The Atlantic|June 2020
Jack Cable sat down at the desk in his cramped dorm room to become an adult in the eyes of democracy. The rangy teenager, with neatly manicured brown hair and chunky glasses, had recently arrived at Stanford—his first semester of life away from home—and the 2018 midterm elections were less than two months away. Although he wasn’t one for covering his laptop with strident stickers or for taking loud stands, he felt a genuine thrill at the prospect of voting. But before he could cast an absentee ballot, he needed to register with the Board of Elections back home in Chicago.
When Cable tried to complete the digital forms, an error message stared at him from his browser. Clicking back to his initial entry, he realized that he had accidentally typed an extraneous quotation mark into his home address. The fact that a single keystroke had short-circuited his registration filled Cable with a sense of dread.
Despite his youth, Cable already enjoyed a global reputation as a gifted hacker—or, as he is prone to clarify, an “ethical hacker.” As a sophomore in high school, he had started participating in “bug bounties,” contests in which companies such as Google and Uber publicly invite attacks on their digital infrastructure so that they can identify and patch vulnerabilities before malicious actors can exploit them. Cable, who is preternaturally persistent, had a knack for finding these soft spots. He collected enough cash prizes from the bug bounties to cover the costs of four years at Stanford.
Though it wouldn’t have given the average citizen a moment of pause, Cable recognized the error message on the Chicago Board of Elections website as a telltale sign of a gaping hole in its security. It suggested that the site was vulnerable to those with less beneficent intentions than his own, that they could read and perhaps even alter databases listing the names and addresses of voters in the country’s third-largest city. Despite his technical savvy, Cable was at a loss for how to alert the authorities. He began sending urgent warnings about the problem to every official email address he could find. Over the course of the next seven months, he tried to reach the city’s chief information officer, the Illinois governor’s office, and the Department of Homeland Security.
As he waited for someone to take notice of his missives, Cable started to wonder whether the rest of America’s electoral infrastructure was as weak as Chicago’s. He read about how, in 2016, when he was a junior in high school, Russian military intelligence—known by its initials, GRU—had hacked the Illinois State Board of Elections website, transferring the personal data of tens of thousands of voters to Moscow. The GRU had even tunneled into the computers of a small Florida company that sold software to election officials in eight states.
Out of curiosity, Cable checked to see what his home state had done to protect itself in the years since. Within 15 minutes of poking around the Board of Elections website, he discovered that its old weaknesses had not been fully repaired. These were the most basic lapses in cybersecurity—preventable with code learned in an introductory computer-science class—and they remained even though similar gaps had been identified by the FBI and the Department of Homeland Security, not to mention widely reported in the media. The Russians could have strolled through the same door as they had in 2016.
Between classes, Cable began running tests on the rest of the national electoral infrastructure. He found that some states now had formidable defenses, but many others were like Illinois. If a teenager in a dorm room—even an exceptionally talented one—could find these vulnerabilities, they were not going to be missed by a disciplined unit of hackers that has spent years studying these networks, a unit with the resources of a powerful nation bent on discrediting an American election.
#DemocracyRIP was both the hashtag and the plan. The Russians were expecting the election of Hillary Clinton—and preparing to immediately declare it a fraud. The embassy in Washington had attempted to persuade American officials to allow its functionaries to act as observers in polling places. A Twitter campaign alleging voting irregularities was queued. Russian diplomats were ready to publicly denounce the results as illegitimate. Events in 2016, of course, veered in the other direction. Yet the hashtag is worth pausing over for a moment, because, though it was never put to its intended use, it remains an apt title for a mission that is still unfolding.
Russia’s interference in the last presidential election is among the most closely studied phenomena in recent American history, having been examined by Special Counsel Robert Mueller and his prosecutors, by investigators working for congressional committees, by teams within Facebook and Twitter, by seemingly every think tank with access to a printing press. It’s possible, however, to mistake a plot point—the manipulation of the 2016 election—for the full sweep of the narrative.
Events in the United States have unfolded more favorably than any operative in Moscow could have ever dreamed: Not only did Russia’s preferred candidate win, but he has spent his first term fulfilling the potential it saw in him, discrediting American institutions, rending the seams of American culture, and isolating a nation that had styled itself as indispensable to the free world. But instead of complacently enjoying its triumph, Russia almost immediately set about replicating it. Boosting the Trump campaign was a tactic; #DemocracyRIP remains the larger objective.
In the week that followed Donald Trump’s election, Russia used its fake accounts on social media to organize a rally in New York City supporting the president-elect—and another rally in New York decrying him. Hackers continued attempting to break into state voting systems; trolls continued to launch social media campaigns intended to spark racial conflict. Through subsidiaries, the Russian government continued to funnel cash to viral-video channels with names like In the Now and ICYMI, which build audiences with ephemera (“Man Licks Store Shelves in Online Post”), then hit unsuspecting readers with arguments about Syria and the CIA. This winter, the Russians even secured airtime for their overt propaganda outlet Sputnik on three radio stations in Kansas, bringing the network’s drive-time depictions of American hypocrisy to the heartland.
While the Russians continued their efforts to undermine American democracy, the United States belatedly began to devise a response. Across government—if not at the top of it—there was a panicked sense that American democracy required new layers of defense. Senators drafted legislation with grandiose titles; bureaucrats unfurled the blueprints for new units and divisions; law enforcement assigned bodies to dedicated task forces. Yet many of the warnings have gone unheeded, and what fortifications have been built appear inadequate.
Jack Cable is a small emblem of how the U.S. government has struggled to outpace the Russians. After he spent the better part of a semester shouting into the wind, officials in Chicago and in the governor’s office finally took notice of his warnings and repaired their websites. Cable may have a further role to play in defending America’s election infrastructure. He is part of a team of competitive hackers at Stanford—national champions three years running—that caught the attention of Alex Stamos, a former head of security at Facebook, who now teaches at the university. Earlier this year, Stamos asked the Department of Homeland Security if he could pull together a group of undergraduates, Cable included, to lend Washington a hand in the search for bugs. “It’s talent, but unrefined talent,” Stamos told me. DHS, which has an acute understanding of the problem at hand but limited resources to solve it, accepted Stamos’s offer. Less than six months before Election Day, the government will attempt to identify democracy’s most glaring weakness by deploying college kids on their summer break.
Despite such well-intentioned efforts, the nation’s vulnerabilities have widened, not narrowed, during the past four years. Our politics are even more raw and fractured than in 2016; our faith in government—and, perhaps, democracy itself—is further strained. The coronavirus may meaningfully exacerbate these problems; at a minimum, the pandemic is leeching attention and resources from election defense. The president, meanwhile, has dismissed Russian interference as a hoax and fired or threatened intelligence officials who have contradicted that narrative, all while professing his affinity for the very man who ordered this assault on American democracy. Fiona Hill, the scholar who served as the top Russia expert on Trump’s National Security Council, told me, “The fact that they faced so little consequence for their action gives them little reason to stop.”
The Russians have learned much about American weaknesses, and how to exploit them. Having probed state voting systems far more extensively than is generally understood by the public, they are now surely more capable of mayhem on Election Day—and possibly without leaving a detectable trace of their handiwork. Having hacked into the inboxes of political operatives in the U.S. and abroad, they’ve pioneered new techniques for infiltrating campaigns and disseminating their stolen goods. Even as to disinformation, the best-known and perhaps most overrated of their tactics, they have innovated, finding new ways to manipulate Americans and to poison the nation’s politics. Russia’s interference in 2016 might be remembered as the experimental prelude that foreshadowed the attack of 2020.
1. Hack the Vote
When officials arrived at work on the morning of May 22, 2014, three days before a presidential election, they discovered that their hard drives were fried. Hours earlier, pro-Kremlin hackers had taken a digital sledgehammer to a vital piece of Ukraine’s democratic infrastructure, the network that collects vote tallies from across the nation. After finishing the task, they taunted their victim, posting photos of an election commissioner’s renovated bathroom and his wife’s passport.
Relying on a backup system, the Ukrainians were able to resuscitate their network. But on election night the attacks persisted. Hackers sent Russian journalists a link to a chart they had implanted on the official website of Ukraine’s Central Election Commission. The graphic purported to show that a right-wing nationalist had sprinted to the lead in the presidential race. Although the public couldn’t access the chart, Russian state television flashed the forged results on its highly watched newscast.
If the attack on Ukraine represented something like all-out digital war, Russia’s hacking of the United States’ electoral system two years later was more like a burglar going house to house jangling doorknobs. The Russians had the capacity to cause far greater damage than they did—at the very least to render Election Day a chaotic mess—but didn’t act on it, because they deemed such an operation either unnecessary or not worth the cost. The U.S. intelligence community has admitted that it’s not entirely sure why Russia sat on its hands. One theory holds that Barack Obama forced Russian restraint when he pulled Vladimir Putin aside at the end of the G20 Summit in Hangzhou, China, on September 5, 2016. With only interpreters present, Obama delivered a carefully worded admonition not to mess with the integrity of the election. By design, he didn’t elaborate any specific consequence for ignoring his warning.
Perhaps the warning was heeded. The GRU kept on probing voting systems through the month of October, however, and there are other, more ominous explanations for Russia’s apparent restraint. Michael Daniel, who served as the cybersecurity coordinator on Obama’s National Security Council, told the Senate Intelligence Committee that the Russians were, in essence, casing the joint. They were gathering intelligence about the digital networks that undergird American elections and putting together a map so that they “could come back later and actually execute an operation.”
What sort of operation could Russia execute in 2020? Unlike Ukraine, the United States doesn’t have a central node that, if struck, could disable democracy at its core. Instead, the United States has an array of smaller but still alluring targets: the vendors, niche companies, that sell voting equipment to states and localities; the employees of those governments, each with passwords that can be stolen; voting machines that connect to the internet to transmit election results.
Matt Masterson is a senior adviser at the Department of Homeland Security’s freshly minted Cybersecurity and Infrastructure Security Agency, a bureau assigned to help states protect elections from outside attack; it’s where Jack Cable will work this summer. I asked Masterson to describe the scenarios that keep him up at night. His greatest fear is that an election official might inadvertently enable a piece of ransomware. These are malicious bits of code that encrypt data and files, essentially placing a lock on a system; money is then demanded in exchange for the key. In 2017, Ukraine was targeted again, this time with a similar piece of malware called NotPetya. But instead of extorting Ukraine, Russia sought to cripple it. NotPetya wiped 10 percent of the nation’s computers; it disabled ATMs, telephone networks, and banks. (The United States is well aware of NotPetya’s potency because it relied on a tool created by—and stolen from—the National Security Agency.) If the Russians attached such a bug to a voter-registration database, they could render an entire election logistically unfeasible; tracking who had voted and where they’d voted would be impossible.