Post-Election Day: US on Guard for Hacking, MisinformationTime is Ripe for Interference, But US Projects Confidence
After weeks of rising anxiety, Election Day proceeded in the U.S. with no public indications of interference. But experts say misinformation campaigns are still likely, and there’s plenty of time for malicious activity as the vote tallying proceeds.
U.S. officials, who have been closely tracking the rising cyber activity by Iran and Russia, have been warning that some states will not have final tallies for days or weeks later due to voluminous mail-in ballots cast due to the COVID-19 pandemic. That opens a door for miscreants seeking to cause doubt whether the outcome is legitimate.
Christopher Krebs, the director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, tweeted on Tuesday that now is the "prime time" to expect to see four types of disruptive attacks.
As polls close & *unofficial* results post, it's prime time for the 4 Ds of Election Night Reporting (ENR) disruption:— Chris Krebs #Protect2020 (@CISAKrebs) November 3, 2020
Demand - legit overdemand causes outage
Defacement - changing website content
Denial of Service - bad guys cause outage
Disinfo - fake news abt results
U.S. voting infrastructure is distributed and decentralized, and experts say it’s unlikely that foreign actors could influence vote tallies in a significant way. But there are a variety of other types of attacks that could inject anger and doubt into what has been a volatile and messy campaign.
After 2 a.m. Eastern Time on Wednesday morning, President Donald Trump claimed at a news conference at the White House: “Frankly, we did win this election.” At that time, Trump was just a handful of votes behind Democratic candidate Joe Biden in the Electoral College.
“Millions of people voted for us tonight, and a very sad group of people is trying to disenfranchise that group of people, and we won’t stand for it,” Trump said.
Trump implied that continuing to count votes that might overturn his early lead in key states such as Georgia, Michigan and Pennsylvania would amount to fraud. He said his administration would petition the Supreme Court, saying it wanted all voting to stop.
“This is a major fraud on our nation,” Trump said.
Misinformation Kicks Off
As Krebs notes, misinformation includes that which is spread on social media, distributed denial-of-service attacks against state and county election websites or defacement of those sites. It’s also possible that legitimate demand for election websites could cause those sites to not function properly, which could incorrectly raise suggestions those sites were attacked.
There’s also always a chance of ransomware throwing a spanner in the works. In early October, Hall County in Georgia saw a voter database that’s used to confirm ballot signatures get infected. Election officials use those signature databases to verify mail-in ballots (see: Ransomware Knocks Out Voter Database in Georgia).
The lowest-hanging fruit is misinformation and doubt spread on social media, says Saryu Nayyar, the CEO of security vendor Gurucul. “Social engineering is much easier than performing a technical attack against infrastructure,” she says.
Facebook, Google and Twitter have developed new policies for dealing with misinformation. Facebook, which owns Instagram, is displaying a Voter Information Center within its apps that directs people to Reuters for authoritative information about election results.
Facebook has said that if violence breaks out in the U.S., it will use at-risk tools it has used in other places such as Sri Lanka and Myanmar. That includes a stricter content banning policy and slowing the viral spread of posts. Facebook has also banned all new political ads after Election Day, although ones that have already been approved can still run.
Google is blocking certain auto-complete suggestions for searches about the election. At the top of search results, it is also directing people to the Associated Press and Democracy Works, which is a nonpartisan nonprofit organization that provides information on how to vote.
Twitter has stepped up its efforts to ban or label misleading election posts, including some that suggest without proof that mail-in ballots pose risks of fraud. Twitter altogether banned political advertising last year.
It was clear Twitter was taking action on Tuesday. As an example, it added a labels to several posts by Mike Roman, who is Trump’s director of election day operations.
In one tweet, Roman posted a video of a woman who claimed that when she went to vote in Pontiac, Michigan, someone approached her with a completed sample ballot favoring Democrats and gave her $5.
One of our volunteers in Pontiac MI was outside a polling location when a Democrat operative approached her with a sample D ballot and offered her $5 to vote for Joe Biden.— Mike Roman (@mikeroman) November 3, 2020
This must stop. pic.twitter.com/XB9X7NK0pt
Twitter added a label at the bottom of the post: “Learn about US 2020 election security efforts.”
Roman also tweeted an allegation of illegal campaigning inside a Philadelphia polling place, claiming the photos showed Democrats were stealing the election.
Philadelphia’s District Attorney’s Office took issue with another Roman tweet, which implied that an election poster favoring Democrats was too close to the polling area. The DA's Office said it had investigated and concluded Roman’s tweet was “deliberately deceptive.”
Members of our Election Task Force have investigated this allegation. This polling place is located in an interior room and the sign in question is further than 10 feet from it. This tweet is deliberately deceptive. #PhillyVotes #Election2020 https://t.co/szKgxoigVm— Philadelphia DAO (@philadao) November 3, 2020
Behind the Scenes
From a cybersecurity perspective, the election may seem calm. But that doesn’t mean there isn’t offensive and defensive activity going on behind the scenes that could become public later.
“It's almost certain that attacks are underway now against the voting infrastructure and communications channels,” Nayyar says.
The chief suspects have been Iran and Russia. The U.S. government has tied Iran to an email campaign last month that sent thousands of intimidating emails to registered Democrats advising them to vote for Trump "or else."
The FBI and the Cybersecurity and Infrastructure Security Agency have released more details about the email campaign, adding that the Iranian group successfully obtained voter registration data from at least one state that it did not identify (see: Election Interference: Feds Detail Iran's Alleged Campaign).
Also, the FBI and CISA warned that Russia had exfiltrated data from two servers belonging to local government agencies, although it did not identify those affected. The Russian group is a long-known group called Berserk Bear or APT 28. It’s believed to be run by Russia's Federal Security Service, which is known as the FSB (see: US Officials Blame Data Exfiltration on Russian APT Group).
Tom Kellerman, head of cybersecurity strategy at VMware, and who served as a cybersecurity adviser to former President Barack Obama, says the warning about Berserk Bear was “unprecedented.” That shows “our watchers on the wall are in hand to hand combat with Russian cyber militias," he says.
“Unlike 2016, the [U.S.] Cyber Command, CISA and the FBI are successfully thwarting this malign influence operation,” Kellerman says.
Indeed, U.S agencies have been projecting confidence. Gen. Paul M. Nakasone, director of the National Security Agency and commander of U.S. Cyber Command, tweeted late Tuesday that the agencies “are working around the clock to defend our nation, making it harder for adversaries to conduct malicious cyber campaigns.”
When you combine the insights and expertise of a preeminent cryptologic agency with the capabilities of a military combatant command, you get a powerful united effort that helps defend our Nation and secure the future.— General Paul M. Nakasone (@CYBERCOM_DIRNSA) November 3, 2020
Managing Editor Scott Ferguson and News Editor Doug Olenick contributed to this report.