Trial run: 2018 midterm poses first real test of reinforced Wisconsin election security system

“Russians are looking for every opportunity, regardless of party, regardless of whether or not it applies to the election, to continue their pervasive efforts to undermine our fundamental values,” Dan Coats, director of national intelligence, said in August.

This statement followed almost two years of claims of Russian interference in the already controversial 2016 presidential election, claims that were quickly corroborated by evidence collected by both the FBI and CIA.

Not only did these two independent organizations agree the Russians had intervened in the election, both the FBI and CIA concluded they did so with the intent of helping then-Republican presidential candidate Donald Trump secure victory.

A hacker’s toolkit

Attempted or successful Russian hacking did not begin, nor will it end, with the 2016 election. Ted Gerber, University of Wisconsin sociology professor and member of the UW Center for Russia, East Europe and Central Asia, said the Russian government had flexed its cyber muscles almost a decade prior to the 2016 election.

“[Russia] had trial runs and they were very involved in Ukraine’s elections, in Georgian elections … in Montenegro and Hungary. A lot of this stuff started with the cyber attack on the Estonian government back in 2007,” Gerber said. “They’ve been pioneers at using web-based attacks and social media in order to influence elections in other countries.”

In 2016, these web-based attacks manifested in three main forms: Efforts to infiltrate political campaigns to expose sensitive information, probes of electoral systems to collect voter data and fake advertisements or profiles on social media platforms to spread disinformation within the American public.

If you don’t trust the voting system, you need to vote to change it

These three main methods exploit an array of targets, including the Clinton campaign, social media users, the Democratic National Committee and voter information data.

As early as September 2015, the FBI contacted the IT department of the DNC, warning them that at least one computer had been compromised by Russian hackers. Six months later, Clinton campaign chair John Podesta received an email purportedly from Google, informing him another user had attempted to access his account and instructed him to click a link to update his password.

Podesta clicked the link and was redirected to a malicious website, where he changed his password, allowing hackers to access his emails and tunnel into the internal network of the Clinton campaign.

In this particular hack, and around 3,900 others, the Russian hackers were using a technique referred to as “spear-phishing,” a derivative of a more general “phishing method.”

Dave Schroeder, UW information technology strategist and cyber subject matter expert, said phishing is an all-encompassing term for the spam emails a person receives asking them for a changed password or to click on a link to receive an undisclosed prize.

“Phishing is very easy, you could do it yourself, anyone could do it,” Schroeder said.

But spear-phishing, he said, becomes more sophisticated and targeted. Instead of sending out mass emails hoping for a couple of clicks, hackers use spear-phishing to hone in on people or institutions from which they wish to extract specific types of information.

“Spear-phishing is when you’re actually targeting a person or an organization with customized emails for them, which might be something they’re expecting to get or it might look very legitimate,” Schroeder said. “Now, can you tell that these things are illegitimate if you really examine them? Yes. But it’s difficult for a person, whether it’s a senior official or someone who’s part of a campaign, to be able to tell that.”

In contrast to oftentimes blatantly fake or malicious phishing emails, spear-phishing attacks capitalize on something drilled into the heads of politicians, campaign workers and the general public: maintaining a secure presence online. Using different and inventive passwords for different accounts, keeping the passwords secret and other security measures are of utmost importance in today’s digital age.

If someone attempted to access a campaign manager’s account, as the fabricated email to Podesta claimed, the Clinton campaign would risk having their privacy and classified information compromised. The Russian hackers knew and exploited this precautionary tendency, successfully gaining access to Podesta’s email and to sensitive information about the Clinton campaign which was later published on Wikileaks, Schroeder said.

Following the infiltration of Podesta’s email and the successful hack of the Clinton campaign, Russian hackers turned their attention to the DNC, where hacking groups “Cozy Bear” and “Fancy Bear” tunneled into the DNC computer system.

“[Fancy Bear and Cozy Bear] successfully got someone’s credentials who was affiliated with those organizations so that they could get into the internal networks and access things they wouldn’t normally have access to just as an outsider,” Schroeder said.

Schroeder said Fancy Bear and Cozy Bear are examples of Advanced Persistent Threats and that these threat networks have been around for almost a decade, dating back to the 2008 Russo-Georgian war. In addition to hacks of political organizations and campaigns, the Russian hackers probed the electoral systems of 39 states in 2016. In Illinois, the hackers attempted to delete or alter voter data.

Through their infiltration of software used by poll workers and voter information databases, hackers accessed information to use in their sophisticated social media campaigns of misinformation.

Deepening the divide

A third front for Russian hacking and disinformation attacked the American electorate through sophisticated and targeted social media campaigns. Schroeder said because social media platforms profit from ad revenue, foreign actors are able to exploit this system, easily purchasing ads to spread certain ideas. In the vast majority of cases, there is no one vetting these ads for truthfulness.

“[The Russian ads] were designed to get people angry, maybe to incite people to do or not do something, make them disgusted enough that they’re just going to stay home from the polls,” Schroeder said. “Or [the ads] were to get people to vote a certain way, to change their minds or just to get people to become disgusted with the entire political process.”

UW journalism professor Young Mie Kim, a leading expert on targeted political advertising and the Russian social media influence in 2016, elaborated on the Russian strategy for their disinformation campaign.

“If we analyze the Russian themes, they’re divisive issues: abortion, LGBT issues, the gun race, immigration, nationalism … the Russians exploited the existing cleavages in our society,” Kim said.

Experts discuss vulnerabilities in Wisconsin elections

Instead of running a more traditional propaganda campaign that focuses on promulgating and pushing a certain agenda, the Russian disinformation campaign was targeting both ends of the political spectrum, Kim said. The disinformation campaign pitted the two political extremes against one another, creating a salient “us versus them” attitude voters carried with them to the polls.

The Russian social media presence also served as a way to distract and guide the public opinion to focus on certain issues rather than others.

“You can think about it as sort of a pollution. There’s so much information out there, so if we just think about the Russian disinformation campaign overall compared to all other media outlets, it might just be a small fraction,” Kim said. But it’s like poison; you drop it in the water, and you pollute the entire system.”

In Wisconsin, a crucial swing state, this poison seeped into voter’s Facebook and Twitter feeds as Russian hackers attempted to pollute public opinion. Kim said both Wisconsin and Pennsylvania, historically Democratic strongholds, were targeted by Russian hackers and ultimately turned red in 2016 by a “razor-thin margin.”

In these states, targeted Russian ads appealed to the identities of voters: their race, their political affiliation, their beliefs on social issues, Kim said.

“We found that almost 87 percent of anti-immigration ads were targeted at whites,” Kim said. “On the other hand, non-white voters received voter suppression ads telling them to ‘boycott the election, do not vote.’”

In the aftermath of the surprising social media presence and influence enjoyed by Russian groups, Kim reiterated the importance of transparency by the government and by social media companies.

Facebook launched a political ads archive, has started requiring advertisers to provide documentation proving they are based in the U.S. prior to purchasing ads and has added a “paid for by” disclaimer attached to political ads. These are all steps to ensure political ads are not purchased by foreign actors looking to influence public opinion to their benefit.

But these measures are just a first step toward true transparency.

Legislation regarding tech transparency stagnates in Congress, and the FEC has yet to provide a consistent set of regulatory guidelines, Kim said.

“Google, Twitter and Facebook, all three major tech platforms, have some transparency measures that they didn’t have before and [have added] political ad archives,” Kim said. “But their policies are all different. What defines political ads [is] all different. So without consistency, it’s really hard to utilize that.”

Under lock and key

As Wisconsin looks to the midterm elections next week, election security becomes a sensitive topic for voters looking to cast ballots in truly fair and free elections.

Incumbent Republican Governor Scott Walker has largely shied away from the issue of Russian interference in American elections. Walker’s campaign did not respond to repeated requests for comment on Wisconsin election security going into the midterm election.

Democratic Gubernatorial candidate Tony Evers has also not publicly spoken on the issue very much. In an email to The Badger Herald, Evers’ campaign addressed Wisconsin voter security and processes.

Britt Cudaback, deputy communications director for Evers’ campaign, said protecting the right to vote hasn’t been a priority for Walker.

“We deserve a governor who will put government back to work for the people of Wisconsin, and we have to start by making sure our elections are secure and that every Wisconsinite has the opportunity to participate in our democracy,” Cudaback said.

Although neither gubernatorial candidate’s platform has been particularly concentrated on improving election security, Wisconsin elections were not immune from Russian hacking attempts in 2016.

Reid Magney, public information officer for the Wisconsin Elections Commission, said in 2016, there were two scans of Wisconsin firewalls with IP addresses linked to the Russian hackers.

“Nine million times a year, somebody somewhere around the world scans the state of Wisconsin’s firewalls looking for a potentially open door,” Magney said. “In 2016, two out of those 9 million scans came from an IP address that the federal government thinks is associated with the Russian government.”

These two scans did not target the Wisconsin Elections Commission, a government organization responsible for facilitating elections in the state. Instead, these scans targeted the Department of Workforce Development, probably to look for a backdoor into election data, Magney said.

2018 Election: Here are the candidates running for public office in Wisconsin this year

These probes of Wisconsin data targeting the extraction of voter information happened in conjunction with the widespread Russian disinformation campaign on social media.

“These anonymous groups, including Russian groups, clearly targeted battleground states like Wisconsin [by] talking about identity, talking about values, targeting specific people and how they’re thinking to either suppress the vote or to encourage turnout,” Kim said.

While there are nervous tremors within the cybersecurity community about the security of Wisconsin voter information and election technology, Magney and the Wisconsin Elections Commission maintain that voters should have nothing to worry about come election day next week.

Magney said Wisconsin was taking measures to secure elections from potential hackers even prior to the 2016 election through “cyber-hygiene scans” conducted by the Department of Homeland Security. These scans help secure systems connected to the internet from weak configurations and vulnerabilities that could be exploited by hackers.

Following 2016, Wisconsin doubled down on efforts to secure its elections equipment and to improve the training of employees who interact with the equipment and voter information systems.

On the technological front, the voter registration system database has been encrypted, making the data meaningless to any hacker who could potentially access it.

Moreover, computers with access to the internal network now have multi-factor authentication. This means that, in addition to requiring the standard username and password, a FIDO key is required. A FIDO key resembles a USB drive, and must be plugged into the computer in order to gain access to its interface. Finally, enhanced monitoring systems have been put in place.

In April, Congress appropriated $380 million to be distributed to states to improve election technology and security. Wisconsin received $7 million. This money, Magney said, has been predominantly used to establish six new positions focused on cyber security and for training Wisconsin clerks on using the existing system more safely.

“One of the big things we’ve been concentrating on is training Wisconsin clerks, the people who use our system, for everything from making sure they don’t fall victim to email phishing attacks, that they use good passwords, that they take the steps necessary to protect the system,” Magney said.

A large critique of Wisconsin voter systems comes from a simulation run at DEFCON, one of the world’s largest hacker conventions, called the Voting Village. In this village, participants attempted to hack more than 30 pieces of election voting equipment, most of which were identical or similar to systems still in use across the country.

By the end of the four-day conference, every piece of equipment in the voting village had been breached in some manner.

Magney, however, maintained that the Voting Village simulation at DEFCON is not as applicable to Wisconsin elections as critics have claimed. In this simulation, the election machines used were touch-screen Accuvote PSX machines, Magney said. In Wisconsin a similar model is in use, but it has a few unique and crucial differences to those used at DEFCON.

Wisconsin machines use something referred to as a “voter-verifiable paper audit trail,” which means that, although voters are using a machine with a touch screen to select the candidate they are voting for, their votes are also recorded on paper within the machine. Once a voter selects their candidate, they are able to confirm that what is marked on the paper within the machine is correct before finishing the voting process, Magney said.

In addition to the voter-verifiable paper audit trail, the machines used are “hardened,” meaning they are not connected to the internet, and are therefore more insulated from potential hacking attempts.

Finally, unlike the systems that were breached at the Voting Village, Wisconsin voting technology is kept under strict surveillance before, during and after the election.

“Before every election we do what’s known as logic and accuracy testing, to make sure that the machines are correctly programmed. All of the machines are sealed with number security seals; they’re kept locked up,” Magney said. “After the election, there are a large number of security procedures in place … that ensure nobody is tampering with the results.”

Evers to challenge Walker, Vukmir to take on Baldwin in key November races

While promising 100 percent security for an election is impossible, Magney said Wisconsin systems are much more prepared to handle potential hacking attempts come the midterm election.

Schroeder, however, cautioned that even a perceived infiltration of things such as campaign websites or pages where voting results are listed pose a real threat to election security and American trust in the democratic process.

“As soon as you have something like [one of these sites] hacked, a lot of the nuance and complexity of ‘well this isn’t really the voting system itself, this isn’t really the vote count’ kind of gets lost, because what people are going to hear is that these results were changed on the official website,” Schroeder said. “It all comes back to trust and integrity.”

Finding common ground

With midterm elections just around the corner, the political landscape of Wisconsin hangs in the balance. Both the College Democrats and College Republicans view this upcoming election as crucial to the future of Wisconsin.

While they want to see different results come with Nov. 6, both Charlie Meuth, UW College Republicans chair, and Sam Schwab, UW College Democrats press secretary, agreed the issue is an important one heading into the midterm elections.

Schwab calls the initiatives the Wisconsin Elections Commission has implemented with the federal money it received a “step in the right direction” for the security of Wisconsin elections.

Meuth echoed this sentiment, and said any “attempted interference by any foreign governments into the integrity of our elections should be taken incredibly seriously.”

Wisconsin and other states have been tasked with improving election security, social media platforms with improving their transparency and accountability to their users, in two short years.

The 2018 midterms will be the first real test of these improvements, and the first chance to see just how big of a first step these institutions took toward remedying the slew of problems they were confronted within the 2016 election.