July twelve, sixteen started out as just another day for Matt Emmons. At the time, Matt was an IT technician with the Illinois Board of Elections, and just as everyone in the office was getting settled into the workday, I think it was about one of his colleagues noticed something strange with the state's voter registration system. It essentially was at a dead stop. You couldn't do anything. So Matt's colleague went about troubleshooting and found that the server
hosting the voter database was running on overdrive. Something was jamming the system, so he took a look at the requests coming in. What's normally a trickle of orderly requests like five times per second was suddenly more like a flood. It was shortly after that that I believe I got called over there. It didn't take long for Matt's team
to realize they were under attack. Within an hour they found and fixed the security hole that the hackers used to get into their system, and then for good measure, they took the whole system offline while they started looking for the culprits of the hack. Breaking news out of Washington, twelve Russian intelligence officers indicted. Today, we now know this is part of Russia's attempt to meddle with the sixteen elections here in the United States, which of course has
dominated our headlines. Ever sank into and while we continue to talk about what happened back then, the next election is just around the corner, facing off government backed hackers from Russia, Iran, North Korea, and even China. Are states and municipalities ready for the next one? Am Ito, you're listening to Decrypted. Stay with us. So, Kartikay, you are a cybersecurity reporter here at Bloomberg, brand new to our tech team. Welcome to the show. Thanks so much. You're
just getting started on an incredibly complicated beat here. I am. It's been about a month. I am totally overwhelmed, and I think I think I should be, because there's just so much to understand in the world of cybersecurity. Um, there's so many threat actors that pose risks to companies
and states and political parties. Fortunately, my focus will be on election security and so I can narrow down my attention reporting on that, and hopefully we'll have a lot of interesting conversations to have in the weeks to come. So this is the thing that you're going to dedicate the next year to? The next year. I hope to be your guy on election security. For our listeners who don't quite remember all of the details of what happened
back in and this actually includes me. Can you go over what Russian hackers actually succeeded in doing back then? What they succeeded in most was disinformation and we're going to set that aside. What we're going to talk about are the three major hacks of election systems in the United States. We are learning more about the hack into the Democratic National Committee, including the first was of the Democratic National Committee, which I think everyone knows the most
about. On the eve of the convention, WikiLeaks released thousands of emails from the time. There are a number of emails in which senior officials can be seen conspiring against Bernie Sanders, the chair of the DNC, Congresswoman Debbie Wasserman Schultz, has announced her resignation. It comes after those leaked emails. We actually ran an episode about this three years ago, so our listeners are well versed, very good. The other two hacks they may not know as much about.
Just in: Governor Ron DeSantis now says Russian hackers gained access to voter databases in two Florida counties ahead of the presidential election. The first one is Florida, which nobody knows much about. The DHS and the state officials have been secretive about this one. The governor can't say the names of the counties involved because he signed a confidentiality agreement with
the FBI. Hackers sent phishing emails to county officials. Two of them clicked on the links and allowed Russian hackers access to their database. All we know is that votes weren't changed. Then there's Illinois, which you know a lot more about because they've been forthcoming about what happened. And briefly, what happened was that in the middle of June of two thousand sixteen, hackers found an unlocked door in the voter registration database, got in and downloaded as
much information as they could. After three weeks of unloading and trying to change information, they said, Hi, Illinois, we've been here all along, and they shut down their system. This was the thing that Matt Emmons and his colleagues
discovered all the way out in July. That's right. So three weeks after they got in, in the middle of July in two thousand and sixteen, Matt Emmons and his colleagues discovered that Russian hackers have been in their system all along, trying to gain access to social security numbers, driver's license numbers, names, addresses, phone numbers, anything related to
your voter registration information. They found that seventy six thousand people's data had been accessed by Russian hackers in a way that they could relate these data points to actual people. And do these people know who they are? They do. So they all received notifications in the mail shortly after the hack informing them that their data had been compromised. Nothing that's followed indicated that Russia did something with these names,
but they do have the information. But they do have the information, that's right. So Illinois says nothing happened. No data was changed because Russian hackers only had read access to the data. They could download as much of it as they wanted to, but they couldn't actually change anything. They didn't have write permissions. The Department of Homeland Security told the Senate Intelligence Committee earlier this year on the report that we saw that they could have done more,
and they stated, quote, why they didn't is an open-ended question. Yeah, it's weird. If if they were able to go further, why wouldn't they? The answer to that is pure speculation, both on my part and the Department
of Homeland Security. They don't know the answer. But the worst case scenario there is that they were seeking intelligence for the future so that next time they really want to access a database and change something they know how to, or that they were there to drop secret malware that they can trigger in the future when they want to. Officials on both the federal and state level believe that
there is no malware in the Illinois voter registration database. Theoretically, if hackers decided to do more than just download names and addresses from the voter database, if they actually made changes to that database, what could they do? Because this is different from going into the voting machines, for example, and changing the ballots themselves. So the worst case scenario here is that when you arrive to vote, the poll book that has all the voter registration information wouldn't match
up with your own information. You couldn't verify that you are the person who registered to vote, and you may not be able to vote immediately, or you may have to cast a provisional ballot that might be verified and might not in the future. And why would hackers from, say, Russia want something like that? Well, there's a couple of reasons. One, it's a form of voter suppression. There might be fewer ballots cast if the registration system has been altered. B, you sow mistrust in the election system.
There are fewer people coming out to vote if they believe that even by registering to vote, when they arrive they can actually vote or vote in the way that they expect to. So they're creating roadblocks and mistrust in democracy. So what is Illinois doing this time to better protect
their systems? So all states got a portion of million dollars from the federal government in grants and they match that with a small portion of their own, So thirteen million in federal funds and five million from the state to hire a new staff. The biggest hiring push has been in a program called cyber Navigators, which is probably the coolest name in election security since in the it
is kind of nerdy election security as Canton nerdy. So they've spent a large chunk of change hiring these nine cyber navigators who oversee different pockets of Illinois, and a lot of these counties don't have much IT support, so these individuals are meant to be the front lines for these counties and ensuring that any vulnerabilities that currently
exist are plugged. So they're going to go through cycles of assessment between now and over and over again to ensure that there are no new vulnerabilities between now and an election day. Are they doing anything else? Illinois has a couple of things going on. They have what are called Albert sensors installed. They allow both state and federal officials to monitor Illinois voting apparatus, so if there's any outside infiltration, both the state and the Department of Homeland
Security will know and should be able to respond. They also have the National Guard on call. And what does the National Guard do? The National Guard is available in the event of a hack on election day, so if a remote county in Illinois is infiltrated, the National Guard can call on their cyber warriors to get in a chopper and fly to DeKalb County to respond to any hack to protect the integrity of the election. We'll be
right back. So before the break, Kartikay, you walked us through the different things that Illinois is doing to better protect itself. It actually sounded like quite a bit to me. I guess the big question is will that be enough? I talked to a lot of people in the last month and a half and it's a little more complicated than just yes or no. One expert I talked to is an analyst at FireEye. His name is Luke McNamara.
I think you have with the states and many of them playing catch up with the resources they have, and I think it's a very difficult place to be in when trying to reach a more proactive footing to deal with this threat. As the threat evolves, are these states in a perpetual cycle of playing catch up? I think some are are putting the right resources in place, that putting the right investments in place. But it is a very difficult problem to address, uh. And there's there's some
amount of irony here in that. A lot of the threat vectors, a lot of the methodologies that we see, even some of the more advanced threat actors utilizing, are
very simple in nature. When we look at how the majority of intrusions begin, the majority of attacks begin, they begin with spear phishing for the most part, and I think even helping those county clerks, those election administrators understand how to look for signs of spear phishing and how to identify that that I think can pay dividends and that doesn't necessarily need to involve the deployment of expensive technology.
By the way, Luke's employer, FireEye, is helping at least fifteen states along with municipalities and counties, the bigger counties that can actually afford to pay FireEye prepare for And so we just heard Luke talk about spear phishing. This is when hackers send county officials an email with an attachment, something like a click here. Exactly. They shouldn't be clicking, but when they do, they allow the infiltrators access to their networks. So FireEye is trying to
make sure that county clerks aren't clicking. One of the other things they're doing is offering intelligence to local officials about their attackers. FireEye believes that the best way to prepare for an adversary is to understand your adversary, to know exactly why they want to infiltrate your system
and how they'll do it. I think certainly Russia, from what we've seen UM they are have shown themselves to be the most aggressive and going after democratic institutions and processes, and I think as a result, it's very important for us to pay attention to what we see, particularly with European elections between now and UM. But I think that maybe more hasn't been said about that there are other
threat groups that are active in the space. We've seen China target elections in Cambodia last year, certainly the case probably as well for Iran. What's at stake when we talk about election hacking? Are you worried about hackers hijacking election results? Are we talking about the credibility of results? Or is it something else altogether? Yeah, I think in many respects it's the activity that falls short of actually compromising votes
that concerns me more. Um, they could do a repeat of what we've seen them do in Ukraine in previous years, where they compromised the Central Election Commission website and then posted out erroneous results. None of the actual results themselves were changed, but it was sufficient enough to cause some people probably to question what is is really real in
the situation. So I think those sorts of intrusions, those sorts of attacks, the sorts of disinformation campaigns that maybe fall short of actual compromising and deletion or destruction of voter data, but can still be effective at causing confusion. Those are things that we should heavily consider and be prepared for. Okay, so to sum it up, the good news is that we now at least know to prepare
for this, which is a big step. And we also know that the hackers gained access in pretty simple ways, which means the defenses could be pretty simple too. But then the bad news is that the hackers might step up their game this time, and there are now more potential adversaries than just Russia. Does that sound like a good summary? That's about right, and that's probably pretty daunting on its own. But that's only part of the problem.
And so I called Illinois Governor J. B. Pritzker I riser Governor Pritzker Good afternoon to talk through the other challenges he's facing. And the biggest one is probably the fact that he's trying to solve a federal security crisis on a state budget. It's a national security issue, um, and the federal government should be at the forefront. And I'm finding, at least for our state, that the state is at the forefront and the federal government is there
for uh less than the leadership role. I'm not viewing myself as dependent upon Washington, D.C. I would say the states would like more help, and we are. Um, you know, we've expressed that. By more help, is he talking about federal money? Yeah, he wants Congress and the Trump administration to approve new grants to give to states. So far, Illinois received thirteen million dollars in two thousand
and eighteen. They matched five million of their own. But what they really say they need is a hundred and seventy five million dollars to gut their election apparatus and build a system they believe is safe and secure, not just for but for the future. So that's a major shortfall. There's a massive gap in what they have and what
they need. And so aside from the shortfall and resources to rebuild the state's election infrastructure, state and local governments also don't have the money to hire the best engineers
to protect their systems. Look, think about what someone like Ron Guerrier, with his background, was probably earning in the private sector. Ron Guerrier, by the way, is the state's Chief Information Officer and the Secretary of Innovation and Technology. And so he used to be the CIO at Farmers Insurance and Toyota of North America, and then in Illinois the, you know, the salaries, which are published. So I'm not revealing anything that isn't publicly out.
Got a salary that we're offering to a CIO is in the neighborhood of a hundred and seventy thousand dollars a year. And I don't think that typical salaries that are offered for chief information officers or chief information security officers for state government are commensurate with being competitive in any way with the private sector. Do you get the sense that the governor thinks Illinois is ready nonetheless?
I don't think the governor of Illinois is going to put a target on his back and say, we're not prepared to come hack us, please please come hack us. No. Now, I think I think, uh, they've hired some some good people with their limited resources. The IT technician with the Illinois State Board of Elections, Matt Emmons. What's he
doing today? He's running the IT Department for the State Board of Elections, and they are working with the Department of Homeland Security and their own internal staff to pepper their system with tests to ensure that there's nobody in their system now who shouldn't be, and there's no malware in their system now. He spent the last month and a half reporting on this topic. Is America ready for?
It's so hard to say is America ready for? Because the truth is that you have fifty states and all the counties within those states that are now tasked with defending the integrity of the presidential election. Is every county ready? We certainly know that Illinois has done everything they can in the last three and a half years to prepare for, but there's all these smaller swing states and counties that may not have the resources that a big state like
Illinois has to prepare. The DHS is traveling the country to inform these and educate these county clerks, but to what extent are they going to take action to respond? And so is the entire country ready? Probably not. But there's time between now and November, and everyone with a stake in the game is probably doing everything they can to prepare. Kartikay Mehrotra, thank you for your story today.
Thank you for having me. Decrypted is produced by Meat and Ethan Brooks. Emily Biuso and Anne VanderMey are story editors. Francesca Levy is the head of Bloomberg Podcasts. We'll see you next week. No Came.