The midterms are already hacked. You just don’t know it yet.

One evening last May in Knoxville, Tennessee, during the night of the local primary election, Dave Ball, the assistant IT director for Knox County, settled into the Naugahyde chair of his dusty home office and punched away at his desktop computer. Ball’s IT staff had finished a 14-hour day, running dress rehearsals to prepare for the ritual chaos of election night.

In a few minutes, at exactly 8 pm, the county’s incoming precinct results would become visible to the public online. Curious, Ball typed in the address for the Knox County election website.

At 7:53, the website abruptly crashed. Staring back at Ball was a proxy error notice, a gray message plastered against a screen of purgatorial white. It read simply, “Service Unavailable.” Across East Tennessee, thousands of Knox County residents who eagerly awaited the results saw the same error message — including at the late-night election parties for various county candidates, where supporters gathered around computers at Knoxville’s Crowne Plaza Hotel and the nearby Clarion Inn and Suites.

Ball was scowling at the screen when the phone on his table buzzed. It was a message from a staffer, still on duty at the IT department: “We’ve got a problem here,” it read. “Looks like a DDOS.” Ball still remembers his next, involuntary exclamation: “Oh, shit.”

Technicians recognized the attack: a distributed denial of service, or DDOS, in which a server is overwhelmed by a crushing wave of requests, slowing it to a halt. Over at the county’s IT center, “the error logs were coming so fast that you couldn’t even see what anything said,” recalled Ball.

One county technician, dumbfounded by the whoosh of code rocketing across the screen, somberly took out his phone and began to film it. The assault was being launched from 65 countries, a legion of zombie computers pressed into service by the attack’s architects. Finally, the barrage intensified so much that after 15 minutes, the server succumbed and crashed.

Ball was now besieged by callers — local politicos, voters, county staff. One of them was Cliff Rodgers, the Knox County administrator of elections, who was deliberating what he should tell the local media. “I’ve got three TV crews filming me. I’ve never had three TV crews at one time,” Rodgers said, recounting how the chaos unspooled.

Rodgers would later explain to the media that the online precinct tally is unofficial: Attacking it can’t change the vote count, any more than hacking basketball scores on YahooSports.com can change the actual winner of the NBA finals. But it was natural for voters to wonder if the integrity of the vote itself had come under threat: “It’s the first question they asked me,” Rodgers said.

After an hour, Ball’s team managed to bring the server back to life; finally, the results became visible. But then the attack came roaring back; throughout the night, Ball’s team would battle it to the hilt. It wasn’t until next morning, as IT staff began combing through server logs, that they discovered the true purpose of the attack: The DDOS, and the all-hands effort required to fight it, had been a diversion.

Long before election night, attackers had uncovered a vulnerability in Knox’s website — “loosely written code,” Ball called it — and they timed the onslaught perfectly so they could exploit it during the scramble.

Like burglars who pull the fire alarm and, in the ensuing chaos, ransack the cash register, the hackers entered through a hole of their own creation, and briefly probed the county’s internal database.

Within days, Knox hired a third-party security consultant, called Sword and Shield, to conduct a forensic analysis. Their report, which was shared with Vox and reviewed by cybersecurity experts, confirmed that no data was stolen during the attack. But among the various data sets on offer that night, one had controlled the website that ran the precinct tally. That software presented the attackers, whoever they were, with a chance to meddle with the preliminary results or, worse, to announce a false winner, at least temporarily.

Such a tactic has been attempted at least once before, by a Kremlin-affiliated hacking group in 2014. Sword and Shield’s report found that the DDOS attacks came from 65 countries. But it traced the malicious probe to just two: the United Kingdom and Ukraine. The latter has been a redoubt of Russian-affiliated hackers-for-hire, what the New York Times’s David Sanger has called “Putin’s petri dish” and Radio Free Europe calls “ground zero on the front lines of the global cyberwar.”

A staffer confirmed to Vox that the episode is currently under investigation by the FBI. “It’s no longer theoretical,” Rodgers said. “And if they can do this in little old Knox County, they can do it anywhere.”




“It’s every county versus the FSB”

What happened in Knox County last spring provided apparent confirmation of what leaders in the intelligence community have warned for months: that the successful interference campaign in the 2016 elections — an event that the Senate Intelligence Committee this year called “an unprecedented, coordinated cyber campaign against state election infrastructure” — is being reprised in the 2018 midterms, and will continue for the foreseeable future.

“2016 certainly could have been a lot worse,” warns former CIA Director John Brennan, who played a leading role in identifying and thwarting Russian meddling efforts in the last presidential election. “It should be seen as a wake-up call,” he went on. “We are really flirting with disaster if we don’t come to terms with this.”

With the midterms two weeks away, news of electoral cyberattacks has begun to appear with growing frequency. In 2018, at least a dozen races for the House and Senate, mostly Democrats, have been the public targets of malicious cyber campaigns, in a variety of attacks that suggests the breadth of the threat: Campaigns have been besieged by network penetration attempts, spearphishing campaigns, dummy websites, email hacking, and at least one near-miss attempt to rob a Senate campaign of untold thousands of dollars.

“The Russians will attempt, with cyberattacks and with information operations, to go after us again,” said Eric Rosenbach, the former Pentagon chief of staff and so-called cyber czar, now at the Harvard Belfer Center, when I talked to him this summer. In fact, he added, “They’re doing it right now.”

Last week, the Department of Justice unsealed a criminal charge against a Russian national in St. Petersburg for interfering in the 2018 midterms. The charges detail an ongoing Russian-backed information operations campaign, called Project Lakhta, with a budget of around $12 million in 2017 and, this year, around $10 million from January through June alone. Lakhta was detailed in an earlier indictment brought by Special Counsel Robert Mueller for its activity in 2016. “This case serves as a stark reminder to all Americans: Our foreign adversaries continue their efforts to interfere in our democracy,” said FBI Director Christopher Wray as he announced the charges.

Intelligence officials, cyber experts, and political campaigns have long been bracing for the possibility that these attacks could escalate through November 6. Election offices and campaigns are far from the only targets: On social media, the country’s largest tech titans have beaten back disinformation efforts. This includes Twitter — which this summer quietly began to delete millions of bot accounts — and Facebook, which this year has deactivated more than 650 accounts related to disinformation efforts backed by Russia and Iran (and recently announced news of a major data breach affecting 50 million users).

In August, Microsoft announced that it had detected sophisticated spearphishing campaigns orchestrated against two conservative American think tanks critical of the Kremlin and, later, against three congressional candidates that included at least one US senator. In late September, Google informed an unknown number of senators and Senate staff that their personal email accounts had been targeted by foreign hackers.

Even the more banal rituals of US politics have come into the crosshairs. In May, a live debate in a California House primary race ended in embarrassment when unidentified hackers brought down the live stream and began to air video porn.

Are we better prepared now than in 2016?

With the midterm election weeks away, the central question is how much better-prepared the country’s election infrastructure is to repel these attacks than it was in 2016. Vox spent six months speaking with more than 100 people in the world of elections — officials in the federal government, the intelligence community, election advocacy, state and local election offices, private vendors, academic researchers, and campaigns. Their verdict is sobering: Since 2016, the country’s election infrastructure has improved, but not by much, and things are going to get worse before they get better.

More importantly, the people who safeguard our elections want Americans to reconcile with a harder truth: The way we experience electoral politics is undergoing a sea change, from the ballots we cast to the outcomes we read about to the way we process our most personal decisions.

From now on, these officials say, each aspect of elections is a national security target — and will be for the next few decades, so we’d better get used to it now. “This is the challenge for the 21st century,” said Brennan. “And how we’re going to deal with it is going to make the difference between some smooth sailing or some very, very stormy seas.”

The country’s election vulnerability falls into three broad camps: 1) the targeting of individual campaigns, which are susceptible to email theft and other meddling; 2) the hacking of our national discourse, or “information operations,” which are the propaganda efforts designed to sow discord; and perhaps most dangerously, 3) the technology itself that underlies the country’s election infrastructure.

In the past two years, federal and state officials have scrambled to harden a system that is almost perfectly vulnerable to the kinds of meddling and mischief on offer from Russian (or other) adversaries. One reason for this vulnerability: The basic configuration of American elections dates to 1890 — a chaotic ritual designed, literally, for another century.

We might also blame the Constitution, which concocted an election system administered entirely by the states — a privilege they still guard fiercely. But even state-run elections are a misnomer; today, much of the country’s elections are overseen by counties, townships, and precincts.

In a way, the United States this November won’t have one midterm election, or even 50, but a number closer to 10,000.

It’s these local officials, in Knox County and elsewhere — and not the NSA, FBI, or DHS — who are standing foursquare against cyberattackers this November. It’s as if America’s most ancient civilian office, the local election clerk, has become saddled with new and alien responsibilities tantamount to those of a military contractor.

“We are at a fundamental disadvantage because it’s not a fair fight,” says a big tech security expert, who spoke on background in order to speak frankly about election vulnerabilities. “It’s now every county versus the FSB,” he adds, referencing the acronym of Russia’s version of the CIA.

Not only are our election guardians outmatched, but the system they guard is also rickety. Intelligence officials from the Obama administration believe the public continues to have a dim understanding of the vastness of the attack in the last election. In the final months of 2016, more than 1,000 government officials from across the intelligence branches and executive agencies were mobilized to defend against Russian intervention, according to former officials.

The result was the most comprehensive assessment of the American voting system since George W. Bush versus Al Gore in 2000 — and the discovery of a litany of vulnerabilities that, years later, some officials still describe as shocking.

Leading officials, including Homeland Security Secretary Kirstjen Nielsen, have suggested that Russian adversaries aren’t targeting the midterms with the same “scale and scope” as in 2016. In a sense, this is true: By this time two years ago, FBI officials had already pried Russian-affiliated malware out of DNC servers, while emails stolen from the Democratic Congressional Campaign Committee (DCCC) and the Hillary Clinton campaign were leaking at a steady clip. Officials also stress that there is no evidence — in 2016 or 2018 — that the rigging of actual ballot numbers has been the intended goal of meddling efforts.

But this is also cold comfort. “Vote flipping is not where the big threat is,” said Michael Daniel, who served as the White House cybersecurity coordinator in the Obama administration. “The big threat is in activities that would disrupt the election in some ways and cast doubt in Americans’ minds about the validity of the outcome.”

If 2018 hasn’t yet played out as chaotically as 2016, that still allows for the critical days leading up to Election Day, and the possibility for so-called Zero Day vulnerabilities that we may not be aware of yet, a warning sounded by DHS Undersecretary Chris Krebs. “What might they be doing? Might they be waiting for 2020?” Krebs said at a press conference last week. “Or might they have other plans that they could trigger in the intervening two and a half weeks?”

Even with comparatively less activity than in 2016, Democratic Party officials are bracing for the worst. “My stress level goes up every single day as I watch the countdown to the election because if something happened with three days out, that could literally slay everything,” said Raffi Krikorian, the Democratic National Committee’s chief security officer. “We’re sleeping worse and worse at night.”

That is largely why Knox County has caught the attention of the intelligence community: It may hint at what could come on Election Day. Several cybersecurity professionals pointed out that Tennessee’s reporting system is like any other in the country, unregulated equipment comprised simply of network switches and internet cables. And Knox County, if anything — with its large budget and sizable IT staff — is better defended than most county election staffs will be this November.

One person who expressed concern was Anthony Ferrante, now global head of the cybersecurity practice at the Washington-based FTI Consulting, and who oversaw the elections portfolio at the National Security Council in 2016.

“There’s nothing to prevent what happened in Tennessee from happening at the national level,” said Ferrante.




“Their job is tough … and getting tougher every day”

A few days after the attack in east Tennessee, state officials placed a phone call to the office of Matt Masterson, the director of the Department of Homeland Security’s newly created federal Election Task Force (ETF).

When DHS received word of the attack, Masterson organized a conference call between county and state officials across Tennessee. The FBI joined the call, as did DHS staff from the ETF and the National Protection and Programs Directorate (NPPD).

The group settled on a course of action: The FBI would open an investigation in Tennessee. DHS, in turn, would send its Hunt and Incident Response Team to Knox County — the government’s top civilian cyber-SWAT unit — to assess the damage and, as Masterson put it, “to provide additional analysis beyond what [Knox] had done.” He spoke with practiced caution; the discussions are still not public. But, he added confidently, “This was how it’s supposed to work.”

Such a scene would have been difficult to imagine in 2016, when DHS officials, caught flat-footed as they scrambled to notify state officials of an impending attack, often called the wrong offices. The Knox debrief was later included in the DHS’s regular election security meetings — “syncs” in Fed parlance — which have convened every week inside the bowels of the federal government since January 2017.

That month, in the final days of the Obama administration, Jeh Johnson, the outgoing DHS secretary, wrote a memorandum “for immediate release” that designated the country’s elections as “critical infrastructure.”

The Critical Infrastructure Act was forged in the months after 9/11 and eventually designated 16 sectors of American life — from Wall Street to nuclear reactors — as worthy of privileged federal protection from outside attack. Johnson’s memorandum added elections to this list, just days before the Trump administration took office.

Johnson’s memorandum is the reason Masterson’s position exists at the ETF — plus an alphabet soup of other federal subgroups, all created under the “CI [critical infrastructure] designation,” agencies with names like the Government Coordinating Council, the Sector Coordinating Council, and the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC). The federal government had decided to approach defending elections the same way it defends hospitals, dams, and energy utilities: by deploying extensive monitoring technologies and circulating information about threats as fast as possible.

Masterson’s office sits on the seventh floor of a nondescript DHS building in Arlington, Virginia, with sweeping views of the Potomac River and the Jefferson Memorial. “The threat environment has absolutely changed as a result of 2016 — the idea that sophisticated actors are targeting election systems,” said Masterson.

At 39, he has messily boyish hair, broad shoulders, and a lopsided grin. Over and over, he adamantly channeled a message of sympathy for state election officials. “Every election official is getting asked, ‘What have you done since 2016 to improve election security?’” he said. “Their job is tough, and it’s evolving and getting tougher every day.”

If Masterson sounded at times like a therapist for the woes of state election officials, it’s because, in some measure, that’s what he does. His job is to coach state officials through the regulatory tentacles of safeguarding a national security objective, something they’re still learning as they go. “Our focus on the task force is geared toward helping elections infrastructure,” he said, which means “working with state and local officials to make sure they have the support they need to protect their systems.”

The target landscape is huge

Much of the DHS strategy is shaped by preventing what happened in 2016. Masterson had a front-row seat to the attacks on election infrastructure when he served on the federal Election Assistance Commission. According to the Senate Intelligence Committee’s official declassified summary of the attacks, 21 states saw their voter registration systems probed — including Illinois, where hackers made off with information on 90,000 voters, and California, where some primary voters found their registrations altered, an attack now associated with Russian-backed efforts. The report concludes that in those cases, “cyber actors were in a position to, at a minimum, alter or delete voter registration data.”

On Election Day 2016 in North Carolina, voters in blue-leaning precincts were turned away by the e-pollbook system, the digital check-in devices that have increasingly replaced old-fashioned voter rolls in the past few years. (Jurisdictions in 34 states used them in 2016.)

Hacking was never proven, in part because county officials rebuffed the FBI’s offer to conduct a forensic analysis. But months later, internal NSA documents revealed that the e-pollbook system, used in North Carolina and seven other states, was the target of Russian cyberattacks. According to senior Obama administration officials, at least two other private election technology vendors were also targeted. They remain unnamed. Software glitches were also reported on Election Day in the most populous counties in Georgia, Arizona, and Virginia.

Public websites, like Knox County’s, also operated suspiciously in 2016. On the night of Florida’s August primary, several malfunctions caused county websites to appear erratically: In Leon County, online precinct results were delayed and then fluctuated wildly. In Broward County, the results displayed 30 minutes before polls closed (a malfunction officials attributed to an employee pressing a button prematurely). In total, eight counties in Florida are known to have been targeted by hacking attempts affiliated with Russian hackers; an indictment brought by Special Counsel Robert Mueller alleges Russian hackers targeted the websites of “certain counties in Georgia, Iowa, and Florida.” According to the Senate Intelligence Committee, website attacks were as widespread as six states, typically using a simple technique called an SQL injection.

Not even Masterson’s agency was spared: Soon after the election, the Election Assistance Commission discovered that more than 100 login credentials had been stolen and put up for auction on the dark web.

Masterson isn’t an expert on cybersecurity, but on state elections. It’s a recognition of how vital DHS views cooperation with state and local jurisdictions. “We recognize that it can’t be just incumbent on ‘Cheryl in Jackson County, Ohio,’ to fight the Russians,” Masterson said sympathetically. The paradox, though, is that “neither can it be incumbent on the feds. It’s the state and locals who run elections.”

And because the federal government can’t mandate security procedures, Masterson’s mission is largely to persuade state officials of the importance of securing their own systems.

His first weapon may sound dubious to anyone who has worked in government: meetings. Masterson estimates he’s had dozens of confabs with state officials. In these settings, state officials learn and relearn the importance of good cybersecurity posture, such as asset management, access control, and two-factor authentication.

In the second effort, the federal government has coaxed states and counties into adopting its defensive technologies, a treasure chest of security offerings, mostly free of charge. On the menu: about 20 technologies, services, and exercises, offering a kind of federal “geek squad” at the beck and call of the 50 states.

These services include remote cyber-hygiene scans, penetration tests, and risk-and-vulnerability assessments — all of which poke and prod, in various methods, at the strength of the networks and servers inside states and counties. According to Masterson’s figures, 21 states, 13 counties, and one election technology company will have undergone onsite risk-and-vulnerability assessments by Election Day 2018, a marked increase from a lonely one, Pennsylvania, in 2016.

The number of remote hygiene scans is larger still: The networks of 37 states, 88 counties, and eight private election companies are receiving the ongoing scans. (DHS wouldn’t confirm which ones.)

Federal security clearances are also forthcoming, which allow state election officials to be briefed more quickly on classified intelligence. (DHS has promised 150 clearances; as of mid-September, 100 had been granted.) And the department has invited state election officials to join in various cyberwar-game exercises.

In August, officials from 44 states (and a few election companies) beamed into Washington for three days of role-playing exercises on spearphishing attacks, social media manipulation, and, tellingly, DDOS attacks on state websites.

The DHS’s prized pig is the “Albert” sensor, an ungainly gray box that attaches itself, koala-like, to a server rack and monitors incoming online traffic in real time — then sends alerts to a team of analysts sitting in the Elections Infrastructure Information Sharing & Analysis Center (EI-ISAC) facility in Albany, New York.

Forty-one states had installed Alberts into their election-related IT infrastructure as of mid-September. Sixty-eight counties had had one installed, too. Masterson and DHS officials tell Vox that 1,300 local jurisdictions and all 50 state governments are participants in its continuous threat-sharing program with EI-ISAC.

Yet these figures also show the vast extent of the challenge. If 21 states receive risk-and-vulnerability assessments, that means by Election Day, the majority won’t. Eighty-eight counties receiving remote hygiene scans means that roughly 2,900 aren’t. And boasting of 1,300 local jurisdictions that have signed on for federal monitoring also means that roughly nine out of 10 of these localities in the US have opted out of a free, vital program.

Masterson pointed out that the federal government is just in the early stages of a massive reinvestment in taxpayer dollars. And because of constitutional limits, he noted, the feds can’t wage these battles for local governments. “All the election officials I’ve talked to are taking this seriously,” he said. “They recognize, ‘I may not have wanted to be an IT manager. But I am.’ That should encourage all of us.” In a follow-up email, he described the election system’s readiness and resilience, compared to 2016, as “night and day.”

Masterson may well be right. But there remains the more worrisome question, one that cyber experts outside the federal government are raising loudly: Will any of this work?




“We’re still on year zero”

Many cybersecurity researchers and engineers remain doubtful of success, at least for the 2018 elections. The security expert at a big tech corporation, who spoke on background in order to speak frankly about election vulnerabilities, put it this way: “On a scale of 1 to 10, with 10 being the Pentagon’s [security measures], elections have probably moved from a 2 to a 3.”

Most election cybersecurity experts who spoke with Vox shared this prognosis. Alex Stamos, a former chief information security officer at Facebook who now teaches cybersecurity at Stanford, said, “We’re still on year zero. And we should be on year two.”

These experts acknowledge that the election system has improved. But their reasons for pessimism are just as numerous. They laid out a number of scenarios that could exploit vulnerable election infrastructure: names deleted from voter registration databases; e-pollbooks that send voters to the wrong precinct; malware that corrupts ballot-definition files for machines or software that governs vote tabulation, before it’s installed in various counties and precincts; or corrupted public-facing websites to announce a false winner on election night.

Many of these vulnerabilities can be traced to the fairly recent history of the country’s slapdash election infrastructure. That system was built, largely, by the country’s private elections industry.

Perhaps nowhere in American life is a private industry’s role so critical, charged with defending a core national security objective, yet so dimly understood by its own government.

These private companies “represent an enticing target [f]or malicious cyber actors,” according to the Senate Intelligence report. Yet the report admits that state and federal authorities continue to “have very little insight into the cybersecurity practices of many of these vendors.” Rosenbach, the former Pentagon cyber czar, largely agreed. “The cybersecurity mechanisms in place for a lot of the election software vendors are just not clear,” he said.

America’s voting system is run by a handful of private companies

Today, the American elections industry is dominated by three companies: Dominion, Hart InterCivic, and, the largest, Election Systems and Software (ES&S). If you voted in the past 10 years, the chances are good that you used these machines (92 percent of voters do), or the myriad supportive technology required to stage an election.

Today’s election system has its roots in 2002, with the Help America Vote Act, passed after Bush v. Gore. HAVA did some good, like forming the Election Assistance Commission. But on the whole, HAVA was the Johnny Appleseed of mediocre security practices, encouraging states to adopt insecure products from largely unregulated companies.

Much of the criticism has been directed at digital voting machines, called DREs. But election offices have become increasingly digital in other, less obvious ways: Adopting e-pollbooks; hauling voter registration information into state-run or third-party databases; proffering all-in-one election management suites, which program the machines and tabulate the outcomes; and building internet-based services for voters, like the precinct tally program in Knox County.

All of these are potential vectors of attack, according to experts. Daniel, the former White House cybersecurity coordinator, summed up the era of digital expansionism: “If you bring a process out of that analog space and into the digital space, you end up getting a set of vulnerabilities that you never realized you had before.”

The testing protocols for these machines, administered by the EAC, have long been considered weak, with scant focus on security and little visibility from the public. (One machine that came out of this process, built by Diebold, infamously was found to have a hard-coded encryption key identical on every machine, a basic security flaw.)

Nearly all of the machines in use today underwent these lab tests, which are paid for by the companies that manufacture the machines, whose compliance standards were last updated in 2005. “There wasn’t a lot going on in there,” said one insider familiar with the process, who spoke anonymously to discuss the testing protocol, which is not supposed to be public. “The voting systems that came out of that process were not secure.” And the other key parts of election infrastructure the Russians targeted in 2016 — voter registration databases, e-pollbook machines and software, privately built election websites — are exempt from lab testing entirely.

For 15 years, an informal corps of computer scientists did nearly anything they could to warn the public about the vulnerability of these systems. In some ways, Russian interference in 2016 was a version of the catastrophe these security engineers had predicted.

In response, the major companies have taken two defensive measures. The first is to insist their products are “air-gapped,” or not connected to the internet, making it difficult for them to be hacked. This is true, but only in the best-case scenario, assuming that thousands of local clerks and technicians have never once accidentally plugged in an ethernet cable or network jack.

But other experts say this insistence overlooks the sophistication of nation-state attackers, who can find other creative methods for intrusion — infected USB drives, modem access, remote-access software — or, of course, infiltrating the company networks themselves, engineering direct upload malware through regular software updates.

The companies’ second measure has been to close ranks, resisting independent research into their machines. Public security audits of election technology are rare; the last major ones, commissioned by California and Ohio in 2007, were scathing. And the companies have often seemed committed to avoiding them, with one even threatening Princeton University researchers with lawsuits.

(Companies like Google and Microsoft, on the other hand, not only tolerate white-hat hackers but pay them handsomely to find flaws in their products, typically as part of so-called “bug bounties.”)

Tension between the industry and the security community reached a boiling point this August during Def Con, the famous hacking conference in Las Vegas. At Def Con’s Voting Village, cybersecurity experts put various models of voting equipment on public display. There, participants found critical software vulnerabilities in voting machines.

Others swapped new programming into an old Diebold e-pollbook, erasing voters from the rolls, while children as young as 11 hacked the mock-up election websites of 13 secretaries of state.

Among 31 digital voting machines on display, some were out of date. But one, the ES&S M650, had suffered a serious vulnerability in Ohio’s 2007 public review; 11 years later, it still demonstrated the same error. (The M650 was used in 371 counties across 26 states in 2016.)

The event infuriated election vendors and state officials, who pointed out, correctly, that Russians don’t enjoy boundless physical access to their machines.

But Def Con succeeded in attracting the attention of several senators, who wrote to ES&S to inquire about the “unprecedented security risks” on display. In a public statement, Sen. Kamala Harris’s (D-CA) office called it “unacceptable that ES&S continues to dismiss the very real security concerns that Def Con raised.” In response, ES&S suggested the real threat to elections was Def Con itself — for allowing “foreign intelligence operatives” potential access to the machines.

“That’s a pretty clear sign these companies are not taking the threat seriously enough,” said Stamos, the former chief information security officer at Facebook.

Small, third-party vendors play an outsized role in US voting

The public focus on the big companies misses another side of the elections industry: so-called third-party vendors, scattered across the country, which manufacture other kinds of election infrastructure and present their own vulnerabilities.

It was one of these smaller companies — VR Systems, based in Tallahassee — that manufactured North Carolina’s malfunctioning e-pollbooks and Florida’s erratic voter websites.

Last year, the Intercept leaked an internal NSA intelligence review that described an advanced persistent threat, probably the GRU — Russian military intelligence units — that had “executed cyber espionage operations” against VR Systems and 122 election officials.

VR Systems COO Ben Martin publicly denied the company was compromised. But an indictment brought by special counsel Mueller this summer appeared to lay out in even more explicit terms the hacking described by the leaked NSA document — which definitively stated Russian attackers “hacked into the computers” of a company matching the description of VR Systems (which the indictment calls “Vendor 1”). In August, a retired county supervisor of elections in Leon County, Florida, told the Associated Press and other newspapers that he had received a briefing in 2016 from the FBI and DHS, alerting all 67 Florida counties that a vendor had been penetrated by a foreign actor. “Everybody knew they were talking about the GRU and VR Systems,” the supervisor said.

Had North Carolina officials requested the FBI’s forensic analysis, we might know definitively whether Russian intelligence services were responsible for the e-pollbook snafu. (As for the website malfunctions, which occurred the same month the Mueller indictment alleges the hacking of “Vendor 1” occurred, Florida officials have publicly insisted their systems were not compromised.) Today, the 122 election officials who were targeted in 2016 still have not been named. But their collective footprint could be large: VR Systems has contracts in California, Florida, Indiana, North Carolina, New York, Virginia, West Virginia, and Illinois.

More importantly, VR Systems offers a lesson about the vast latticework of products and services that these little-known third-party vendors provide, often across state lines, from purveying e-pollbook software and absentee ballots to configuring registration databases to servicing the machines and software before Election Day. In Michigan, for example, two small vendor outfits, Election Source and GBS, service and program election equipment in 62 counties, according to the Secretary of State’s office.

Because of the growing demand for e-pollbooks, GBS has a beta product in development, called ValidVoter, currently used in one county and set for rollout next year. One afternoon, on a whim, I asked Matthew Bernhard, a security researcher at the University of Michigan, to take a look at ValidVoter’s security posture. In less than 10 minutes, Bernhard discovered two Google-indexed, back-end credential portals for GBS, which he said should have been hidden from public view, hosted on servers with two vulnerabilities that required patches. When Bernhard alerted the company, they promptly took the portals down. (A GBS representative said the portal, no longer in use, was inadvertently left up by a third-party developer, and that “there was no ‘real’ data” accessible in the site save for “early development test data.”)

When it comes to security, the inmates are running the asylum

The federal government doesn’t publicly track or monitor these smaller companies. Asked for a definitive list of private voting assistance entities, what they administer, and where, DHS and the EAC couldn’t provide one.

“If you want to attack many counties in Michigan all at once, the easiest thing to do is to go to one of these small firms,” said Alex Halderman, a professor at the University of Michigan, one of the country’s leading researchers on election cybersecurity. Compared to foreign adversaries who “specialize in penetrating some of the world’s most well-protected systems,” said Halderman, the security capabilities of election companies are like “night and day.”

Representatives from ES&S say they are taking security more seriously. In April, the company hired Chris Wlaschin, formerly the chief information security officer at the Department of Health and Human Services, to lead its security operations.

“When it comes to cyber, we’ve absolutely, absolutely, upped our game,” Wlaschin said. He confirmed ES&S networks are receiving DHS cyber-hygiene scans, with another one scheduled before the election that will examine the company’s voter registration databases.

Asked about the country’s weak testing protocols, Wlaschin was surprisingly deferential. “I think that criticism is fair,” he said, before adding that ES&S is considering its own bug-bounty program in the future — which, if true, would signal a milestone in vendor openness. “The vendor community is embracing many of the tenets of cybersecurity improvements,” Wlaschin said. “We’re probably not moving as fast as some folks would like us to. But we are moving in that direction.”

Preparing for the enemy of yesterday

Other companies, though, seem not to have changed tune much. Representatives from the election company Hart InterCivic repeated the mantras that have so irked security experts. “We go through the most rigorous testing of any part of the election infrastructure,” said Hart vice president Peter Lichtenheld, adding that their products are “air-gapped from the internet, so we are the most secure part” of the industry.

The company said it has someone overseeing security measures, but declined to make them available for comment. (Most companies declined to speak to Vox, or at much length. A Dominion representative sent a statement by email, which read in part, “Dominion has been actively laying the groundwork for security-focused collaboration at all levels — with new hires, with intelligence partners, with state and local customers, with white hat hackers and third-party service providers who share our forward-leaning approach.” A representative from VR Systems pointed me to the company’s online “Questions and Answers” about security.)

“None of us are sitting here saying, ‘Oh, gee, you idiots, why did you build these insecure machines?’ We know exactly why,” said Jake Braun, a former White House liaison to the DHS, who organized the Def Con event. “They built them to the specifications that were written, which didn’t say you need to make them hack-proof from Russian hackers. It said, ‘Build me cheap machines that will accurately count votes.’ That’s what they did.”

“It’s not their fault the machines are insecure,” Braun continued. “What’s their fault is that they’re saying they’re secure, which is not true.”

Election companies tend to get harsh press. But the public should look harder at the incentives created for them by allowing a private and unregulated industry to manage this fundamental democratic act. According to a groundbreaking report by the Wharton School, the revenue footprint of the entire US elections industry is less than $350 million — smaller, for instance, than a single construction company in Dallas, Texas.

What this means, in practice, is that the industry has little capital to invest in research and development, tech talent, or security. Two of the three largest vendors, ES&S and Hart, are owned by private equity companies whose agendas are unclear; Dominion’s headquarters isn’t even American, but Canadian.

And though the companies face virtually no federal security regulations, they are hugely regulated at the state and local levels, building machines that have to comply with local ordinances that can vary widely. With a fixed number of clients, the prospect of losing a single county can be substantial: Earlier this year, when Cook County, Illinois, decided to switch its technology from ES&S to Dominion, ES&S sued, choosing to spend its money not on better products, but on lawyers.

One of the authors of the Wharton study, Matthew Caulfield, a PhD student there, was not surprised. “In light of the slim profit margins and long-term contracts,” he said, “it’s likely more profitable to fight over territory like Cook County now, than to innovate on security and hope to win them back next round.”

The consequences of this unregulated, for-profit system can touch the absurd. This year, FBI agents briefed Maryland Gov. Larry Hogan on some disturbing information about ByteGrid, a third-party vendor that hosts Maryland’s voter registration database, election management system, online ballot delivery system, and election-night results website.

Unbeknownst to Maryland officials, ByteGrid had been purchased two years earlier by a Russian fund manager whose largest investor is Russian oligarch Vladimir Potanin, who in turn has close ties to Russian President Vladimir Putin. (A Maryland election official tells Vox the FBI “had no evidence of a breach or fraudulent transactions.”)

The feds are, belatedly, upping their game

The federal government has taken some steps to secure parts of the private election sector. One is the Sector Coordinating Council, a roundtable of 24 election companies, whose executive committee meets every two weeks to receive security briefings and discuss benchmarks. Masterson said that eight of those 24 companies have begun receiving cyber-hygiene scans, and one received a risk-and-vulnerability assessment (which includes penetration testing) this year.

When I pointed out this good news to Halderman, the cybersecurity expert, he countered with an unsettling point: Earlier this year, DHS officials announced that Russian hackers had successfully burrowed into the networks of several of the country’s largest energy utility companies, a penetration so thorough that Russian hackers could “have thrown switches,” but they didn’t, according to one DHS official. Those utilities, also designated as critical infrastructure since 2003, have received the same protocol of scans and tests that state election offices have crammed into the past 18 months. The hackers jumped these supposedly “air-gapped” networks with the same method experts fear could be applied to elections: by penetrating the smaller vendors that serviced the air-gapped technology.

This is the kind of attack that Halderman worries we might not discover until Election Day, whether in 2018 or beyond. Many of the vulnerabilities election vendors have patched were previously unknown to them, instead pointed out by others. Earlier this year, security consultants flagged a “Client Web Portal” page for Dominion Voting that lacked SSL encryption. And last year, ES&S unwittingly exposed data for roughly 1.8 million Illinois voters on an Amazon server it controlled, a breach that included ES&S employees’ passwords — encrypted, but potentially crackable by an advanced adversary.

“It’s likely that many election-related systems already have been compromised by sophisticated attackers and we just haven’t noticed yet,” said Halderman. “If there’s going to be an attack in 2018 by a nation-state threat, they probably have already broken into the relevant systems. And they’re waiting.”




“100 percent, it’s happening now”

Earlier this year, the campaign staffers of Linda Coleman, a congressional candidate in North Carolina, noticed something unusual: They couldn’t consistently get their website, LindaColemanForCongress.com, to appear at the top of the Google search rankings. Instead, a different website with a similar name, LindaColemanForNC.com, jockeyed for viewership. When the campaign hired a consultant to investigate, they found the website registration was Russian.

“The worst part of it is, we don’t even know what to prepare for,” said Coleman of the fake website. “You never know what people are going to do with that information.”

Another congressional candidate running in Alabama, Tabitha Isner, alerted the FBI to a brute-force entry attempt, an inelegant but sometimes effective attack that runs thousands of password combinations to access a network. The FBI confirmed to her that the attempts came from Russia.

“I would have assumed there would have been a more coordinated effort to address these potential security breaches,” Isner said recently. “We’re on our own out here in the Wild West.”

Coleman and Isner are part of at least a dozen races that have been targeted in 2018, in some form or another. In one case, Hans Keirstead, a Democratic primary challenger in California, reported that cyberattackers had attempted a brute-force penetration and successfully hacked his private email using a spearphishing campaign. Two other congressional races in California were targeted, according to public reports.

In July, Democratic Sen. Claire McCaskill of Missouri saw her Senate staff targeted with a sophisticated spearphishing campaign, in which staffers were directed to a look-alike web page, complete with the US Senate seal, designed to steal usernames and passwords. McCaskill is one of three midterm election candidates that Microsoft identified as targets of the attack, which they link to the Russian state hacking group Fancy Bear.

Earlier this year, Tennessee Senate candidate Phil Bredesen told the FBI his campaign was the target of an effort designed to steal campaign funds by someone posing in an email as a trusted media buyer. Democratic Sen. Jeanne Shaheen of New Hampshire and Republican Sen. Pat Toomey of Pennsylvania also reported being the recipients of spearphishing attempts this year. (Neither is up for reelection this cycle.)

In September, Sen. Ron Wyden (D-OR) announced that Google had notified an unknown number of Senate offices of email intrusion attempts on personal email that likely came from nation-state attackers.

Besides campaigns and incumbents, other aspects of the party apparatus have been targeted, too. In the spring, Emily’s List, the fundraising group for Democratic women, discovered a fake Facebook account set up in its name. In March, Democratic Party officials announced that they had halted an attack that made use of the email of a former employee.

And a party official tells Vox that the Democratic Congressional Campaign Committee’s new social media monitoring division has identified more than 2,200 Twitter handles it believes are targeting campaigns. The party official also shared with Vox internal monitoring reports indicating a high volume of malicious Twitter handles targeting two swing races key to Democratic efforts to retake the House.

“We do believe certain campaigns have already been targeted. We can’t say from who, or what,” the Democratic Party official tells Vox, speaking on background to share the internal data. “But the risk is real.”

The Democratic Party takes information operations seriously, including on Twitter. One example from 2016 suggests why: a fake Twitter account called “Tennessee Republicans,” using the handle @TEN_GOP, which attracted more than 140,000 followers. It circulated divisive content that defended WikiLeaks’ interference in the election; advocated for the firing of then-FBI Director James Comey; and, of course, vocally discredited allegations of Russian meddling.

The account was spotted by the real Tennessee Republican Party, which urged Twitter to purge the account three times. But it managed to fool a number of prominent influencers: People magazine, former US National Security Adviser Michael Flynn, Roger Stone, Nicki Minaj, James Woods, Ann Coulter, and MSNBC host Chris Hayes, who each retweeted content from the account.

In total, Twitter believes 50,000 impostor accounts were active in 2016, while Facebook estimates disinformation efforts reached 126 million users. This year, two-thirds of Americans will get some of their news from social media.

War games are prepping state and local officials for battle

“This should be a wake-up call to every campaign,” said Robby Mook, the campaign manager for Hillary Clinton in 2016. “100 percent, it’s happening right now.” He added another prediction: “You’re going to start to see [hacking] more evenly on both political parties.”

Since 2016, Mook has largely left politics behind to pursue a different calling: election security. Last year, he and Matt Rhoades, Mitt Romney’s 2012 campaign manager, both joined the Harvard Belfer Center to help direct its ongoing initiative, Defending Digital Democracy, before the midterms. The project’s goal is to harden individual campaigns and local election offices — two different operations, Mook said, that are stuck in the same predicament: underfunded, overstressed, prone to mistakes, and squarely in the crosshairs of a sophisticated threat.

Mook and Rhoades explained all this while they sat in the lobby of the Charles Hotel in Cambridge, Massachusetts, last March. There, the Belfer Center was hosting the largest election security conference to date: 120 state election officials had flown in from 38 states. They now mingled with a who’s-who of election security: Rosenbach, the former cyber czar, and Ashton Carter, the former secretary of defense, both at Belfer; cybersecurity experts like Michael Sulmeyer and Bruce Schneier; EAC chair Thomas Hicks; and then-Facebook CSO Alex Stamos and Google CSO Heather Adkins.

“The voting systems in the US are a more complex system than even Google has,” Adkins told election officials in one security seminar. Local election officials, she went on, “have, literally, the hardest job in the world.”

The conference was convened as a series of trainings for local officials and planned by dozens of Harvard Kennedy School students, including a small corps of Army and NSA officers on leave from active duty. The simulations stress-tested local officials’ responses in real time to the worst crises imaginable on Election Day 2018: a hacked voter registration database, with thousands of voter names altered; a DDOS attack that crashes an election information website; malicious robocalls, directing voters to a false precinct location.

Belfer also trained local officials on handling social media disinformation efforts. In one mock scenario, a viral Facebook post claiming that Latino voters were barred from voting was sent from a fake account mimicking the regional American Civil Liberties Union office. In another simulation, a state governor’s email was hacked, followed by the Twitter account of the secretary of state, whose handle blasted tweets that declared the election for a false winner.

To simulate the scrutiny of local media, Belfer brought in a real reporter from the Financial Times, who dragged leery officials before a camera in the hallway, where their answers were broadcast live on a projection screen hanging in the ballroom. (“How much harder are you going to make it for people to vote?” the reporter asked one beleaguered official, Jen Morrell of Colorado, who looked squeamishly at the microphone jabbing toward her collar.)

Why can’t we afford to secure our elections?

This year, state officials received a boost in the area they need it most: money. In June, Congress authorized $380 million to be distributed among all 50 states for election upgrades. According to the EAC, which has disbursed the funds, the largest portion will go toward cybersecurity improvements in 38 states: better training for officials, new software, more IT personnel and cybersecurity experts. (Other funds will go to upgrades for voting machine and voter registration systems.)

This year, jurisdictions in Illinois, California, and Florida are experimenting with on-site “cyber navigators” to monitor any irregularities. In Orange County, California, election officials have partnered with the CalTech Political Science Department, which will monitor the servers and networks of election offices up through Election Day.

(Orange County has installed its own Albert sensor on its voter registration system and received DHS-sponsored risk-and-vulnerability assessments, according to Neal Kelley, the registrar of voters.)

The political parties are making improvements, too. The DNC has made Wickr, a secure messaging platform, available to all its campaigns. And this year, the DCCC has employed a corps of paid activists, so-called “Battle Station Organizers,” and dispatched them to swing races around the country.

The organizers identify negative social media posts, flag potential foreign disinformation efforts, and, in the words of one party official, “flood the zone” with positive social media content. In some cases, the party has also quietly paid good-guy hackers to infiltrate its own networks.

An attack this summer on the DNC’s coveted voter file turned out to be a false alarm, hackers working at the direction of the Michigan Democratic Party to find vulnerabilities. To oversee its security, the DNC hired Raffi Krikorian and Bob Lord, two security officers with sterling Silicon Valley credentials.

Krikorian and Lord have worked at breakneck pace to overhaul DNC security in two years: achieving perfect network visibility, rotating passwords, mandating use of two-factor authentication and the secure-messaging platform Signal. “We managed to get [DNC Chair] Tom Perez to stand up in front of the entire staff and say, ‘If you’re going to talk to me, you have to use Signal,’” Krikorian said.

When the DNC’s new CEO, Seema Nanda, arrived for her first day at work this summer, Krikorian’s team spearphished her entire staff. “This is an arms race,” Krikorian said. “The best thing you can do is prepare for the worst.”

But among campaigns and election offices, the same problem prevails: foot-dragging. Even with the $380 million in hand, most of these funds won’t be spent in time for the midterms — it’s simply too late. (North Carolina, for instance, won’t fully upgrade its voter registration system until 2019.)

A recent study by ProPublica found that among the election offices overseeing 40 congressional toss-up races, only a third used two-factor authentication to secure their passwords.

Campaigns are in even worse shape — what Mook calls the “soft underbelly” of election security. According to an analysis from BuzzFeed, most congressional candidates have not adopted Wickr, while a late September report from McClatchy found that only six campaigns in the entire country had spent more than $1,000 on cybersecurity.

“It’s not like we’re a big corporation that can simply make a mandate from the CTO’s office,” said Krikorian. At the same time, “We have a target on our backs the size of a multinational corporation. The things we’re up against are insane,” he continued. “That makes me feel good about the national party, but feel nervous about the system overall.”

When Tabitha Isner, the Alabama congressional candidate, approached the FBI following the attempted hack, the response was meager: A DCCC official got on the phone to tell her about Wickr, and then sent a brochure about good cybersecurity practices. In the end, she spent $500 for an upgraded security package, and that was it. “We can’t afford the kind of software we would need, and we can’t afford to hire a cybersecurity expert,” she said.

When I asked Coleman, the candidate in North Carolina, if her campaign was using Wickr or anything like it, she said no: Her campaign office has five staff who work on fold-out plastic tables. An IT security consultant was not in the budget for her either. “We’re doing the best with what we have,” Coleman told me.

The big tech companies have tried to offer their own solutions. Jigsaw, a Google-affiliated outfit, offers campaigns and election offices a suite of security services — such as Project Shield, which can prevent DDOS attacks. Microsoft’s Defending Democracy Program offers similar services.

Harvard’s Belfer Center, however, has a decidedly low-tech solution to the cost problem: two comprehensive handbooks, one for campaigns and another for election officials. The goal, according to Mook, is to make those groups “as secure as possible for as cheap as possible.”

Few of the suggestions involve better technology. Instead, most are cultural steps toward better cyber-hygiene, like choosing strong passwords, using two-factor authentication, and emphasizing vigilance.

This emphasis on culture over technology found wide appeal among officials at the Belfer hacking simulation. One state election official in attendance, Eric Spencer, the director of elections for Arizona, spoke proudly about a new statewide requirement: Any USB thumb drive must be brand new, come fresh out of the packaging, be opened inside the office, and be used only once, before being tossed in the garbage — a protocol similar to the Pentagon’s. Compared to three years ago, Spencer said, cybersecurity “is the No. 1 thing I think about.”

That our salvation will come in the form of culture and handbooks, not gadgets or more secure voting infrastructure, can seem underwhelming. During one conversation I had with Masterson, he began talking enthusiastically of a “product” the Election Task Force had built, custom-designed for election officials in Iowa. A malware scanning system? Proprietary software? “We can show you a picture of it,” Masterson told me. “It’s a big poster.”

The poster, which will hang on the walls of dozens of Iowa election offices, includes phone numbers to call in an emergency, reminders about “risks and mitigations,” and a checklist of good practices.

The tech evangelists I spoke with scoffed at Masterson’s efforts. But Mook raised a sharper question: What if a poster, in some cases, is all we need? Of all Belfer’s security recommendations, he said, “The first one is taking responsibility for the problem and creating a culture in your campaign of security.”

To revisit the hacking of the DNC and DCCC is to read through a litany of cultural failures: alarms not raised, phony emails clicked, warnings ignored, meetings not held. If such a poster had existed when he was campaign director, Mook said, Clinton campaign chair John Podesta’s emails still might be secure, and Clinton might be president.

Today, in fact, such a poster does exist inside the headquarters of both the DNC and the DCCC. It reminds employees about the dangers of communicating over email and other security hazards.

In both offices, it hangs in a place that is unlikely to be ignored: in bathroom stalls and above the urinals.




“We shouldn’t be waiting for the big boom”

The next 10 years of election cybersecurity will play out as the resolution of several dichotomies: states versus the federal government, and who should secure what systems; technological solutions versus cultural ones; and elusive but much-needed consensus between Democrats and Republicans.

“I have long been calling for an independent commission, akin to the 9/11 Commission,” said former CIA Director John Brennan. “I still think that we, as a country, have not come to grips with the magnitude of the challenge and the problem and the complexity of it.”

“Unfortunately,” he went on, “the partisan animus that exists right now in Washington, and the political infighting that’s going on, has really frustrated our country’s ability to come together and to deal with what is, I think, the defining challenge of the 21st century.”

At least in terms of funding, Brennan is right. Since 9/11, the country spent more than $100 billion securing about 5,000 airports. With 10,000 separate electoral jurisdictions in the US, the number of potential election targets is far greater, and the money allocated so far, $380 million, is a fraction of a percentage point in comparison.

This year, House Democrats called for $1.4 billion of federal investment in elections. Braun, of Def Con, said even those figures are paltry: “We need support for a bill, to the tune of $5 billion, to dramatically overhaul the election infrastructure in the country.”

That kind of consensus is unlikely to come soon. When senators this summer tried to pass an additional $250 million for states in time for the midterms, the amendment was blocked by Republican Sen. Roy Blunt of Missouri, who called it a potential new “entitlement.” And a proposed ceasefire between the DCCC and NRCC, pledging not to use hacked materials in campaign ads, collapsed when Republicans dropped out of the talks.

However, Democrats and Republicans — in both the House and Senate — this year introduced nearly a dozen bipartisan bills and measures to secure the country’s election systems. One is Sen. Ron Wyden’s (D-OR) PAVE Act, which would mandate paper ballots and “risk-limiting” audits for all federal elections, as a backstop for ensuring that all outcomes are accurate. Another, the DETER Act, would mandate sanctions on Russia in the event of further meddling.

A bevy of House bills also propose support for more paper backups, increased coordination between DHS and campaigns, creating a national “bug bounty” for election infrastructure, or new EAC guidelines and cybersecurity grants. Democratic Sens. Ben Cardin and Chris Van Hollen of Maryland have asked the Treasury Department to examine foreign investment in election companies, inspired by the Maryland ByteGrid fiasco.

And a new bill, the Cybersecurity and Infrastructure Security Agency Act, would cement the role of DHS in defending IT infrastructure, including elections. It recently passed the Senate.

But the most prominent of these efforts is the Senate’s Secure Elections Act, sponsored by Sens. James Lankford (R-OK) and Amy Klobuchar (D-MN). The bill would grant security clearances to each state’s top election official, create a technical advisory board to proliferate best practices in cybersecurity, and require states to conduct manual, paper-based election audits.

This summer, the bill seemed like a sure bet for passage. Then in mid-August, the markup for the bill was abruptly canceled, with little explanation.

The mystery was solved when it was announced that the shelving of the Secure Elections Act came at the behest of the White House. “We cannot support legislation” that “moves power or funding from the states to Washington,” the White House announced in a statement. No particular objections to the bill were identified.

The White House has actively hurt election security

Former intelligence officials have given the White House mixed marks on election security. For all of President Donald Trump’s “deep state” misgivings, it’s the federal bureaucracy and law enforcement agencies, from DHS to the FBI to US Cyber Command, that have performed most admirably, even with little visible support from the president.

Nor has the administration been entirely silent: Earlier this year, National Security Adviser John Bolton told his Russian counterpart, Nikolai Patrushev, that the United States “wouldn’t tolerate meddling in 2018,” a threat that appeared to grow teeth in September when the White House announced the threat of sanctions to anyone who meddles with elections on US soil.

On the other hand, the administration’s own words have repeatedly undercut these efforts on the world stage, whether in the president’s remarks in Helsinki, favoring Putin’s denials over the conclusions of his own intelligence branches, or new talking points from the White House arguing that the real threat in the 2018 midterms comes from China (a belief that holds little currency among cybersecurity experts).

More consequential are the White House’s lesser-known administrative moves. In the past two years, the administration has eliminated three vital positions in cyberdefense: cybersecurity coordinators at the State Department and Homeland Security Council, and, most critically, its White House cybersecurity coordinator.

The moves have baffled members of Congress and former intelligence officials. “The reason those positions were so important is because they could focus on this 24/7,” said Nick Shapiro, a former senior CIA official. “You’re not going to find anyone who knows anything about this stuff who doesn’t think those positions were a vital necessity.”

Fully staffed cyberdefenses and threats of sanctions, though, won’t alone answer the tectonic questions about the future of election security. In a landmark report issued in September, the National Academy of Sciences put forward a series of proposals for the future of voting. The working group, co-chaired by Columbia University president Lee Bollinger, proposed 54 recommendations, many of which would entail a more active role for the federal government. These included a federal mandate for vendors to report intrusions or technology failures to DHS and submit to regular technology audits; a national backup of voter registration data; paper trails for all voting machines; strong cybersecurity requirements in the EAC’s laboratory testing; and expanding those tests to include the things that Russian hackers targeted in 2016, such as e-pollbooks and voter registration databases.

How these advancements will come about, exactly, remains a wide-open debate. “There needs to be some unprecedented partnership between public and private sector,” former CIA Director Brennan offered. “We shouldn’t be waiting for the 9/11 equivalent, that big boom, to take the steps necessary to prevent a recurrence.”

Even as they brace for the midterms, cybersecurity leaders have already begun to look ahead to 2020, as if to hint they are ready to yield the battle, but not the war.

“A large-scale concerted effort across the board that also involves setting international norms — yes, that’s going to be unrealistic in 50-something days,” said Krikorian when we spoke in September. The country, he said, “needs more staffing, we need more resources, we need more training, two years before 2020. But even that’s going to be rough in my opinion.”

For Alex Stamos, the former Facebook chief information security officer, it’s the Knox County attack that encapsulates all that still unnerves him. “That’s one of my big fears for 2018, in that we haven’t done anything to prevent that,” he said. “There’ve been very few changes that [have] given support for local election authorities to stop that kind of attack.”

Instead, Stamos offered a sobering thought: It’s time to start planning for 2020.

For 2018, he said, “It is much too late.”

Benjamin Wofford is a staff writer at Washingtonian Magazine, and a contributing editor at Politico.