Why the threats to our elections are more sophisticated and widespread than ever
By Andy Kroll | Rolling Stone Magazine | February 2020
Anthony Ferrante had just arrived for work at the Eisenhower Executive Office Building, next door to the White House, when the first attack hit. Around 7 a.m., internet service went out across the United States and parts of Europe. Reddit, Netflix, and The New York Times website wouldn’t load. Ferrante couldn’t check Twitter for updates because that was down too. “No one knew what it was,” he says. “It was definitely chaotic.”
It was Friday, October 21st, 2016. In two weeks, Americans would pick a new president. When Ferrante, a director in the White House’s cybersecurity team, realized the internet had gone dark across the country, he feared the worst. Ferrante thought he was witnessing a dry run for an attack on the election.
A native of Portland, Maine, with pale Nordic features and a sharp widow’s peak, Ferrante hacked his first computer when he was 10 and studied computer science at Fordham. He was destined for a cushy career as a cyber expert in the private sector when the September 11th attacks happened. He quit corporate America, joined the FBI, and specialized in tracking terrorists on the internet; in his first case at the bureau, he helped foil the terrorist plot to blow up the PATH train tunnel between New York and New Jersey. Over the next decade, he rose to become one of the FBI’s top cybersecurity agents and helped write President Obama’s directive that created the first chain of command in the event of a major cyberattack on U.S. soil.
In late 2015, Ferrante moved to the White House to run the National Security Council’s Cyber Incident Response Desk, a small team whose job was to lead the government’s response to a major cyberattack. But by the summer of 2016, his focus had narrowed to a single but growing threat: Russian interference in the election. He and his colleagues had received intelligence reports about strange activity targeting state election websites. At first, the details were sketchy and there wasn’t enough data to draw any connections. Then, in July, the head of elections for Illinois noticed a huge amount of data flowing out of his voter registration system. The FBI discovered that Illinois had been hacked; the culprits accessed databases with information on hundreds of thousands of voters and stole an unknown quantity of data.
The FBI sent an urgent alert to state election chiefs, encouraging them to search their systems for any digital breadcrumbs that matched data from the Illinois breach. Ferrante came to work each morning to find that several new states had been targeted with the same sorts of tools and techniques that Illinois had experienced. With the FBI’s help, his team concluded that Russian-based hackers had penetrated two state voter databases (Illinois was one, the other was not publicly named) and scanned election websites in every state. “We knew at that point we were dealing with a large-scale coordinated campaign,” Ferrante says.
President Obama wanted a national cybersecurity preparedness plan for the upcoming election, and Ferrante was put in charge of creating it. He and his team spent months researching every detail of American elections and running different scenarios. What if a million people showed up to vote in Florida only to be told there was no record of them as a voter? What if a cyberattack took down the division of the Associated Press that supplies election-night reporting data to major news organizations like CNN? What if the internet crashed on Election Day?
That last scenario felt a lot less hypothetical on October 21st as Ferrante scrambled to figure out why huge swaths of the internet were dark. He called his counterparts at the FBI, CIA, Department of Homeland Security, and National Security Agency; they were just as confused as he was. By midday the outage was international news, spreading from the East Coast to the West. It was only after the third wave of attacks, Ferrante says, that the FBI made contact with an internet-domain company in New Hampshire called Dyn. The company eventually shored up its servers that day, and the internet was restored.
Ferrante and his team had by that point conducted perhaps the most exhaustive study of the potential threats to our convoluted voting system. There were the cyberthreats they had envisioned and prepared for: hacked voter registration databases, disruptions to the flow of information on election night, faulty voter equipment. By Election Day, these threats weren’t all speculative: Two teams of Russian hackers, known as Fancy Bear and Cozy Bear, had broken into the Democratic National Committee and stolen reams of data. The Dyn attack, resulting from a massive botnet that exploited flaws in internet-connected gadgets and appliances such as home security cameras and WiFi routers, showed it was possible to wreak havoc on the internet itself. (To this day, the culprit of that attack remains unknown. The FBI hasn’t announced any arrests and won’t comment on its investigation.)
For Election Day, Ferrante created the first-ever cybercommand post in the White House Situation Room. From six in the morning until the election was called for Donald Trump, he and his colleagues monitored the vote, but the day passed without incident. The sense of accomplishment he felt was outweighed by a sinking feeling over what he knew Russia had already done. By hacking the Democratic Party, spreading disinformation on social media, and compromising confidential voter data, it had proved to the rest of the world it was possible to successfully interfere in a U.S. election and come away largely unscathed.
Obama hit Russia with new sanctions and expelled 35 of its diplomats in his final days in office, but it would be up to his successor to protect against future election attacks. Soon after Trump took office, a team of cyber experts who worked in the Obama White House met with a group of Trump aides including Joshua Steinman, a cybersecurity aide to the new national security adviser, Lt. Gen. Michael Flynn. (Steinman is now the cybersecurity adviser to the president.) According to people familiar with the meeting, when the Obama staffers told Steinman they wanted to talk about Russian interference, they were met with a blank stare.
Nothing happened, was Steinman’s reply: Russia didn’t interfere in the election.
The Obama team was stunned. Inside the Trump White House, the election security issue “was taboo,” says Andy Grotto, an Obama-era holdover who wrote Trump’s 2017 cybersecurity executive order. Grotto got calls from intelligence agencies asking if they were still allowed to work with their European counterparts on interference issues. (The Trump White House didn’t respond to a request for comment for this story.) Ferrante had seen enough. Three months into Trump’s presidency, he handed in his resignation.
Obama’s Cyber Expert: Anthony Ferrante worked from the White House to try to secure the 2016 election. Afterward, he briefed the Trump team on the threat but they refused to admit Russian meddling. Ferrante was told there’s no “there” there. Photograph courtesy of Anthony Ferrante
Four years ago, for an embarrassingly modest price, Russia pulled off one of the more audacious acts of election interference in modern history. The Internet Research Agency, the team of Kremlin-backed online propagandists, spent $15 million to $20 million and wreaked havoc on the psyche of the American voter, creating the impression that behind every Twitter avatar or Facebook profile was a Russian troll. Russian intelligence agents carried out the digital version of Watergate, infiltrating the Democratic Party and the Clinton campaign, stealing tens of thousands of emails, and weaponizing them in the days and weeks before the election. Russian-based hackers tested election websites in all 50 states for weak spots, like burglars casing a would-be target. “The Russians were testing whether our windows were open, rattling our doors to see whether they were locked, and found the windows and doors wide open,” says Sen. Mark Warner (D-Va.), the top Democrat on the Intelligence Committee. “The fact that they didn’t interject themselves more dramatically into our election was, I think, almost luck.”
Did Russia’s hack-and-leak operation and disinformation blitz tip the election to Trump? Kathleen Hall Jamieson, a communications professor at the University of Pennsylvania, argues in her book Cyberwar that Russia helped Trump win, but the debate over that question rages on to this day. What’s not in doubt, however, is how unprepared and vulnerable the U.S. was.
We can’t say we weren’t warned. European allies raised the alarm for years about Russian aggression and cyberattacks in Estonia and Ukraine on internet infrastructure, election-reporting systems, and the power grid. In the spring of 2015, a panel of experts testified before Congress about “Confronting Russia’s Weaponization of Information.” One of the witnesses was Peter Pomerantsev, a propaganda expert who experienced President Vladimir Putin’s war on truth and reality from the inside as a Russian TV producer. In the post-Soviet global order, Pomerantsev explained, Russia’s leaders knew they couldn’t compete militarily or economically with the West, so they needed “revolutionary powers and asymmetric responses,” as one Kremlin official put it. Russia’s mastery of propaganda dated back to Stalin, but under Putin’s leadership, the country adapted these tactics for the digital era. It would wage an information war on Western democracies. “We always ask, ‘What does Putin want?’” Pomerantsev testified. “He sees the 21st century that is going to be like this — endless subversion, disinformation, economic manipulation — and he might be right.” He went on, “This is permanent war.”
Any member of Congress who heeded Pomerantsev’s warning would have seen Russia’s 2016 interference coming. But only five or six out of 44 lawmakers attended the hearing. C-SPAN didn’t bother to show it.
We were, in other words, caught with our pants down. Four years later, the Russians are more crafty than ever. According to recent reports, they’re now using encrypted communications and recently hacked the Ukrainian natural-gas company at the center of the Trump impeachment scandal to potentially find damaging material about the Biden family. Other foreign nations, including Iran, North Korea, Saudi Arabia, and China, are getting in on the act. They’ll be joined, analysts say, by domestic actors — American consultants and candidates and click merchants borrowing and adapting Russia’s tactics to influence an election or make a quick buck. “The most important piece that I tell everybody,” Ferrante says, “is now that it’s been done once, everybody can do it.”
Are we prepared going into the 2020 election? After seven months of reporting, interviewing more than 40 experts as well as current and former government officials and reviewing thousands of pages of records, the reality is this: We’ve made progress since the last election — but we’re much less secure than we should be. To use Sen. Warner’s analogy, the windows and doors are no longer wide open, but the burglars are more sophisticated, and there are a lot more of them than there were four years ago. They may try to break into our voting systems; they may push online propaganda to merely create the impression of an attack as a way to undermine our faith in the electoral process. “The target is the minds of the American people,” says Joshua Geltzer, a former counterterrorism director on the National Security Council. “In some ways, we’re less vulnerable than we were in 2016. In other ways, it’s more.”
Nearly every expert agrees on this: The worst-case scenario, the one we need to prepare for, is a situation that causes Americans to question the bedrock of our democracy — free and fair elections. If such a catastrophe occurred and the integrity of a national election came into doubt, Michael Daniel, the former cybersecurity coordinator in the Obama White House who now runs the Cyber Threat Alliance, isn’t sure the country would ever be the same. “How do we deal with that?” he asks. “How do we recover from that?”
Each morning, Kammi Foote gets in her car and begins her 40-minute commute to the front line of an invisible war. Foote lives and works in Inyo County, a vast expanse of eastern California snug along the Nevada border, home to the lowest point in the continental U.S. and the highest, with the hottest recorded temperature in the nation and some of the coldest. There are as many square miles — 10,000 — as there are voters.
In a small county like Foote’s, local public officials tend to wear many hats. As Inyo County’s clerk recorder and registrar of voters, Foote issues birth and death certificates, officiates 50 or so weddings a year, and oversees elections. Voting is like a religion in her family. As soon as she turned 18, she got her voter registration card and volunteered as a poll worker. Her parents used to call her every Election Day to make sure she’d voted; when she got elected in 2010, her family couldn’t have been prouder. Running the election was now her job.
She realized that her job was about to change in a dramatic way when an FBI agent contacted her in the fall of 2016. The agent asked Foote if she’d seen anything suspicious related to the upcoming election. Was something about to happen, she wondered. Were her local elections under attack? When she asked for more details, the agent wouldn’t confirm anything. Even if there were an issue, he said, he couldn’t share that information because it was classified. Foote’s first call with the FBI left her more confused than ever.
Democracy in Danger: The worst-case scenario, according to experts, is one that causes Americans to question the bedrock of our democracy. “The target is the minds of the American people,” says a former counter-terrorism head of the NSA. Photo credit: Jahi Chikwendiu/The Washington Post/Getty Images
Inyo County is one of roughly 8,000 jurisdictions in the country that administer elections. The distributive and localized design of the American system has long been seen as an asset: There is no central database or voting system to attack, no uniform set of voting software or polling-place equipment. Someone planning a widespread attack on U.S. election infrastructure would, in theory, have their work cut out for them.
The 2016 election flipped that logic on its head. The possible compromise of a few counties in a razor-thin race was enough to create doubt, if not inflict real damage, on voters’ perception of the election — and in the age of social media and the instantaneous flow of information, perception was reality. Classified documents leaked by NSA whistleblower Reality Winner revealed that Russian hackers tried to do just that, targeting a voting software company called VR Systems and local government offices right before the election. Today, thousands of county and state election offices are prime targets that need protection. “People will say the way we vote is so distributed and diverse and that makes it more resilient,” says Ferrante, the former FBI cybersecurity expert. “But it also introduces a lot of risk and creates a much larger attack surface.”
What makes things complicated is that the federal government traditionally leaves the running of elections to states and municipalities. When the Obama administration considered designating voting equipment as critical infrastructure, like power plants, dams, and highways, in the fall of 2016, a small but vocal group of state and local election officials saw a federal takeover in the works and resisted. A few months later, Brian Kemp, a Trump ally who was then Georgia’s secretary of state and governor-elect, accused DHS of trying to hack into his state’s voter registration database. (This was false.) Not until January 2017, in the final days of Obama’s presidency and after the intelligence community published its conclusion that Russia interfered in the 2016 election, did state officials agree to a critical infrastructure designation. Congress soon passed a bill to create the Cybersecurity and Infrastructure Security Agency at DHS to help county clerks and secretaries of state protect election infrastructure. “We went from an environment in 2017 and the beginning of 2018 where quite literally states are accusing the Department of Homeland Security of trying to hack them to having relationships with all 50 states,” says Matt Masterson, a DHS cybersecurity adviser.
Experts who study election systems in the U.S. say many flaws remain. Some counties and states still use outdated voting equipment and insecure election software: At the 2018 DEFCON hacker conference, an 11-year-old hacked into a copycat version of Florida’s state election website and changed vote totals in less than 10 minutes. Only three states conduct mandatory, scientifically rigorous post-election audits to ensure the final vote count is accurate. “We’re still in a situation going into 2020 where there are significant gaps left in the security of election infrastructure,” says J. Alex Halderman, a University of Michigan computer science professor who studies voting equipment. “Until we ensure that all of the doors are locked, there will be ample opportunity for foreign adversaries to disrupt or, in the worst-case scenario, change the outcome of close elections.”
And the federal government is in no hurry to fill those gaps. As Halderman likes to say, there are more federal guidelines and requirements on whiskey and plastic bottles than voting equipment. While Congress has funded nearly $900 million in election security in the past two years, it let states spend the money however they pleased. “We would never say to our power grid companies, ‘We’re not going to have any rules of the road at all — you just self-regulate,’” Sen. Warner says. “Money without some requisites means states could print bigger ‘I Voted’ stickers instead of actually improving their systems. That’s a huge error.”
Local election officials like Kammi Foote find themselves thrust into a global battle without borders, clear enemies, or rules of engagement, a daily struggle to protect the integrity of elections and to reassure Americans their democracy is safe. Foote’s relationship with the feds has dramatically improved since the FBI first called in late 2016. Inyo County is now part of an information-sharing network backed by DHS that pushes out technical alerts. Foote says she and her team receive intel about new threats almost every day. Twenty-four hours after a U.S. drone strike killed Iran’s top military general in early January, DHS briefed election officials on potential retaliatory cyberattacks by Iran. Another DHS tool, called an Albert sensor, alerts her IT team to malware attacks. Foote knows who to call at the FBI or DHS if an attack happens.
Foote says she’s never felt more prepared for protecting her small slice of the vote in November. But she also recognizes there’s only so much she can do. The number of personnel in her office hasn’t grown since the mid-Nineties, and the local board of supervisors recently denied her request for an additional election staffer dedicated to cybersecurity. She worries about ransomware, a form of attack employed by hackers to infiltrate a network and lock out users from their computers or phones until they pay to regain access. A December 2019 confidential alert by the FBI obtained by Rolling Stone said reports of an especially vicious type of ransomware attacking municipalities, called Ryuk, had recently spiked by 400 percent. Foote says she’s troubled about what would happen if a ransomware attack happened during an election and interfered with her ability to do her job.
“I’m the person who’s supposed to be defending against these nation-state actors,” she says. “It’s not that we’re not up to the task. But there are certain things we are unable to defend against. When someone has unlimited resources, they have unlimited power to try to find vulnerabilities in the system.”
On the eve of the 2018 midterm elections, a strange website appeared out of nowhere with an ominous message. Claiming to be the American division of the Internet Research Agency, the Kremlin-backed disinformation factory, the site said the IRA had thousands of Facebook, Twitter, and Reddit accounts pushing propaganda as well as “allies and spoilers” embedded in various campaigns. The website then posted a list of all Senate races and said the outcome was already decided well before all votes had been cast. It also published a spreadsheet that listed dozens of social media accounts that were supposedly part of the IRA’s campaign to disrupt the midterms. There were obvious errors in the list of “rigged” elections — Sen. Jeff Flake (R-Ariz.), who had announced his retirement, was listed as winning — but the social media accounts looked real, from Jordan Peterson fan pages to Instagram accounts named “Redneck Army” and “Proud to Be Black.”
The point of all this, it seemed, was to cast fresh doubt on the midterms. “We control the voting and counting systems,” the supposed IRA statement read. “We are choosing for you.”
Only it didn’t work. By the time the list of social media accounts was released, most of the accounts were inactive. Acting on a tip from the FBI a few days before the election, Facebook had investigated and removed the suspicious accounts.
Heading into the 2016 election, the major tech companies either pretended the disinformation problem didn’t exist or that there was nothing they could do about it. Foreign influence operations ran wild. An infamous example was the IRA-run Twitter account @TEN_GOP, which was apparently registered to a Russian cellphone number. “It was the Wild West,” says Ben Nimmo, director of investigations at Graphika, a social media analysis firm. “Across the major platforms, they had very broad latitude to get away with stuff.” Mark Zuckerberg denied Facebook had a Russian interference problem even after the election — until his company did its due diligence and Zuckerberg was hauled before Congress and apologized.
On the Front Lines: Since 2016, Inyo County Clerk Kammi Foote has been on guard: “It’s not that we’re not up to the task. But there are certain things we are unable to defend against. When someone has unlimited resources, they have unlimited power to try to find vulnerabilities in the system.” Photo credit: Michele Hartshorn
“In 2016, we missed the threat and weren’t ready,” Nathaniel Gleicher, Facebook’s director of cybersecurity policy, tells me during an hourlong interview at the company’s sprawling D.C. office. Gleicher joined Facebook in early 2018 and built a team to combat disinformation that numbers several dozen people worldwide. Facebook’s new rules have led to a dramatic increase in the number of takedowns — from one in 2017 to more than 50 in 2019. By the midterms, the three biggest social media platforms — Facebook, Twitter, and Google, which owns YouTube — had created internal teams devoted to rooting out disinformation and influence operations. Gleicher mentions the “IRA in the USA” takedown as an example of the level of cooperation between government and tech companies that didn’t exist four years ago. “That is a really good sign of how things have changed,” he says.
Yet in the ways they’ve chosen to police their platforms, the tech companies have left plenty of openings for disinformation to spread. In Facebook’s case, Gleicher says the company has chosen to root out bad actors — whether they’re Russian trolls, e-criminals from Iran, or clickbait profiteers here in the U.S. — not by the content they post but the behavior of the people running the accounts. The company looks for what it calls “inauthentic behavior,” which includes creating fake accounts, masking the true identity of the person or group operating a Facebook page, and using a network of pages in close coordination to game Facebook’s algorithm and reach a larger audience. “We have articulated a set of behaviors that are deceptive, that mislead users, and that violate our policies,” Gleicher says. “At its core, it doesn’t matter who’s doing it. It doesn’t matter what content they’re sharing. It doesn’t matter what they believe or don’t believe.”
But that position relieves Facebook from any obligation to police much of the content that appears on its platform. (The company has strict policies for hate speech, terrorist propaganda, and other dangerous material.) And Congress has yet to act, despite lawmakers offering a slew of proposals to regulate social media companies and rein in disinformation, foreign and domestic. One proposed solution is treating social media companies like TV stations, with the same rigorous transparency rules. Another would make tech companies liable for certain types of content published on their platforms. Right now, Facebook is under no such obligation to remove a misleading ad or meme if it doesn’t violate the company’s behavior-centric guidelines.
Facebook’s critics call this a cop-out, and the company’s announcement last year that it would not fact-check ads by elected officials and political candidates even if they contained blatant lies only fueled that criticism. These critics say the company is afraid of angering conservatives who are quick to cry censorship (despite no evidence to back them up) while putting the billions to be made in political advertising