If you thought 2016 was bad, just wait for the sequel.
Russian election interference seeped into nearly every aspect of the political landscape two years ago, but many experts are wondering whether upcoming U.S. elections could be worse.
“If we do nothing, if we let the mechanics of voting continue to deteriorate, then I am 100 percent sure that we are going to be attacked again in the fullness of time,” said J. Alex Halderman, a professor of computer science at the University of Michigan. “And it’s going to make 2016 look quaint by comparison.”
Forty-three states used computer voting machines that were at least 10 years old in 2016, Halderman said. Russian cyberattacks or other activities were detected in at least different 21 states, in what were generally considered hacks probing for vulnerabilities that could be exploited more later.
A potential worst case scenario this year or in 2020 could make that look like a picnic.
The way we vote
The actual nuts and bolts of how Americans vote are vulnerable for a number of reasons.
Older computerized voting machines run older software, which makes them more exposed to potential vulnerabilities. In the case of many states that either use a completely digital or partially digital voting system, they’re ripe for hacking.
“I have in my office, sitting on my desk, a touchscreen computer voting machine of a type that’s still used in several states that my research group hacked ten years ago in order to make a silent vote-stealing attack,” Halderman said.
Such machines are still in use in some states and are “badly, badly vulnerable,” he said. “They can be attacked remotely by sophisticated attackers to make them lie about the election outcome.”
Five states use a touchscreen voting system that leaves no paper trail to detect a hack, and nine others use a mix of paper ballot and digital counting methods that also don’t leave a trail.
That elections are run at the state and county level is another aspect of the system under scrutiny. Many jurisdictions don’t adequately staff their information technology security staff, says Harri Hursti, an election security expert featured in the HBO documentary Hacking Democracy.
Government officials often contract out election management and software to companies that people don’t realize are, in some cases, “12 people in a strip mall,” he said.
Still, because computers make the election process so much quicker and cheaper, many voting jurisdictions and elected officials weren’t quick to adopt strictly paper methods.
“I think there’s a lot of people who don’t understand how computers work,” said Marian Schneider, the president of the election accuracy nonprofit Verified Voting. “They feel like if you can order a hoagie at Wawa [on a touch screen] then you ought to be able to do something like that with voting.”
Twenty years ago, or even 10, it would have been impossible to guess that social media would be one of the biggest storylines coming out of a national election.
Nevertheless, thanks to a broad and targeted misinformation campaign that’s been pinned to Russian operatives, that’s where America is.
The social media giants of the world, the Facebooks and Twitters, continue their global takeover despite the regulatory lens of the U.S. government, and the critical glare of the news media, trained on them.
Over the past year, the companies have been slowly disclosing how Russian operatives used their platforms to exacerbate already-existing divides in American culture leading up to the 2016 election, both by buying ads and by promoting organic content through phony accounts.
Facebook revealed in October that more than 120 million users may have seen content “that originated from the Russian operation.” And Twitter recently said that more than 677,000 users interacted with posts from more than 50,000 automated “bot” accounts associated with Russia.
“I think [the companies] really are trying to have their houses in order so they are not the topic of conversation leading into the midterm elections,” said Philip Napoli, a professor of public policy at Duke University who researches media regulation.
Facebook is rolling out a new algorithm that it says will emphasize posts made by friends and family, and decrease the amount of content from businesses, brands and media. Twitter says it increased its detection rate of automated content creators by 60 percent just from October to December 2017.
And some lawmakers have pushed for greater disclosure of who is paying for political ads on social media, as is done in TV and newspapers.
Still, it’s unclear how any changes made will effectively halt polarizing messaging by nefarious actors. The use of social media by Russian bots and trolls never stopped. It is incredibly cheap and clearly effective.
“Whenever a solution is implemented, the workarounds begin,” Napoli said. “I just don’t know how you maintain the scale at which these platforms operate and not be a porous platform where significant amounts of misinformation can still slip through.”
After initial denials, Facebook has begun to accept that its platform wields an incredible amount of power. Less than a decade ago, social media was being hailed for helping fuel a civil resistance in Tunisia. Now it’s under fire for eroding democracy.
“And that’s not an uncommon pattern that we see with new communications technologies — from Utopian to apocalyptic in a fairly short turnaround time,” Napoli said.
Just as in 2006, no one had heard of Twitter, by 2020, and 2024, there will be completely new social tools and companies that people will be using to share information.
More than the ballot box
When it comes to hacking voting infrastructure, one danger is more subtle than literally changing peoples ballots after they’re cast.
“Maybe the threat model is not only that somebody wants to win or that somebody wants to boost their favorite candidate to win, it might just be to cause havoc and undermine trust in the system,” says Hursti.
In short, an attacker might disrupt an election by disrupting everything else associated with an election.
“All of a sudden, an attack where you would go to voter registration systems and randomize a party affiliation, making primaries a complete disaster is what the attacker might want to do,” he said.
The Help America Vote Act of 2002 required each state to implement a “centralized, interactive computerized statewide voter registration list,” which would contain the name and registration information for every legally registered voter in each state.
While the rule may have made voting more efficient, it also introduced a wealth of new vulnerabilities. The new requirement, combined with a lack of adequate funding for increased security, “created the possibility of coordinated attacks where this possibility never existed before,” wrote Emily Shaw, for the nonpartisan Sunlight Foundation.
Many jurisdictions have begun also digitizing how registered voters are checked in at their polling places. Electronic poll books, in most cases laptops or tablets, have begun replacing the three-ring binders that local elections workers use in each district or precinct. As of March 2017, 32 states had jurisdictions that used e-poll books, according to data from the National Conference of State Legislatures.
In many cases, the e-poll books can scan a person’s driver’s license to allow them to vote, a process that avoids data entry errors — but Hursti says it’s an example of another technology that introduces an entry point where a malicious actor could introduce a cyber-threat.
“The driver’s license was never intended to be used in this type of environment, the bar code can be used to inject an attack,” Hursti said. “I actually think this is a place where technology can do a lot of good for democracy, and can make a lot of the process easier, it just has to be brought in a very responsible way otherwise it will be a low hanging fruit for an attacker to cause havoc.”
Campaigns are targets too
Whereas the security of voter rolls and ballot boxes is regulated by the government, if not always strictly enforced or well-funded, cybersecurity in the campaign world goes just about completely unregulated.
In 2016, the reams of emails that became public from the Democratic National Committee as well as Hillary Clinton’s campaign staff dominated whole weeks of news cycles and public conversation.
The types of phishing attacks that garner data like that are cheap, effective, hard to track and perfect for the American electoral system, says Nicholas Weaver, a researcher at the International Computer Science Institute.
“Phishing is unreliable — you might send out 500 phishing emails and only get a couple of responses,” said Weaver. “But when you have  House races, each with dozens of potential staffers as targets, you’re going to see a lot of these low-level attacks that are remarkably effective when you just use the law of large numbers.”
It’s mostly up to each individual campaign to police and enforce its own cybersecurity, and force staffers to do things like two-factor authentication.
“Campaigns need to think like they are a target,” Weaver said. “Because they are.”
The thing that ties all these strategies together is messaging.
Even without actually changing any ballots, the attacks of 2016 exposed the possibility that voting systems could be hacked in a way that could go undetected.
So a long-term risk for the United States is that the voting public loses faith in the concept of a fair democratic system if it can’t be sure the system wasn’t manipulated — especially if elected officials, without evidence, complain about illegal votes.
“That’s, unfortunately, the situation we’re in, where experts like me cannot reassure people that the system is foolproof, because it’s not,” said Halderman.
“With every year that goes by without significant new investment in voting technology, the system becomes weaker, and our basis for confidence in election results unfortunately deteriorates,” he also explained.
All that is to say, in 2018 or 2020, Russia or another hostile party could toss support behind the Democrats in an effort to create a divided and gridlocked government, or just mix up voter registrations to sow confusion and frustration in a public that is clearly prone to further polarization already.
“It may have been Russia in 2016 but in the future it could be China, it could be North Korea, it could be any number of other countries that are developing sophisticated cyber-offensive capabilities,” said Halderman. “The fact is, interfering in elections through cyber-means is cheap and it can be very effective. ”