks."
Now anyone can do it.
Stamos has plenty of blame to apportion. He says the Obama administration's weak response to Russian interference didn't help. Nor have "Republican efforts to downplay Russia's role," he says. Finally, the efforts of tech giants such as Facebook and Twitter fell far short, he acknowledges.
Ongoing Influence Operations
Meanwhile, campaigns against the U.S. remain varied and ongoing.
On Tuesday, Microsoft said it had sinkholed six domains that Russia's GRU appears to have planned to use to target conservative think tanks and the U.S. Senate as part of espionage operations. Microsoft said that action means it has now shut down a total of 84 GRU websites.
On Wednesday, Facebook, Twitter and Google announced that they'd removed pages and suspended accounts that had been tied to two separate influence operations - one run by Iran, the other by Moscow.
DHS Promises Stronger Defenses
The U.S. government says it's working overtime to strengthen election defenses.
In particular, the Department of Homeland Security says it's been working with states and voting machine manufacturers to coordinate election defense; it says it's been hard at work since last year.
DHS has also begun offering intelligence briefings to states' election chiefs, as well as up to two more state officals that each one nominates, after they obtain a security clearance.
Reuters reports that 92 out of 150 eligible state election officials now have clearance to receive such briefings.
But some intelligence experts question the briefings' usefulness.
"People always think access to classified information is the magic answer, but in the vast majority of cases that intel is irrelevant to practical defense and/or state and local officials have no capacity to use it effectively," Susan Hennessey, a former National Security Agency attorney who's now a national security fellow at the Brookings Institution and Lawfare editor, says via Twitter.
In addition, Homeland Security Secretary Kirstjen Nielsen earlier this year told Congress that some of the much-needed election security defensive measures it's pursuing will not be ready until at least the 2020 elections (see Will Congress Lose Midterm Elections to Hackers?).
Some states have also been adopting more secure voting machines or, instead, switching to paper ballots - the No. 1 recommendation of many security and cryptography experts.
Meanwhile, some secretaries of state have criticized the DHS effort as being too little, too late, and have said they are receiving no guidance on countering Russian propaganda campaigns.
Clearly, more needs to be done. Stamos, who joined Yahoo in 2014 as its CSO and later moved to Facebook where he helped battle nation-state campaigns, has four specific recommendations for improving U.S. election security.
- Create legal standards: "Congress needs to set legal standards that address online disinformation," Stamos says. Those standards should regulate not just social networks but also "the massive online advertising industry," which he says has largely been overlooked.
- Create a national cybersecurity defense agency: The U.S. needs a new, defense-only cybersecurity defense agency "with no intelligence, military or law enforcement responsibility," he says. Both France and Germany have such agencies and appear to have used them to coordinate election defense on a national level (see Au Revoir, Alleged Russian 'Fancy Bear' Hackers). Stamos notes that while DHS coordinates critical infrastructure defense, the FBI helps everyone else - and that responsibility doesn't square well with its mission.
- Bolster states' election security: Colorado and some other states have built statewide election security teams. But Stamos says all states must do so.
- Investigate all attacks: All attacks must be immediately investigated by the federal government, and the president should be prepared to bring all cyberattack capabilities to bear against offenders.
Clearly, these are big-picture rethinks of how the U.S. government might approach election security. They also require action by Congress, which has yet to tackle election security - never mind data breaches or cybersecurity - in a meaningful way.
Failing that, U.S. citizens must elect new lawmakers who will pledge allegiance to ensuring the integrity and trustworthiness of the nation's electoral system.