How The U.S. Fended Off Serious Foreign Election Day Cyberattacks
On Election Day, Geoff Brown watched lines of text flow by on monitors at New York City Cyber Command in downtown Manhattan.
Brown, the head of the city's cybersecurity operation, was plugged into a bank of virtual conference rooms, checking in with partners at the local, state and federal levels working together to monitor election systems for any security breaches or disinformation campaigns that might target the voting process.
After all the waiting, after months of hardening defenses, the serious threats never came.
"It was a long night. It was sort of a lonely night, perhaps, because we're all in our own rooms in this day and age," Brown reflected. He singled out for particular praise his counterparts at the Department of Homeland Security, especially Christopher Krebs, "who I think has done an absolute, tremendous job in their mission."
President Trump's Tuesday evening firing of Krebs, director of the Cybersecurity and Infrastructure Security Agency at DHS, which oversaw federal efforts on election security and countering voting system disinformation, highlights a broader point: After all the concerns raised about foreign adversaries hacking into systems and launching disinformation campaigns such as those that marred the 2016 presidential election, the 2020 race went smoothly on both fronts.
"After millions of Americans voted, we have no evidence any foreign adversary was capable of preventing Americans from voting or changing vote tallies," Krebs wrote in a statement following Election Day. That was two weeks before he was fired.
In some ways Nov. 3 turned out to be like the Y2K of election nights: Despite widespread fears of chaos, the system held and disaster was averted.
"From a Y2K perspective, the beauty and elegance in the mitigation of the catastrophic events that we were all expecting was because people prepared, because they took a step back and spent time thinking about the potential impacts," said Stu Solomon, chief operating officer of the cybersecurity firm Recorded Future.
Ultimately the fact that Election Day came and went without serious cybersecurity or foreign disinformation campaigns suggests that the lessons of 2016 were learned — because the threats to this election were real.
Honored to serve. We did it right. Defend Today, Secure Tomrorow. #Protect2020
— Chris Krebs (@C_C_Krebs) November 18, 2020
"I was surprised at how well this happened because there are so many interests, both criminal or otherwise," Solomon said. "And because it is so easy to go out and create these impacts, the fact that we were able to mitigate them as effectively as we were is surprising, but certainly a very pleasant surprise."
The most serious foreign threats included the prospect of cyberattacks against key elections systems and the potential for foreign disinformation campaigns.
Between election cycles, tech companies and government officials acted to prevent a repeat of 2016 when Russian leak operations and foreign misinformation networks wreaked havoc on the presidential race between Hillary Clinton and Trump.
Throughout 2020, Facebook repeatedly took down fake accounts backed by the Chinese, Iranian and Russian governments.
"It's obvious to me that Facebook and other social media companies have massively upped the spending on resources to identify these sources within their platforms," said Mark Arena, CEO of Intel 471, a cyber intelligence firm. "They should be commended for it."
Government officials also took action to prevent intrusions inside key election systems: DHS worked with local election officials in nearly all 50 states to shore up their cyberdefenses by, among other things, testing the systems and suggesting fixes and patches.
Another threat that was hobbled before Election Day was the disruption of a network of zombie computers that were controlled by Russia-linked hackers. The botnet was called TrickBot, and it is rather famous for planting ransomware and malware on computer systems around the world. If U.S. election systems were to be compromised, intelligence officials said later, it was likely TrickBot would be part of it.
So it got special attention from the U.S. government and the private sector. In the months before the election, the U.S. military's Cyber Command reportedly mounted an operation to disrupt it temporarily.
"So the idea is you can cut the head off the snake or you can cut all the snakes which connect to the head. And that was what the objective was. And we saw it," Arena said. "It probably didn't get all the snakes, but the reality is it did probably cut off a lot of those connections."
Microsoft took its own action to support the U.S. cyber force's efforts. It moved to disable the same botnet, arguing that the network's ability to disrupt American computer systems used for election results and voter rolls was "one of the largest threats to the upcoming elections."
"The fact that it was disrupted right at the same time that the elections were kicking into high gear is not a coincidence," Solomon told NPR. "And yes, it definitely had impact."
These actions have been publicly announced. Analysts said there were likely others that were not.
"What we're seeing is only a small amount of what's actually happening. So I think there's probably a huge amount of effort happening behind the scenes," Arena said. "People toiling in the dark, working in dark rooms, knowing that their successes are probably not going to be public."
But success preventing foreign adversaries from interfering with the election only paints a partial picture: Domestic disinformation about the validity of the election has been widespread, even without intervention from abroad.
"I think on some level, we're always fighting the last war. So we made significant strides on the threats we identified from 2016 around the cybersecurity of election infrastructure and the threat of foreign interference in our election," said Lindsay Gorman, a fellow at the Alliance for Securing Democracy. "And now I think what we have to really contend with is the threat of domestic disinformation."