The leak of a classified NSA document confirming that Russian military intelligence interfered with the 2016 U.S. presidential race has reinforced the need to fix vulnerabilities in America's voting infrastructure before the next election cycle, say experts who expressed dismay over the reported intricacy of the Kremlin's campaign.
According to the leaked report, which was dated May 5 and published yesterday by The Intercept, the Russian General Staff Main Intelligence Directorate, or GRU, launched a spoofing attack against an unnamed electronic voting vendor to gain access to that company's data and internal systems. Next, the GRU hackers (often referred to as the APT Fancy Bear) sent various government employees spear-phishing emails that appeared to come from this e-voting vendor but actually carried attachments that infected machines with malware.
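The chain described above, a spoofed vendor identity followed by spear-phishing mail carrying a malicious attachment, is exactly what a mail gateway or SOC triage script can flag on arrival. The following is an added defensive example, not code from the article or from any vendor or agency it mentions: it parses a message with Python's standard email library, checks whether the SPF, DKIM and DMARC results recorded in the Authentication-Results header align with the visible From domain, compares From against Return-Path, and flags macro-enabled or script attachments. All domains, addresses, the list of risky extensions and both sample messages are constructed for this example.

```python
"""Triage inbound mail for sender spoofing and risky attachments (added example)."""
import email
import os
import re
from email import policy
from email.utils import parseaddr

# Extensions that commonly carry macro or script payloads (assumption for this example).
RISKY_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".exe", ".js", ".vbs", ".hta", ".lnk", ".scr"}

# Matches RFC 8601 clauses such as "spf=pass smtp.mailfrom=x.example" or
# "dkim=fail (reason) header.d=x.example"; the domain group is optional.
AUTH_PATTERN = re.compile(
    r"\b(spf|dkim|dmarc)=(\w+)(?:[^;]*?\b(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+))?",
    re.IGNORECASE,
)


def parse_auth_results(value):
    """Return {'spf': (result, domain), 'dkim': (...), 'dmarc': (...)} from the header text."""
    results = {}
    for method, result, domain in AUTH_PATTERN.findall(value or ""):
        results[method.lower()] = (result.lower(), (domain or "").lower())
    return results


def domain_of(header_value):
    """Extract the lower-cased domain from an address header (empty string if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return a list of human-readable findings; an empty list means nothing looked off."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    from_header = str(msg.get("From", ""))
    from_domain = domain_of(from_header)
    display_name, _ = parseaddr(from_header)
    return_path_domain = domain_of(msg.get("Return-Path", ""))

    # Envelope sender (Return-Path) and visible From should normally share a domain.
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain!r} differs from From domain {from_domain!r}")

    # A display name that itself looks like a (different) domain is a classic lookalike trick.
    lookalike = re.search(r"[\w-]+(?:\.[\w-]+)+", display_name)
    if lookalike and lookalike.group(0).lower() != from_domain:
        findings.append(f"display name contains domain-like text {lookalike.group(0)!r}")

    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    spf = auth.get("spf")
    if spf is None or spf[0] != "pass":
        findings.append("SPF did not pass")
    elif spf[1] and spf[1] != from_domain:
        findings.append(f"SPF passed for {spf[1]!r}, which is not the From domain (unaligned)")
    dkim = auth.get("dkim")
    if dkim is None or dkim[0] != "pass":
        findings.append("DKIM did not pass")
    elif dkim[1] and dkim[1] != from_domain:
        findings.append(f"DKIM signed by {dkim[1]!r}, which is not the From domain (unaligned)")
    dmarc = auth.get("dmarc")
    if dmarc is None or dmarc[0] != "pass":
        findings.append("DMARC did not pass")

    # Flag attachments whose extension indicates macro or script content.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name!r} has risky extension {ext}")
    return findings


# Constructed sample: a message impersonating a fictional e-voting vendor.
SPOOFED_MESSAGE = b"""\
Return-Path: <bounce@mail-vendor-support.example>
Authentication-Results: mx.county.example; spf=pass smtp.mailfrom=mail-vendor-support.example; dkim=none; dmarc=fail header.from=evotevendor.example
From: "EVoteVendor Support" <support@evotevendor.example>
To: clerk@county.example
Subject: Updated poll book instructions
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached instructions before election day.
--b1
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="instructions.docm"
Content-Disposition: attachment; filename="instructions.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: a legitimate message from the same fictional vendor.
CLEAN_MESSAGE = b"""\
Return-Path: <support@evotevendor.example>
Authentication-Results: mx.county.example; spf=pass smtp.mailfrom=evotevendor.example; dkim=pass header.d=evotevendor.example; dmarc=pass header.from=evotevendor.example
From: "EVoteVendor Support" <support@evotevendor.example>
To: clerk@county.example
Subject: Maintenance window
Content-Type: text/plain

We will be offline Saturday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, triage(raw) or "no findings")
```

The alignment checks matter more than the bare pass/fail: an attacker who controls their own sending domain can easily get SPF to pass for that domain, so a gateway that only looks for `spf=pass` without comparing the authenticated domain to the From domain will wave the lookalike through. Running the script prints five findings for the spoofed sample and none for the clean one.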
"We have been thinking that Russian hackers primarily targeted our election with cognitive attacks, such as propaganda, doxxing, social media likes, etc., in an attempt to sway voters' opinions. Now it appears they were active at a much deeper level, tactically and technically closer to the actual vote count," said Kenneth Geers, senior research scientist at Comodo Group, and also a NATO Cyber Centre Ambassador and former NSA/NCIS analyst.
J. Alex Halderman, director of the Center for Computer Security & Society at the University of Michigan's College of Engineering, said that Russia's spear-phishing plot "raises an enormous number of questions about how far they got [and] if other vendors were attacked that haven't been detected or announced yet, about what they were trying to do, and about whether they succeeded" in their ultimate objective.
Disturbingly, Sen. Mark Warner (D-Va.), vice chairman of the Senate's Select Committee on Intelligence, said in an interview with USA Today that Russian attacks on U.S. election systems were even more serious and targeted than was reported in The Intercept.
"I don't believe they got into changing actual voting outcomes. But the extent of the attacks is much broader than has been reported so far," said the senator.
By and large, security experts agree with Warner that there is still no evidence suggesting that Russian hackers actually altered vote tallies. "There would be little time to analyze material exfiltrated, let alone act on it, to develop an attack against voting machines, which would, in any case, be in the process of being distributed to the polling stations in the weeks before the election," said Phillip Hallam-Baker, VP and principal scientist at Comodo. However, "It is possible that the attacks were advance planning for future elections, possibly outside the U.S."
Hallam-Baker did note that the report referenced another campaign designed to impersonate a legitimate absentee ballot service provider. "It is possible to imagine attacks in which such a company could suppress votes of targeted electors by suppressing distribution of ballots or causing cast ballots to be destroyed," said Hallam-Baker. "But there is no reason to believe such attacks are even possible, let alone have been attempted at this point."
However, Halderman left the door open to the possibility that votes could have been sabotaged. For instance, if a state election official whose machine was infected has network access to the systems used to program voting machines, then the hackers "can potentially spread malicious software to the machines themselves and change votes," explained Halderman, who was among a group of computer scientists who in November 2016 lobbied Hillary Clinton campaign officials to contest certain states' vote counts to ensure voting machines were not compromised.
"We presume that with two Congressional committees also investigating, if new questions present themselves regarding whether vote tallies were altered, one of these investigative bodies will be looking for that kind of evidence," said Kevin Livelli, director of threat intelligence at Cylance.
In light of the leaked report, Sen. Warner is reportedly urging intelligence agencies to declassify even more information – including exactly which states, and how many, were hit in the attack – before midterm elections begin in earnest. Which brings up another question about the leaked NSA document: to what extent are federal agencies still sitting on key intelligence, and should they be sharing more in light of President Donald Trump's refusal to accept evidence that Russia meddled in the elections?
"Sometimes, things can be classified not because the information itself is particularly sensitive, but because we don't want our adversaries to know how we obtained information," said Lawrence Norden, deputy director of the Democracy Program at the Brennan Center for Justice at New York University's School of Law. "I just don't know enough to know what the justifications were here or whether they were sufficient. I do think that generally, from a security perspective, the more information we have about the kinds of attacks Russia engaged in the better."
Halderman said he would have preferred if U.S. intel agencies had revealed even more information back in their December 2017 Grizzly Steppe report, which resulted in President Barack Obama's sanctions against Russia. "I'm glad that we know this information now, because I think the public and legislators being aware of it is important for making sure we [take steps] to secure voting before the next election," he said.
In its own official statement, the National Association of Secretaries of State requested additional transparency from the federal government, asking law enforcement officials to notify all government workers who were targeted in the email spear-phishing campaign.
While NASS also emphasized that there is no reason to believe votes were changed at the state or local level, the organization did note that the Russian cyberattacks are "an urgent reminder of the need to get more cybersecurity support and resources into the hands of the state and local officials who administer and oversee U.S. elections."
Norden from the Brennan Center agreed with that notion: "Congress has been asleep at the switch for years," he said. "We need to be pressuring local, state and the federal governments to double down on the resources they provide election officials to protect that infrastructure from attack, and to be able to mitigate damage in the event of an attack. That starts with replacing antiquated systems, whether it is old, paperless voting machines or the computers and software that support our voter registration databases."
For future elections, Halderman recommended that every vote should be recorded on paper – out of reach of cyberattackers – and that after the polls close, states should be required to conduct an audit to ensure that hard-copy records match the voting machine data.