Russian hackers tried altering US election data. Now what?
Posted June 15, 2017 1:01 p.m. EDT
A new report from Bloomberg this week reveals that Russian cyberattackers were much more involved in the US presidential election than previously publicized. These findings suggest that Russian hackers tried to change electoral data at local and state levels. CNN reached out to Michael Sulmeyer, director of the Belfer Center's Cyber Security Project at the Harvard Kennedy School, for his take on what the Bloomberg report reveals about the deeper vulnerabilities in the our electoral system. The conversation, conducted via email, has been lightly edited for flow.
CNN: According to the recent Bloomberg report, Russian hackers tried -- but failed -- to alter data from the US election in 39 states. How surprised are you? If not, why not?
Sulmeyer: I am not surprised by recent reports that Russian hackers assumed a far more aggressive approach to manipulating the 2016 US election. First, phishing is one of the oldest tricks in the hacker book. The reality is that as a technique to gain access to data and to systems, it's cheap, easy to do, and often successful. Second, Russia's posture towards Western Europe, and US interests more broadly, has become increasingly hostile over the last several years. Finally, Russia has not paid much of a price for this hostility, so its leaders likely believed that the costs of getting caught attempting to manipulate our election would be low.
CNN: Given the number of intrusions, how is it that no votes were affected? Or do you not buy that assertion?
Sulmeyer: The key breakdown probably goes something like this: how many systems, networks, and databases were targeted? Of that number, how many systems, networks, and databases did the hackers successfully gain access to? Of that number, how many did the Russians try to change (delete, modify data, etc.)? Of that number, how many were successfully altered by the hackers? By that logic, there's a narrowing down from the attempted number of intrusions to changing data. I am also not sure what kind of evidence would be sufficient to prove the negative: that no votes were affected.
CNN: What current tools do we have to deal with -- and neutralize -- these attacks? Did the government deploy them -- and/or deploy them effectively -- in 2016?
Sulmeyer: There are two lines of effort that should have been pursued, and need to be pursued for the future. First, how do we make the various facets of our elections harder to hack? Essentially, how can we improve our defenses? Second, how do we credibly threaten to impose costs on perpetrators who hack, and order the hacking of, our elections?
On the first, state and local governments have a lot of responsibility, and they need help. Help can come from the federal government in terms of funding and guidance, but also private sector companies that support elections need to do better. There were some efforts late in the game to offer states some scanning, but the investments needed to be made earlier to improve the foundations on which our electoral infrastructure rests. Tragically, it's still not happening.
On the second, the United States and many in the international community were slow to recognize the growing threat Russia posed to our interests and our values. Some cost was imposed (in the form of sanctions and expulsions), but more will have to be done to deter similar conduct in the future. In that regard, the notion that the US would undo these sanctions and allow the Russians to regain access to their spy houses seems counterproductive (to say the least).
CNN: President Donald Trump dismissed Russia's role in the hacking for a long time. He once said it could be "somebody sitting on their bed that weighs 400 pounds." Does he understand the threat? Why or why not?
Sulmeyer: I suspect people around the President understand that Russia's (and others') hacking operations pose a significant threat to American national security. My guess is that those closest to him worry about blurring that clear and present danger with the facts from last year's election -- the election that obviously brought him to power. If they can encourage the President to support important and necessary reforms to make the country safer from cyberattack, that would be a welcome development. For now, however, it is concerning that the President's minimization and dismissal of Russian malicious behavior may disincentivize the government from trying to prevent that same conduct from happening again.
CNN: How scared should we be about future elections? What keeps you up at night, in terms of our electoral stability?
Sulmeyer: The most concerning development is that we do not see a bipartisan consensus that (even attempted) foreign interference in US elections is unacceptable. I understand that politically, there are those on the right that don't want to make too much noise on this issue for fear of being seen as delegitimizing the current administration's victory. But you would think that helping states upgrade their election equipment is a win-win outcome, for it improves the confidence people should have in voting as an institution, and winners want their victories to be seen as legitimate. Yes, the Russian threat is very serious, and as former FBI Director Comey warned, they will be back. But that election integrity from cyber interference has become partisan -- that is tremendously disappointing.