The first primary of the 2018 midterm elections, in Texas, is barely
eight weeks away. It’s time to ask: Will the Russian government deploy
“active measures” of the kind it used in 2016? Is it possible that a
wave of disinformation on Facebook and Twitter could nudge the results
of a tight congressional race in, say, Virginia or Nevada? Will hackers
infiltrate low-budget campaigns in Pennsylvania and Nebraska, and leak
their e-mails to the public? Will the news media and voters take the
bait?
By most accounts, the answer is likely to be yes—and, for several
reasons, the election may prove to be as vulnerable, or more so, than
the 2016 race that brought Donald Trump to the White House.
Part of the explanation is political: the 2018 midterms are shaping up
to be extraordinarily competitive. Consider the spectacle currently
unfolding in Virginia. Before the most recent election, on
November 7th, Republicans controlled Virginia’s House of Delegates by a
comfortable sixteen-seat majority. In a wave of Democratic wins,
propelled by the state’s highest turnout in twenty years,
the Republican majority nearly evaporated. Final control of the House
now rests on the results of the 94th District, which is deadlocked at
11,608 votes apiece. The Virginia Board of Elections planned to draw the
name of a winner out of a pitcher, a tactic unused in Virginia in more
than four decades, but, on December 26th, the state postponed the plan,
because of pending court challenges. If the Republican incumbent David
Yancey loses to the Democrat Shelly Simonds, the House will be tied
fifty-fifty, and the two parties will share power.
Nationwide, voters will have similar motivations to turn out in 2018, an
election with higher stakes than any midterm in memory. Voters could
determine control of both chambers of Congress, and, indirectly, the
fate of President Trump. If Democrats take control of the House, they
are likely to face pressure to embark on an impeachment. Party leaders still say that discussion is premature—and, perhaps,
counterproductive, if talk of impeachment inspires Republican voters to
come out in defense of Trump. In polls, however, three out of four
Democrats already favor impeaching Trump. In December,
fifty-eight House Democrats—nearly a third of their caucus—voted to
start debate on impeachment.
For Democrats to win control of the House, they will need to gain
twenty-four seats. Historically, a President’s party loses twenty-five
seats in a midterm, which would give the Democrats control by one vote.
When I reported, in May, on the outlook for 2018, the
chances of a Democratic victory looked small, because gerrymandered
districts have reduced the number of competitive elections, and morale
among Democrats was low. Seven months later, the chances of Democrats
taking the House are still modest, but less so: The President remains
uniquely unpopular, and Democratic surges, like those in Virginia and
Alabama, have produced results that were once thought impossible. By the
end of the year, political analysts figured that as many as forty races
will be competitive in 2018, and Republicans hold
thirty-two of the seats in question. That is the makings of a brutally
tight year—and a perfect setting for hackers to make mischief.
“An attacker who wants to affect the national outcome could try
targeting all of those races, find the states where the election systems
are most weakly protected, and strike there,” J. Alex Halderman, the
director of the Center for Computer Security and Society at the
University of Michigan, told me. In the language of hacking and
cyber-defense, the 2018 midterms present an unusually large “attack
surface,” because of the sheer number of competitive races. “About a
dozen states still rely on obsolete paperless voting machines, and most
states fail to routinely conduct rigorous post-election audits,” he
said.
On a technical level, the American election system is almost as
vulnerable as it was in 2016. According to U.S. intelligence, Russian
hackers tested the vulnerabilities of registration rolls in twenty-one
states, but did not alter the vote tallies. Halderman, who testified
recently in Congress about gaps in election defenses, told me,
“Unfortunately, there haven’t been widespread security improvements so
far. We can be sure that our adversaries have been paying attention, and
so they may be more likely to try attacking election systems in
November.” At the Def Con hackers’ conference in July, attendees
demonstrated that they could break into thirty voting
machines of multiple types, some in as little as ninety minutes. Without
altering the results, hackers could sow doubt about the outcome by
shutting down or disrupting voting machines on Election Day.
In October, Senator Richard M. Burr, a Republican of North Carolina, who
is chairman of the Senate Intelligence Committee, warned political
candidates that they should expect Russian interference in
2017 and 2018. “The Russian intelligence service is
determined—clever—and I recommend that every campaign and every
election official take this very seriously.” The committee’s ranking
Democrat, Mark Warner, of Virginia, added a specific warning about the
vulnerabilities across multiple states. “You could pick two or three
states in two or three jurisdictions and alter an election,” he said.
Two weeks later, Attorney General Jeff Sessions testified before Burr’s committee, and Ben Sasse, a Republican of Nebraska, asked
if the U.S. is ready to fend off further Russian interference. Sessions
replied, “Probably not, we’re not.” Despite voluminous reports by U.S.
intelligence and law enforcement agencies, Sessions asserted that the
Justice Department remains incapable of addressing the challenge. He
said, “The matter is so complex that for most of us we’re not able to
fully grasp the technical dangers that are out there.”
Since 2016, Russia has not withdrawn its interference in American
politics; it has expanded it. In the Washington Post this week, Adam
Entous, Ellen Nakashima, and Greg Jaffe described the ways
in which Russian trolls have ventured beyond Twitter bots and Facebook
posts to write full-fledged articles for opinion sites, such as
CounterPunch, which don’t have the resources or structure to vet whether
“Alice Donovan,” a self-described freelancer with a distinctly
pro-Russian angle, is a real person.
Nearly four years after U.S. officials intercepted a classified cable
from Russia’s military intelligence unit, laying out a playbook for the
use of fake online personas to spread disinformation abroad, the U.S.
has yet to mount a full-scale response. According to the Post, U.S.
spy agencies have planned a “half-dozen specific operations to counter
the Russian threat,” but “one year after those instructions were given,
the Trump White House remains divided over whether to act.”
After a year in office, Trump and his aides continue to resist adopting
greater protections against Russian interference, because Trump is
insulted by the intelligence community’s finding that Russia aided in
his victory. (“The president is right. The Democrats are using the
report to delegitimize the presidency,” a White House official told the
Post.) If any action is taken, it will likely come from Congress,
where several bills seek to impose federal standards for voting
machines, and provide funding to states to overhaul outdated equipment
and install software patches. It might be too late: By this point in the 2016 election cycle, Russian hackers had already
broken into the Democratic National Committee, and had been rooting
around in the e-mail system for four months.
How much of an effect could Russian interference actually have in 2018?
The effects could be meaningful, even if they never touch the tallies
directly. “More and more Americans seem to distrust the basic
institutions of democracy. Unfortunately, that means that an attacker
could do serious damage by throwing election results into further
doubt,” Halderman said. “Sabotaging election infrastructure to make it
fail on election day, resulting in long lines and other visible chaos,
would be even easier than actually stealing votes.”