How a new federal policy for telling election officials about cyber-intrusions got put to use

In early 2020, federal officials changed how they communicated with states about cyber-intrusions affecting election infrastructure. The Department of Homeland Security’s cybersecurity agency and the FBI would now inform senior state officials, and not just IT personnel, of election-related hacking incidents in a given state.

Some state officials, who had criticized the federal government for being too slow and not specific enough in sharing data on Russian hacking in 2016, welcomed the new policy as another guardrail against foreign interference in 2020. And in March, at the height of the primary season, the policy was put into action.

An unidentified hacker spoofed the email account of a voting-equipment vendor and sent a phishing email to a local election official in Missouri, according to multiple people familiar with the incident who spoke on the condition of anonymity.

The official took the bait — a document purporting to be an “election funding report” but which really redirected the official to a website that aimed to steal Microsoft login credentials. After compromising that account, the phishing email circulated to other election officials, and at least one other voting equipment vendor.

Far from some foreign intelligence operation, the malicious email resembled the type of indiscriminate phishing popular with opportunistic criminals. But it still had to be thwarted. Crooks who might sell access to an election official’s account, or a voter registration database, are a threat officials have to consider.

Federal officials investigated the phishing kit and found it had previously been used for phishing activity in the financial sector. The local election official was able to regain access to their account. The phishing campaign didn’t escalate, nor did it compromise any voter data.

“We were protected by alert employees who recognized the suspicious emails” and flagged them for our security team, said an executive at one voting vendor. “Within an hour or two from that exchange, I received notification” from federal officials that there was a phishing campaign circulating in the election community, the executive said.

It is one of a handful of notifications that have quietly been made under the new DHS and FBI protocols that highlight how state and local officials need to guard against profit-driven criminal hackers, and not just foreign spies. The alerts are part of a heightened tempo that security officials are on in an election year to stay abreast of threats. And they say the process they have in place to spot malicious activity is much more up to the task than it was in 2016.

“As part of our proactive monitoring system, we identified a suspicious email and took immediate action to eliminate any threat to our election systems,” Missouri Secretary of State Jay Ashcroft said in a statement. He added that such phishing attempts happen regularly and are “identified through our layered security systems.”

Staying on high alert

While there have been high-profile warnings from U.S. intelligence officials about efforts by Russia, China and Iran to influence U.S. elections, cybercriminals have their own reasons for trying to compromise election officials or state IT systems. In the aftermath of the 2016 U.S. election, for example, researchers found criminal hackers selling access to computers at the Election Assistance Commission, the federal agency that oversees election funding to states.

To prevent a repeat of that scenario, federal officials are trying to more quickly disseminate information on specific incidents.  That happens via classified briefings, anonymized threat advisories and the updated victim notification process.

One state election official said his team was able to load the “indicators of compromise”— the unique traits of the phishing email — that DHS’s Cybersecurity and Infrastructure Security Agency shared on the March incident to be on the lookout for additional activity. “Getting that information helps us heighten our defenses, not only for our employees but down to the counties as well,” the state official said.

The March notification was in sharp contrast, the state official said, to 2016, when Russian military hackers reportedly breached at least one county government in Florida through a spearphishing campaign. It would be years before some Florida state officials learned the name of the county.

It also took DHS nearly a year after the 2016 election to formally notify some states that the Russians had probed their IT systems. By then, the state official said, “it was too late for anyone to say, ‘Oh, this is something that you can act on.’”

The old notification process — in which the FBI only told hacking victims of the incident, but not senior state officials — was partly to blame for the deficit of threat information in 2016, state officials said. In a November 2019 phone call with federal officials, Mac Warner, West Virginia’s secretary of state, said that clearer notification procedures were needed to avoid the mistakes of 2016.

In an interview Friday, Warner said he had not experienced the new notification protocol because there had not been any reports of intrusions in his state. But he did credit federal officials for improving the threat data they share with state counterparts in the last four years, and for developing much closer relationships with election officials. “We know that if they find out something, they will contact us,” Warner said.

He pointed to the week in January when the U.S. killed Qassem Soleimani, a top Iranian general. Following the killing, CISA told election officials to be on heightened alert for Iranian hacking threats. The West Virginia secretary of state had one of his security advisers monitor state IT systems all weekend for unusual activity. Nothing came to pass.

Matt Masterson, senior cybersecurity adviser at CISA, said his agency was “working hard to get election officials the support and information they need to protect elections. This includes changing the way we respond [to] and share information regarding incidents.”

“Election officials have been clear about their high expectations for us and we are adapting and improving to meet those needs,” Masterson added. “Our ability to communicate threats quickly and clearly with officials is improving every day.”

‘Night and day,’ but room for improvement

While state officials grapple with the slowdown of the U.S. Postal Service and expected delays in mail-in ballot deliveries, they still have to contend with cyberthreats. And less than three months before the presidential election, there is a continued push to bolster security at local election offices. While CISA officials have credited election administrators for reporting suspicious cyber activity, they have expressed concern about some of those local officials sharing login credentials or using default passwords.

Federal officials nonetheless say that a combination of training, threat sharing, and support from CISA and the FBI mean election officials are prepared to deal with malicious cyber activity. All 50 states and the District of Columbia have Albert sensors, an intrusion-detection system, in place, according to CISA.

David Stafford, the supervisor of elections in Escambia County, Florida, said the amount of information sharing is “night and day between ’16 and ’20.”

But the notification process, in particular, can still be improved. Some local officials, Stafford said, believe notifications of cyber-intrusions should be reciprocal so that federal officials automatically tell county clerks about a hacking incident affecting their state’s IT systems.

“If a state-level incident impacted counties or municipalities, there’s an expectation that they would be notified,” Stafford said.

Russia’s interference in the 2016 election still reverberates on Capitol Hill, where Democratic lawmakers, and an occasional Republican, have urged intelligence agencies to publicize more details on foreign efforts to influence the 2020 election. While that struggle goes on, state officials say they are quietly getting data to help them track malicious cyber campaigns.