The greatest threat to the 2020 presidential election may not be hacking of voting systems, but the hacking of the Americans' faith in their elections, security insiders said at a cybersecurity summit in Washington, D.C. this week.
"If we keep telling voters that elections are screwed up then they're going to start believing us and stop voting," said Ohio Secretary of State Frank LaRose.
"Having American citizens occupied with that narrative is what foreign autocracies want. They want Americans to lose faith that their vote counts," he added.
During the 2016 presidential election between Hillary Clinton and then-candidate Donald Trump, Russian-backed agents launched a sweeping attempt to penetrate and disrupt the U.S. election system from all angles, including sowing discord through social media and probing state voter registration databases, according to intelligence community assessments and Senate Intelligence reports.
There is no evidence the hackers, which included Russian military cyberattack units, according to the report by special counsel Robert Mueller, penetrated any non-internet connected systems during the 2016 race, especially actual voting or tabulation machines. There is no evidence of a single vote being changed.
But the information about the penetration attempts as well as the steps taken to fix them can have the unintended consequences of shaking Americans' faith that their vote counts when that news is amplified and distorted by partisans and bad actors, speakers at the summit warned. That's especially true if voters aren't happy with how the vote turned out.
"Forty percent of voters will feel a vote was not fair if their candidate loses," said David Becker, executive director and founder of the nonprofit Center for Election Innovation and Research.
While shaken voter confidence is of paramount concern, security experts warned of very real ongoing threats to the election process in the U.S. and other global democracies.
Threats include social media disinformation, cyber espionage against key participants, hack and leak operations, and attacks on critical infrastructure to tamper with or alter votes, said Katelyn Marie Bailey, an intelligence analyst with cybersecurity firm FireEye, which has a partnership with the Department of Homeland Security to share actionable information.
While the firm has seen "limited indication" of successful attempts on election systems themselves, it has observed numerous instances where actors have targeted related organizations and entities, including election commissions and state boards of elections, "conducting recon, potentially to look for logins and pivot" to be able to intrude into other systems," said Bailey.
For PACS, social media platforms, and news organizations, the firm has observed that "actors target and try to obtain info for hack and leak campaigns and attempts to sway public opinion," she said.
The need for voting machines with paper ballot backups was stressed by many speakers, including Chris Krebs, director of Cybersecurity and Infrastructure Security Agency, the recently created new Federal agency under DHS tasked with protecting the nation's critical infrastructure. Recently, election systems were designated as "critical infrastructure."
"I want the receipts," said Krebs. "I like the physical, I want the ability to go back and touch" the ballots.
Krebs also warned that the recent spike in ransomware attacks could extend to internet-connected voter registration databases.
While states have fallback plans, including same-day registration in some states, it could cause some confusion and delay at the polls.
Federal agencies, states, local municipalities, private companies, and academic researchers are sharing information, while respecting each others' roles and responsibilities, in a completely new way since 2016, participants stressed, a vast improvement.
Sometimes that response could even include U.S. forces acting on intelligence to stop threats from malicious actors, "before they reach the homeland," said Secretary of Defense Mark Esper, describing an aggressive cybersecurity doctrine termed "defending forward" by the Defense Department.
During the recent 2018 midterm elections, a newly empowered U.S. Cyber Command temporarily cut off the internet access for the Internet Research Agency, the Kremlin-linked "troll farm" that spread millions of divisive messages using false online personas before, during, and after the previous presidential election. It was a warning sign, and a proof of concept.
"Just as we do on land, at sea, and in the air, we must posture our forces in cyberspace where we can most effectively accomplish our mission. Defending forward allows us to disrupt threats at the initial source before they reach our networks and systems."
That's music to the ears of the states and localities in charge of actually running the elections.
"'Defend Forward?' To me that sounds like 'offense," said West Virginia Secretary of State Mac Warner.
States, which have the constitutionally guaranteed right to determine the "time, place and manner" of their elections, unless Congress legislates otherwise, have found themselves thrust to the front lines of defending against dedicated malicious hackers backed by the overwhelming resources of adversarial foreign governments.
"The U.S. is finally taking some offensive operations for what happened in 2016," said Warner. "That was the first good news to hear."
Basic and cheap cybersecurity practices can go quite a long way to limit many cyberattack risks, participants said. That can include using physical key two-factor authentication across equipment and accounts, including front-facing websites and social media communication accounts.
The challenge is getting that message down to and executed across the more than 8,800 election jurisdictions in the United States.