Cybersecurity Expert: What the Media Miss on America’s Election Risks

As the U.S. presidential election inches closer, fears of interference and security threats are reaching a crescendo. David Mussington, Director of the Center for Public Policy and Private Enterprise at the University of Maryland, where he teaches cyber policy issues and risk management, joined the Institute for New Economic Thinking to discuss what’s needed for a safe and fair election. Mussington, a leading expert on cybersecurity, critical infrastructure protection, and cyber risk management, has previously held leadership roles on the White House National Security Council staff and at the Office of the Secretary of Defense, as well as in the private sector. He analyzes where the biggest election threats lie and what media reports may be missing.

Lynn Parramore: Before we dive into the current scene, let’s start with a brief bit of history. Historians point out that from the beginning, America has wrestled with the challenge of fair and transparent mass elections. How have the challenges transformed in the Internet Age?

David Mussington: The incidence of risk is the biggest change since the onset of the Internet Age, which I date to a little after the year 2000, or even a little later, when cheaply available smart phones became a fixation. The ability to compromise an election system at a distance becomes the biggest concern, I think. The notion that remote access to network election machinery can be undertaken without easy detection, and can be undertaken for long periods of time without detection, is the biggest differentiator from the past.

Bush v. Gore in 2000 was the first time that you got massive notice of the fact that we use vulnerable technologies in elections. In fact, it’s kind of a perverse story, because we had a technology failure (the whole “hanging chads” on punch card ballots issue) that led to people thinking that using newer technology to solve that failure would, in fact, make things better.

What followed was the introduction of a generation of Direct Record Electronic (DRE) technology that actually, I think, made things qualitatively worse because you had the deletion of paper records for elections in a number of states. So, in a sense, a technical flaw creates the appeal for a technical fix — which creates its own new flaws.

LP: What kinds of threats to the 2020 U.S. election worry you, and how is this year different from 2016?

DM: What we saw in 2016 is back in at least equivalent or worse form. What’s also true, however, is that we are more prepared. We have federal, state, local, and commercial defenses and risk mitigations in place that allow to fight against intruders, sometimes successfully.

Recently, there were some indictments of Russian cyberoperators who were part of the so-called “NotPetya” attacks on transportation infrastructure a few years ago. Well, the same attack groups were present in 2016 in our election.

It’s important to recognize that hackers are present and have been detected this 2020 cycle against our infrastructure, and that Microsoft has attributed their presence, in addition to the presence of cyberoperators from China and Iran as well, both probing infrastructure for vulnerabilities and playing the disinformation game, which was really the differentiator in 2016.

Additional things we have are Facebook and Twitter facing actions against threats that were theoretically present in 2016 – misuse of access to Facebook’s API (application programming interface) to enable fine grained targeting of subgroups in the U.S. electorate for deceptive and divisive messages designed to promote discord and potentially, violence.

LP: You’ve discussed the dangers of disinformation and opinion manipulation on social media platforms like Facebook. How does one sort out foreign from domestic threats?

DM: It depends on one’s perspective. If one wants to defend high-integrity access to the ballot and a free, clear, and open civil discourse on U.S. politics where facts can be exchanged, then you don’t necessarily have to differentiate between the two. What we want is authentic speech from identified sources that have some credibility. Obviously, our constitutional protections on speech ensure than anybody can say almost anything as long as it isn’t injurious to someone — financially or in terms of safety.

Relative to foreign threats and disinformation campaigns associated with foreign intelligence services, we have a national strategy which states that we want to prevent these activities from influencing our politics. U.S. Cyber Command(CyberCom), the National Security Agency (NSA), and others are active in attributing causation of foreign behavior and countering it in the ways available to them, using open source information so that you can tell who’s who without compromising sensitive sources and methods.

Over the last few weeks, we saw CyberCom and Microsoft’s combined action in the takedown of Trickbot [a malware network used to steal sensitive data thought to pose a threat to U.S. elections]. We’ve seen other cases, such as 2018, when the [Russian] Internet Research Agency was targeted prior to that election. We have a national policy that says we are going to interdict these efforts of foreign-origin disinformation activities designed to interfere in our political system. Now, there are obviously foreign actors who can mimic being Americans. That’s sort of become a fixed feature in our elections. For domestic actors, you want to identify legitimate speech and those who want to manipulate. Politics being what it is, campaigns and advocates are free to dissemble and shape messages to appeal to their supporters. Not much can be done about that. For foreign actors – the small number of nation states identified — you need to use all source intelligence to effectively direct countermeasures.

LP: Do you see domestic disinformation threats as significant on social media this time around?

DM: I do, but I see it as a little bit more nuanced than what is typically reported on. Conspiracy theories like the QAnon conspiracy generally displace factual reporting and factual exchange online, making it more difficult for citizens to judge a fact from a rumor. Reporting on QAnon and reporting on conspiracies also sort of provoke or encourages a both-siderism that I see as a real sort of impairment of the quality of civil discourse. This is something that predates 2016, but that appears to be worsening since then.

LP: Since 2016, states have been taking steps to boost election security. They can also get assistance from Albert, the Department of Homeland Security (DHS)-controlled Intrusion Detection System, designed to provide network security alerts when malware is detected and to monitor malicious traffic. Interest in the system increased dramatically in 2017 and it’s now used in 50 states. How effective is Albert?

DM: The question is, what are one’s expectations? I think that as far as detecting behavior on networks that support voter registration, it’s quite good. But all it does is log behavior. It doesn’t do anything else. It provides data for other people to do things like attribute behavior based on cyber and other information. It doesn’t name names. It doesn’t attribute to foreign actors or anything else. So, the Intrusion Detection System is a basic approach to networks and other infrastructures that’s kind of proven as a way to track basic behavior. It isn’t the same as automated defenses, which we don’t have. Automated defenses could take the form of a blocked list of IP (internet protocol) addresses from which network connections would be refused. This functionality is already built into commercial intrusion prevention systems – and is a logical next step in election infrastructure defense.

There’s a constitutional problem with the latter option, however,because the federal government doesn’t really have the authority to go and impose defensive requirements on all states.

LP: As a native of Canada, how do you compare the U.S. election system with that of your home country?

DM: I’ve lived in the U.S. since 1991, so my perspective is probably no longer authentically Canadian at this point, so I apologize for that. But I think that elections here are more complex because we simply have more frequent and numerous elections. The U.S. has ballot initiatives, which are rare in Canada. The U.S. also has more complex ballots, because we have all sorts of issues and questions that we decide through elections. We also have different partisan divisions.

Canada has a national election agency that runs its elections, but we don’t. Canada also has a parliamentary system rather than a congressional/ presidential system that we have, and in Canada, voter registration, per se, is not required because if you’re a citizen and a resident, then you’re on the voter rolls. In Canada, ballots are such that if you have a pencil and you fill in a black circle, you’ve voted for your member of parliament or your member of legislature, and that’s it. So, the system is simpler and delivers results more quickly. Usually a Canadian election could be decided on the night that the polls close. Whereas in our country we have a much more litigious system, a more porous system, perhaps a more democratic system — but certainly a more chaotic system.

LP: America has a fraught history with equal access to the ballot and the targeting of minorities for voter suppression. How do you see the U.S. compared to other wealthy industrial countries like Canada in this regard?

DM: I don’t think there’s really a comparison between the U.S. and Canada. In Canada, we do see linguistic and cultural appeals in elections – for example, the French speaking population in Quebec (and elsewhere) is often appealed to by people who are nationalists. In other parts of the country there are certainly ideological splits, but they don’t really reinforce along racial lines, with the exception of First Nation people in the north who have an experience which reinforces those cleavages.

The racial animus in U.S. elections is fairly unique in North America, I think – and complicates resolution of disputes. In Canada, for example, there is fairly independent drawing of constituency lines. It’s not completely apolitical, but it’s much less political than the U.S. process, where if you have a majority in the state legislature, you can jerrymander your way to some very odd-looking constituency lines. That doesn’t really happen outside the United States at all.

LP: How do you view regional variation in American election security? Where do you see things done right?

DM: I happen to think the Colorado system and the Oregon system are sort of “best of breed” to the extent that we have those in the United States. They allow multiple opportunities to exercise your voting rights. They are safe. They are mail-in heavy. They provide much higher turnouts. They have zero or very low levels of fraud. There are allegations from certain political parties right now, but these systems work relatively well and have a decade or so pedigree and they deliver results quite quickly. Regionally, there are very clear historical situations where access to the ballot has been impeded sometimes and that’s a security challenge. So, if you want a sort of rough order judgment, I think the states that used to be under the supervision by the Department of Justice under Section V of the 1965 Voting Rights Act tend to be the more challenged in terms of security.

LP: You’ve noted recently that U.S. elections are at risk in ways that many in the media don’t necessarily understand or feel comfortable communicating. Are we getting the full picture of the risks from the media?

DM: I think we get a picture of the risks from the media that tends to be a little bit shrill, a little bit crisis-oriented, which leaves aside the more endemic, the less sexy risk factors. I think the biggest threat to U.S. elections is the lack of uniformity in security practices. Yet that’s a very boring cybersecurity notion — how to secure a critical infrastructure. I put it to you that prior to 2017, the elections weren’t even treated as a critical infrastructure! So, no one owned them at federal level. Now DHS does, but even now, election infrastructure, which is really voting infrastructure for the purposes of national policy, is inside the government’s facility sector, rather than a free-standing issue area.

That means there aren’t national infrastructure protection standards for elections. Federal authority is not complete anyway – it’s contested by the 10th Amendment and other constitutional restrictions on federal interventions. We don’t have a national election infrastructure strategy or budget. If we did, we might be in a better position.

LP: What other changes or improvements would you like to see if you could wave a wand?

DM: I might also create an agency that had the sole task of assuring election security that wasn’t the DHS. Another thing I would do is inject more dollars into research on election infrastructure cybersecurity as a special discipline of its own. There are details in the nation’s election systems that give them a special character. Engineering and architecture concepts for these special circumstances merit study and prioritized attention.

LP: We hear a lot about the threat of Russian interference in the media. How do you view that and other foreign threats to U.S. elections, such as those potentially posed by China, North Korea, and Iran?

DM: I would say that Russia is the most significant threat, because I think they have had experience and successes – the Research Internet Agency and others, Cambridge Analytica and others – that show structured, well-resourced programs that are savvy about the U.S. political system; and, have created mass mobilization on their behalf, through Facebook and Twitter and so on. That’s a special class of threat on its own.

The others tend to be more person-specific, for example, Iran’s alleged activity against the Trump campaign right now is much more focused on Donald Trump as a candidate than a systemic risk to the system. The Chinese seem more opportunistic. I think that they may be more interested in gaining information about candidates for use later. But the big systemic threat – the older threat, as we say in the trade, is really Russian. Once we show ourselves victimizable by Russia, others may pile on – the North Koreans, for example. Just to show you how this can work, the TrickBot botnet that was taken down by CyberCommand and Microsoft was actually used for cybercrime reasons by the North Koreans last year. So, these tools get used by multiple actors and it’s hard to attribute in those sorts of situations.

LP: When you wake up on November 3rd, what are you concerned about in the period ahead?

DM: I’m most concerned about whether the American peoplehave trust in the results. So less about what people do than what people believe about what’s happened. For example, I think we’re likely to get record turnout if you add in advanced votes through mail and people just showing up and voting in advance and in-person voting. I think that some people might think that’s a great thing—I probably will, but I think other people will say that means we have fraud, with people voting twice. That’s being said now, and I think it will be said after November 3rd. That could feed the propaganda of distrust that people already feel. My biggest fear is that the results will be rejected by some portion of the American people as illegitimate.

LP: You are known to be a science fiction fan, David. Any particular story on your mind right now?

DM: Actually, it’s less science fiction than it is science fact that’s fictionalized, if you’ll bear with me for a second. There’s an author named Peter Singer who writes about near-future cybersecurity from the vantage point of pure competition with foreign countries like China. It’s less about elections than the impact of technology on national security. He’s the one I read for a reality check on what’s likely in the next five years. That reality check means that more technology threats will undermine our civil expectations about the way things work.

LP: How optimistic are you that we can harness technology in a way that works for our democracy?

DM: It’s less a technological question than it is a business model question, I think. For example, even if we thought that we could prevent technology, like artificial intelligence or algorithmic decision making, from being introduced, the big developers of these technologies aren’t in government. They’re in the private sector. So how do we prevent abuse with those same technologies still being available in the private sector for business that we want to foster? I think there’s a real challenge of technological expertise being in the hands of those who don’t have the incentives to safeguard our democratic integrity.

LP: That makes me think of social media platforms like Facebook. It’s a business model based on a technology of targeted advertising which is easily misused by those who want to undermine our democracy.

DM: Right. The biggest problem there is that the techniques validated and perfected by Facebook can be weaponized effectively to manipulate opinion. In the past, many were skeptical that this was possible, but unfortunately, those techniques have been validated by very profitable businesses. So, the real challenge is not technological. It’s a public governance question of what Americans want in terms of their democracy. Do they want it to be a free and open public square? Or do they want one that’s woven with dysfunction like the current one we have?