Mystery of the Midterm Elections: Where Are the Russians?
WASHINGTON — Shane Huntley has seen every form of state-sponsored cyberattack, first as an Australian intelligence officer and now as director of Google’s most advanced team of threat detectors.
So when he was asked what surprised him the most about the 2018 midterm elections, his response was a bit counterintuitive. “The answer is surprisingly little on the hacking front, at least compared to two years ago.” He paused, and added: “And that reassures some people, and it scares some people.”
He is right. From the cyberwar room that the Department of Homeland Security runs round the clock in a bland office building in Arlington, Virginia, to Microsoft’s threat-assessment center at the other end of the country, in Redmond, Washington, every form of digital radar is being focused on Russia, especially its military-intelligence unit, formerly known as the GRU.
The National Security Agency, which failed to respond when Russian hackers were first seen inside the Democratic National Committee’s computer systems in the summer of 2015, has now taken to sending messages directly to Russian hackers, reminding them that they are being watched.
And still, the nervousness in all those places is palpable before Tuesday’s election. Some say they believe President Vladimir Putin of Russia is sitting out this election — the scrutiny is intense, the argument goes, and 470 House and Senate races make it just too hard for the Russians to figure out their interests, much less manipulate the outcome.
Still, others find the quiet deeply disturbing, perhaps a sign of a plan to make a last-minute effort to convince voters that their ballots might not be counted, or counted correctly.
“The Russians are too smart to run the same play a second time,” said Dmitri Alperovitch, one of the founders of the cybersecurity firm CrowdStrike, who was central to identifying the Russian military inside the DNC, touching off chaos in the Democratic Party. “If they were going to do anything in today’s environment, they certainly wouldn’t want to act until the very last moment.”
Whether a Russian change of tactics is unfolding is just one of many mysteries surrounding this first national election in the United States after the most sophisticated effort ever discovered to divide Americans, and ultimately seek to alter the outcome, by a foreign power.
If there is a lesson from 2016, it was that the U.S. was constantly taken by surprise — by the hacking of the DNC and prominent Democrats, by the publication of internal emails, by efforts to get inside the voter-registration rolls of 20 states. In 2018, there are new and different warning signs: The Iranians have shown up, and states and local governments have done surprisingly little to harden their infrastructure. The Chinese are players, but not in the ways that President Donald Trump and Vice President Mike Pence have suggested.
And the Russians haven’t exactly gone away. While there are few signs of pre-election intrusions into voter-registration systems, the social media campaigns never ended; some accelerated immediately after the 2018 elections. When the United States indicted Maria Butina, a Russian who was accused of running influence campaigns while an American University student, the government suspected Russian groups budgeted millions of dollars for continuing influence campaigns.
“We shouldn’t be surprised by any of this,” Huntley said last week at a Zeitgeist, an annual gathering of the company’s leadership and many of its customers outside Phoenix. “It’s like fighting the last war. When I was in the military academy, people told us all the next wars were going to look like the first Gulf War. They didn’t. And in cyber, the next war won’t look like 2016.”
So in the last days of the campaign, here are six points from the 2018 cyberpolitical battlefield:
In 2016, the Iranians were nowhere to be seen in the U.S. election process. This year, they showed up in such force that Facebook announced last Friday that it was taking down a series of Iranian posts, mostly, it seemed, to demonstrate that the company’s radar, switched off two years ago, is now on high alert.
Intelligence officials and cybersecurity companies say the Iranians mostly appear to be copying techniques that they learned from watching the Russians, especially in social media. But there is a twist: The Russians and the Iranians are clearly not in political agreement here. While both have sought to exacerbate political and social divides, the Russians clearly showed a preference for Trump as Election Day approached, according to the conclusions published after the election by U.S. intelligence agencies.
The Iranians are playing the other side. “They don’t like what happened to the nuclear deal,” said Yasmin Green, the director of research and development for Jigsaw, a unit of Alphabet, which is Google’s parent company. Speaking at a TimesTalks event held by The New York Times and Deloitte on Tuesday night in Washington, Green, one of the country’s leading experts on the uses and abuses of social media, noted that Trump’s withdrawal from the 2015 nuclear deal with Iran, and his reimposition of drastic sanctions, has made the Iranians determined to cripple him.
“Not only are they anti-this administration,” she said, they are “pro-liberal.” By comparison to the Russians, the Iranian hackers are still pretty unsophisticated and are largely inept at imitating down-the-street-neighbors when posting to Facebook and Reddit. One ad showed a frowning Trump, and declared him “The Worst, Most Hated President in American History,” the kind of extreme declaration one might expect of Trump himself. Others sought to undercut American confidence in the way Washington operates, by showing two men shaking hands above a conference table and passing money below it. (“We call it bribery — they call it lobbying.”)
The number of these posts appeared small — about 82 Facebook pages, groups and accounts — but they generated more than 1 million followers.
“It’s still early days and while we have found no ties to the Iranian government, we can’t say for sure who is responsible,” Nathaniel Gleicher, the head of cybersecurity policy at Facebook, declared in a blog. In other words, Facebook was making clear that this year it’s awake and the mass purges of deliberate misinformation, nonexistent in the 2016 cycle, will accelerate.
In 2016, the United States’ big mistake was failing to understand what had been happening in Ukraine. Every technique that Putin’s hackers — from the network break-in artists at the GRU to the producers of fake social-media posts at the Internet Research Agency in St. Petersburg — used in the U.S., they tested in Kiev and the Donbass, the separatist area where the Russians have stoked civil war.
So it is no surprise, said Tom Burt, the vice president for customer security and trust at Microsoft, that the most active battleground is, once again, Ukraine. In the Microsoft Cybercrime Center, a giant digital map of the world shows cyberattack activity, but the number of attacks is adjusted for the size of the population. Ukraine shows up in bright red. The United States, with 330 million people, or seven times the population of Ukraine, shows up in white, a sign of relative calm.
“We’re seeing activity in the U.S., but we’re seeing it at levels less than we saw in 2016,” said Burt, cautioning that Microsoft, with its network of machines using Office software and its Azure cloud computing services, is more likely to see hacking of accounts than social media activity. Still, Burt’s group alerted two senators last year that a hacking group long linked to the GRU had attacked their Capitol Hill offices, unsuccessfully. It was unclear if the goal was to affect their re-election campaigns or get into emails, because both sit on national-security-related committees. One of the senators was Claire McCaskill, D-Mo., who is considered highly vulnerable. Microsoft also detected intrusions on two politically conservative think tanks in Washington in August.
To get a sense of what is coming to the United States, Green and Jigsaw’s chief executive, Jared Cohen, a former State Department official, visited Ukraine in recent weeks and found that it was still Putin’s petri dish, a place where sophisticated new experiments were underway to deluge separatist parts of the country with disinformation before military actions and a presidential election next March. Ukraine is “always on the leading edge,” she concluded.
The question of China’s involvement was raised first by Trump and then by Pence, who said in a speech that “Beijing has mobilized covert actors, front groups, and propaganda outlets to shift Americans’ perception of Chinese policies,” and said a “senior career member of our intelligence community recently told me what the Russians are doing pales in comparison” to Chinese interference.
But Trump and Pence were borrowing the terminology of cyberattacks to describe something very different: Efforts by China to publish policy arguments, often in newspaper supplements that have been paid for by the Chinese government for years, to make its case. There is no evidence, officials and outside experts say, of the kind of hacking that Russia has engaged in, or even much social-media use. (In Asia and Australia, in contrast, the Chinese have been busy on social media.)
When three Democratic senators asked Dan Coats, the director of national intelligence, for an unclassified letter explaining what the Chinese were doing in the 2018 election, to truth-test the administration’s arguments, Coats avoided any potential contradictions with his boss by sending a classified answer.
“You can’t have it both ways,” said Sen. Ron Wyden, D-Ore. Coats, he said, “has an obligation to the American people to provide a public response to our questions, particularly since this is about America’s elections and the security of our democracy.”
If awards were handed out for most-bungled-election-machine-management, Texas would be a strong contender for the top prize. It’s just that the problem is the machines or the voters, not Putin’s hackers.
As early voting began recently, voters who hit the button to choose a straight Republican or Democratic ballot on a certain kind of machine — called a “Hart InterCivic eSlate” — had to wait a few seconds while the check marks filled in next to every name. For most voters, it worked fine. But if a voter touched a certain button and a click wheel, used to select individual candidates, the ballot could change. And there was no way for voters to see it changing.
Bad publicity followed, and Texas blamed voters who couldn’t keep their hands off the machines, which were decades old. But in these nervous times, the incident underscored how susceptible many election machines are to quirks. That is another reason that paper backup for electronic voting machines is so important, so that voters can look over their selections, and so vote-counters have a nonelectronic way of conducting a recount, if the machines cannot be trusted.
One would think that after all the concerns in 2016, states and counties would have raced to update their systems. “Most did almost nothing,” said Douglas Lute, a former U.S. ambassador to NATO and Army general, who has taken up the cause of reforming the election infrastructure. The $380 million that Congress allotted recently mostly went to funding assessments of vulnerabilities.
Yet while states and counties made changes, New Jersey, Delaware, Georgia, South Carolina and Louisiana still use no paper backup, and parts of Pennsylvania, a vital swing state, do not either. That has not changed since 2016, and it is unclear that it will be solved by 2020. The vulnerabilities of voting machines have gotten a lot of attention, especially at the Def Con conference over the summer in Las Vegas, which drew 25,000 hackers. At the conference’s Voting Village, it took an 11-year-old just minutes to hack into a voting machine using a simulation of Florida’s system. The machine’s manufacturers called it a stunt, noting that physical security of the machines at Def Con was nonexistent. Still, the speed of the intrusion was impressive.
Almost all voting machines in the United States are offline and come in many varieties, making it hard to hack them unless you are sitting in front of the machine. But the computers that prepare the ballots are not, and at the conference, J. Alex Halderman, a University of Michigan professor who has published devastating work on the vulnerability of voting machines, held a mock vote that pitted George Washington against Benedict Arnold. Thanks to manipulation of the ballot software, America’s most famous traitor trounced the man who was, until the software was rigged, first in the hearts of his countrymen.
That is only part of the problem. Many counties use old, insecure websites for their voter registration; it would be relatively simple to create “spoofed” alternative sites or break into them, to manipulate data or post notices that polls have been closed or Election Day moved.
There is room for mischief as votes are tabulated and reported to the state, and ultimately to media outlets.
Eric Rosenbach, a former senior Defense Department official who directs the Defending Digital Democracy initiative at Harvard’s Belfer Center, which has provided training in recent months to election officials from 38 states, notes that is exactly what happened in Ukraine, “creating conflicting reporting about who really won.” The effort was intended to sow doubts about whether the entire election had been manipulated.
The Department of Homeland Security said there had been little evidence this year of the kind of “probes” into the voter registration systems that created such fear in 2016. But Election Day hasn’t arrived yet.
It wouldn’t take much to disrupt Tuesday’s vote in a few important swing districts, and that’s what the U.S. government — and many private security experts — are worried about.
The Department of Homeland Security says it will deploy small teams of cyberexperts to important states — presumably those that are most vulnerable, or have close races — just before the election. But it is not hard to imagine different scenarios that could cause disruption, or just create the illusion of disruption.
A last-minute attack on county or state voter-registration systems, just to knock them offline, would create an uproar from voters who might show up at the polls and find they could not vote. A strike at power grids, turning out the lights at polling places, or just disrupting transportation systems could suppress turnout and lead to charges of manipulation. Rosenbach’s group simulated such events in a series of scenarios with election officials, piling one attack upon another in an effort to get them to think ahead about how they would respond, all part of an election “playbook” that the Defending Digital Democracy program has given to campaigns and officials.
And then there is another fear: Come Wednesday, if there are still races that are too close to call, just a rumor campaign about possible election manipulation might be enough to cast doubt about the integrity of the results. And in the end, that’s what election disruption is all about — undermining the citizens’ confidence that their vote counts.
In 2016, the evidence of the extent of Russian operations on social media did not become clear until months after the election was over — and then, time and again, Facebook had to admit it missed all the warning signs. Mark Zuckerberg, a company founder, moved from arguing that to think fake news and divisive posts “influence the election in any way is a pretty crazy idea” to ordering the hiring of thousands of Facebook monitors to make sure it never happened again.
But there are no guarantees. Months after the midterms are over, evidence of covert internet action that is going unnoticed may well surface. As the Russians and others embrace artificial intelligence techniques, and get better at targeting messages, they may well find ways to route around the phalanx of new social-media police. Green says that is unavoidable.
“It’s still retroactive,” she said of monitoring social media. “We haven’t figured out how to do this in real time.”
Copyright 2023 New York Times News Service. All rights reserved.