Putin Is Well on His Way to Stealing the Next Election
RIP democracy


Timo Lenzen
Story by Franklin Foer
JUNE 2020 ISSUE

Jack Cable sat down at the desk in his cramped dorm room to become an adult in the eyes of democracy. The rangy teenager, with neatly manicured brown hair and chunky glasses, had recently arrived at Stanford—his first semester of life away from home—and the 2018 midterm elections were less than two months away. Although he wasn’t one for covering his laptop with strident stickers or for taking loud stands, he felt a genuine thrill at the prospect of voting. But before he could cast an absentee ballot, he needed to register with the Board of Elections back home in Chicago.

When Cable tried to complete the digital forms, an error message stared at him from his browser. Clicking back to his initial entry, he realized that he had accidentally typed an extraneous quotation mark into his home address. The fact that a single keystroke had short-circuited his registration filled Cable with a sense of dread.

Despite his youth, Cable already enjoyed a global reputation as a gifted hacker—or, as he is prone to clarify, an “ethical hacker.” As a sophomore in high school, he had started participating in “bug bounties,” contests in which companies such as Google and Uber publicly invite attacks on their digital infrastructure so that they can identify and patch vulnerabilities before malicious actors can exploit them. Cable, who is preternaturally persistent, had a knack for finding these soft spots. He collected enough cash prizes from the bug bounties to cover the costs of four years at Stanford.

Though it wouldn’t have given the average citizen a moment of pause, Cable recognized the error message on the Chicago Board of Elections website as a telltale sign of a gaping hole in its security. It suggested that the site was vulnerable to those with less beneficent intentions than his own, that they could read and perhaps even alter databases listing the names and addresses of voters in the country’s third-largest city. Despite his technical savvy, Cable was at a loss for how to alert the authorities. He began sending urgent warnings about the problem to every official email address he could find. Over the course of the next seven months, he tried to reach the city’s chief information officer, the Illinois governor’s office, and the Department of Homeland Security.

As he waited for someone to take notice of his missives, Cable started to wonder whether the rest of America’s electoral infrastructure was as weak as Chicago’s. He read about how, in 2016, when he was a junior in high school, Russian military intelligence—known by its initials, GRU—had hacked the Illinois State Board of Elections website, transferring the personal data of tens of thousands of voters to Moscow. The GRU had even tunneled into the computers of a small Florida company that sold software to election officials in eight states.

Out of curiosity, Cable checked to see what his home state had done to protect itself in the years since. Within 15 minutes of poking around the Board of Elections website, he discovered that its old weaknesses had not been fully repaired. These were the most basic lapses in cybersecurity—preventable with code learned in an introductory computer-science class—and they remained even though similar gaps had been identified by the FBI and the Department of Homeland Security, not to mention widely reported in the media. The Russians could have strolled through the same door as they had in 2016.

Between classes, Cable began running tests on the rest of the national electoral infrastructure. He found that some states now had formidable defenses, but many others were like Illinois. If a teenager in a dorm room—even an exceptionally talented one—could find these vulnerabilities, they were not going to be missed by a disciplined unit of hackers that has spent years studying these networks, a unit with the resources of a powerful nation bent on discrediting an American election.

#DemocracyRIP was both the hashtag and the plan. The Russians were expecting the election of Hillary Clinton—and preparing to immediately declare it a fraud. The embassy in Washington had attempted to persuade American officials to allow its functionaries to act as observers in polling places. A Twitter campaign alleging voting irregularities was queued. Russian diplomats were ready to publicly denounce the results as illegitimate. Events in 2016, of course, veered in the other direction. Yet the hashtag is worth pausing over for a moment, because, though it was never put to its intended use, it remains an apt title for a mission that is still unfolding.

Russia’s interference in the last presidential election is among the most closely studied phenomena in recent American history, having been examined by Special Counsel Robert Mueller and his prosecutors, by investigators working for congressional committees, by teams within Facebook and Twitter, by seemingly every think tank with access to a printing press. It’s possible, however, to mistake a plot point—the manipulation of the 2016 election—for the full sweep of the narrative.

Events in the United States have unfolded more favorably than any operative in Moscow could have ever dreamed: Not only did Russia’s preferred candidate win, but he has spent his first term fulfilling the potential it saw in him, discrediting American institutions, rending the seams of American culture, and isolating a nation that had styled itself as indispensable to the free world. But instead of complacently enjoying its triumph, Russia almost immediately set about replicating it. Boosting the Trump campaign was a tactic; #DemocracyRIP remains the larger objective.

In the week that followed Donald Trump’s election, Russia used its fake accounts on social media to organize a rally in New York City supporting the president-elect—and another rally in New York decrying him. Hackers continued attempting to break into state voting systems; trolls continued to launch social-media campaigns intended to spark racial conflict. Through subsidiaries, the Russian government continued to funnel cash to viral-video channels with names like In the Now and ICYMI, which build audiences with ephemera (“Man Licks Store Shelves in Online Post”), then hit unsuspecting readers with arguments about Syria and the CIA. This winter, the Russians even secured airtime for their overt propaganda outlet Sputnik on three radio stations in Kansas, bringing the network’s drive-time depictions of American hypocrisy to the heartland.

While the Russians continued their efforts to undermine American democracy, the United States belatedly began to devise a response. Across government—if not at the top of it—there was a panicked sense that American democracy required new layers of defense. Senators drafted legislation with grandiose titles; bureaucrats unfurled the blueprints for new units and divisions; law enforcement assigned bodies to dedicated task forces. Yet many of the warnings have gone unheeded, and what fortifications have been built appear inadequate.

Jack Cable is a small emblem of how the U.S. government has struggled to outpace the Russians. After he spent the better part of a semester shouting into the wind, officials in Chicago and in the governor’s office finally took notice of his warnings and repaired their websites. Cable may have a further role to play in defending America’s election infrastructure. He is part of a team of competitive hackers at Stanford—national champions three years running—that caught the attention of Alex Stamos, a former head of security at Facebook, who now teaches at the university. Earlier this year, Stamos asked the Department of Homeland Security if he could pull together a group of undergraduates, Cable included, to lend Washington a hand in the search for bugs. “It’s talent, but unrefined talent,” Stamos told me. DHS, which has an acute understanding of the problem at hand but limited resources to solve it, accepted Stamos’s offer. Less than six months before Election Day, the government will attempt to identify democracy’s most glaring weakness by deploying college kids on their summer break.

Despite such well-intentioned efforts, the nation’s vulnerabilities have widened, not narrowed, during the past four years. Our politics are even more raw and fractured than in 2016; our faith in government—and, perhaps, democracy itself—is further strained. The coronavirus may meaningfully exacerbate these problems; at a minimum, the pandemic is leeching attention and resources from election defense. The president, meanwhile, has dismissed Russian interference as a hoax and fired or threatened intelligence officials who have contradicted that narrative, all while professing his affinity for the very man who ordered this assault on American democracy. Fiona Hill, the scholar who served as the top Russia expert on Trump’s National Security Council, told me, “The fact that they faced so little consequence for their action gives them little reason to stop.”

The Russians have learned much about American weaknesses, and how to exploit them. Having probed state voting systems far more extensively than is generally understood by the public, they are now surely more capable of mayhem on Election Day—and possibly without leaving a detectable trace of their handiwork. Having hacked into the inboxes of political operatives in the U.S. and abroad, they’ve pioneered new techniques for infiltrating campaigns and disseminating their stolen goods. Even as to disinformation, the best-known and perhaps most overrated of their tactics, they have innovated, finding new ways to manipulate Americans and to poison the nation’s politics. Russia’s interference in 2016 might be remembered as the experimental prelude that foreshadowed the attack of 2020.

1. Hack the Vote
When officials arrived at work on the morning of May 22, 2014, three days before a presidential election, they discovered that their hard drives were fried. Hours earlier, pro-Kremlin hackers had taken a digital sledgehammer to a vital piece of Ukraine’s democratic infrastructure, the network that collects vote tallies from across the nation. After finishing the task, they taunted their victim, posting photos of an election commissioner’s renovated bathroom and his wife’s passport.

Relying on a backup system, the Ukrainians were able to resuscitate their network. But on election night the attacks persisted. Hackers sent Russian journalists a link to a chart they had implanted on the official website of Ukraine’s Central Election Commission. The graphic purported to show that a right-wing nationalist had sprinted to the lead in the presidential race. Although the public couldn’t access the chart, Russian state television flashed the forged results on its highly watched newscast.

If the attack on Ukraine represented something like all-out digital war, Russia’s hacking of the United States’ electoral system two years later was more like a burglar going house to house jangling doorknobs. The Russians had the capacity to cause far greater damage than they did—at the very least to render Election Day a chaotic mess—but didn’t act on it, because they deemed such an operation either unnecessary or not worth the cost. The U.S. intelligence community has admitted that it’s not entirely sure why Russia sat on its hands. One theory holds that Barack Obama forced Russian restraint when he pulled Vladimir Putin aside at the end of the G20 Summit in Hangzhou, China, on September 5, 2016. With only interpreters present, Obama delivered a carefully worded admonition not to mess with the integrity of the election. By design, he didn’t elaborate any specific consequence for ignoring his warning.

Perhaps the warning was heeded. The GRU kept on probing voting systems through the month of October, however, and there are other, more ominous explanations for Russia’s apparent restraint. Michael Daniel, who served as the cybersecurity coordinator on Obama’s National Security Council, told the Senate Intelligence Committee that the Russians were, in essence, casing the joint. They were gathering intelligence about the digital networks that undergird American elections and putting together a map so that they “could come back later and actually execute an operation.”

What sort of operation could Russia execute in 2020? Unlike Ukraine, the United States doesn’t have a central node that, if struck, could disable democracy at its core. Instead, the United States has an array of smaller but still alluring targets: the vendors, niche companies, that sell voting equipment to states and localities; the employees of those governments, each with passwords that can be stolen; voting machines that connect to the internet to transmit election results.

Matt Masterson is a senior adviser at the Department of Homeland Security’s freshly minted Cybersecurity and Infrastructure Security Agency, a bureau assigned to help states protect elections from outside attack; it’s where Jack Cable will work this summer. I asked Masterson to describe the scenarios that keep him up at night. His greatest fear is that an election official might inadvertently enable a piece of ransomware. These are malicious bits of code that encrypt data and files, essentially placing a lock on a system; money is then demanded in exchange for the key. In 2017, Ukraine was targeted again, this time with a similar piece of malware called NotPetya. But instead of extorting Ukraine, Russia sought to cripple it. NotPetya wiped 10 percent of the nation’s computers; it disabled ATMs, telephone networks, and banks. (The United States is well aware of NotPetya’s potency, because it relied on a tool created by—and stolen from—the National Security Agency.) If the Russians attached such a bug to a voter-registration database, they could render an entire election logistically unfeasible; tracking who had voted and where they’d voted would be impossible.

But Russia need not risk such a devastating attack. It can simply meddle with voter-registration databases, which are filled with vulnerabilities similar to the ones that Cable exposed. Such meddling could stop short of purging voters from the rolls and still cause significant disruptions: Hackers could flip the digits in addresses, so that voters’ photo IDs no longer match the official records. When people arrived at the polls, they would likely still be able to vote, but might be forced to cast provisional ballots. The confusion and additional paperwork would generate long lines and stoke suspicion about the underlying integrity of the election.

Given the fragility of American democracy, even the tiniest interference, or hint of interference, could undermine faith in the tally of the vote. On Election Night, the Russians could place a page on the Wisconsin Elections Commission website that falsely showed Trump with a sizable lead. Government officials would be forced to declare it a hoax. Imagine how Twitter demagogues, the president among them, would exploit the ensuing confusion.

Such scenarios ought to have sparked a clamor for systemic reform. But in the past, when the federal government has pointed out these vulnerabilities—and attempted to protect against them—the states have chafed and moaned. In August 2016, President Obama’s homeland-security secretary, Jeh Johnson, held a conference call with state election officials and informed them of the need to safeguard their infrastructure. Instead of accepting his offer of help, they told him, “This is our responsibility and there should not be a federal takeover of the election system.”

After the 2016 election, the federal government could have taken a stronger hand with localities. Unprecedented acts of foreign interference presumably would have provided quite a bit of leverage. That did not happen. The president perceives any suggestion of Russian interference as the diminution of his own legitimacy. This has contributed to a conspiracy of silence about the events of 2016. A year after the election, the Department of Homeland Security told 21 states that Russia had attempted to hack their electoral systems. Two years later, a Senate report publicly disclosed that Russia had, in fact, targeted all 50 states. When then–DHS Secretary Kirstjen Nielsen tried to raise the subject of electoral security with the president, acting White House Chief of Staff Mick Mulvaney reportedly told her to steer clear of it. According to The New York Times, Mulvaney said it “wasn’t a great subject and should be kept below his level.”

This atmosphere stifled what could have been a genuinely bipartisan accomplishment. The subject of voting divides Republicans and Democrats. Especially since the Bush v. Gore decision in 2000, the parties have stitched voting into their master narratives. Democrats accuse Republicans of suppressing the vote; Republicans accuse Democrats of flooding the polls with corpses and other cheating schemes. Despite this rancor, both sides seemed to agree that Russian hacking of voting systems was not a good thing. After the 2016 election, Democratic Senator Amy Klobuchar, from Minnesota, partnered with Republican Senator James Lankford, from Oklahoma, on the Secure Elections Act. The bill would have given the states money to replace electronic voting machines with ones that leave a paper trail and would have required states to audit election results to confirm their accuracy. The reforms would also have had the seemingly salutary effect of making it easier for voters to cast ballots.

The Secure Elections Act wouldn’t have provided perfect insulation from Russian attacks, but it would have been a meaningful improvement on the status quo, and it briefly looked as if it could pass. Then, on the eve of a session to mark up the legislation—a moment for lawmakers to add their final touches—Senate Republicans suddenly withdrew their support, effectively killing the bill. Afterward, Democrats mocked Senate Majority Leader Mitch McConnell as “Moscow Mitch,” an appellation that stung enough that the senator ultimately agreed to legislation that supplied the states with hundreds of millions of dollars to buy new voting systems—but without any security demands placed on the states or any meaningful reforms to a broken system. McConnell made it clear that he despised the whole idea of a legislative fix to the electoral-security problem: “I’m not going to let Democrats and their water carriers in the media use Russia’s attack on our democracy as a Trojan horse for partisan wish-list items that would not actually make our elections any safer.” For McConnell, suppressing votes was a higher priority than protecting them from a foreign adversary.

2. The Big Phish
To raise the subject of John Podesta’s email in his presence is a callous act. But I wanted his help tabulating a more precise toll of Russian hacking—how it leaves a messy trail of hurt feelings, saps precious mental space, and reshapes the course of a campaign. After repeatedly prodding him for an interview, I finally met with Hillary Clinton’s old campaign chief in his Washington office, which stares down onto the steeple of the church Abraham Lincoln attended during the Civil War. Dressed in a plaid shirt, with a ballpoint pen clipped into the pocket, Podesta rocked back and forth in a swivel chair as he allowed me to question him about one of the most wince-inducing moments in recent political history.

Months before WikiLeaks began publishing his emails, Podesta had an inkling that his Gmail account had been compromised. Internal campaign documents had appeared on an obscure website, and he considered the possibility that they had been lifted from his computer. Still, the call from a member of the campaign’s communications team on October 7, 2016, left him gobsmacked. As he finished a session of debate preparation with Clinton, he learned that Julian Assange intended to unfurl the contents of his inbox over the remaining month of the campaign. It’s a familiar if much-ignored maxim in politics that no email should ever contain content one wouldn’t want to see on the front page of The New York Times. This was now Podesta’s reality.

On the 10th floor of the Clinton campaign’s headquarters, in Brooklyn, a team of 14 staffers quickly assembled. They covered a glass door in opaque paper to prevent voyeurs from observing their work and began to pore over every word of his 60,000 emails—every forwarded PDF, every gripe from an employee, even the meticulous steps of his risotto recipe. The project would consume the entirety of the month. Every day, Podesta set aside time to meet with emissaries from the 10th floor and review their findings. “I willed myself not to feel pain,” he told me.

The material that WikiLeaks eventually posted created some awkward moments. Podesta had received snarky emails from colleagues, and had sent a few himself. To repair relationships, Podesta found himself apologizing to co-workers, friends, former Cabinet secretaries. Even when the contents of the leaked messages seemed innocuous, new annoyances would arise. WikiLeaks hadn’t redacted the correspondence to protect privacy, leaving the cellphone numbers of campaign staffers for the world to view. In the middle of meetings, staffers would find their devices vibrating incessantly; strangers would fill their voicemails with messages like I hope you’re raped in prison. Identity thieves quickly circled Podesta, attempting to claim his Social Security benefits and applying for credit cards in his name. Despite a political career that has permitted him to whisper into the ears of presidents, the legendarily frugal Podesta had commuted to New York on Vamoose, a discount bus line. A fraudster exploited the hack to steal the points he had accumulated in the Vamoose rewards program.

As Podesta revisited these painful moments, he claimed that he’d stoically persisted in their face: “I kept going on television. I kept raising money. I kept traveling with Hillary and President Clinton. I kept doing everything that I had been doing.” But these were the closing weeks of an election that would turn on fewer than 80,000 votes spread across three states. For a campaign that arguably didn’t invest its resources properly in the final stretch, the question must be asked: How badly did the Russians throw the campaign off its game? The least visible damage of the hack might have been the most decisive.

In the years since the Podesta hack, Microsoft’s Tom Burt has continually battled its perpetrators. As the man charged with safeguarding the security of Windows, Word, and his company’s other software, he has developed a feel for the GRU’s rhythms and habits. Through Microsoft’s work with political parties and campaigns around the world—the company offers them training and sells them security software at a discount—Burt has accumulated lengthy dossiers on past actions.

What he’s noticed is that attacks tend to begin on the furthest fringes of a campaign. A standard GRU operation starts with think-tank fellows, academics, and political consultants. These people and institutions typically have weak cybersecurity fortifications, the penetration of which serves dual purposes. As the GRU pores through the inboxes of wonks and professors, it gathers useful intelligence about a campaign. But the hacked accounts also provide platforms for a more direct assault. Once inside, the GRU will send messages from the hacked accounts. The emails come from a trusted source, and carry a plausible message. According to Burt, “It will say something like ‘Saw this great article on the West Bank that you should review,’ and it’s got a link to a PDF. You click on it, and now your campaign network is infected.” (Although Burt won’t discuss specific institutions, he wrote a blog post last year describing attacks on the German Marshall Fund and the European offices of the Aspen Institute.)

Podesta fell victim to a generic spear-phishing attack: a spoofed security warning urging him to change his Gmail password. Many of us might like to think we’re sophisticated enough to avoid such a trap, but the Russians have grown adept at tailoring bespoke messages that could ensnare even the most vigilant target. Emails arrive from a phony address that looks as if it belongs to a friend or colleague, but has one letter omitted. One investigator told me that he’s noticed that Russians use details gleaned from Facebook to script tantalizing messages. If a campaign consultant has told his circle of friends about an upcoming bass-fishing trip, the GRU will package its malware in an email offering discounts on bass-fishing gear.

Many of these techniques are borrowed from Russian cybercrime syndicates, which hack their way into banks and traffic in stolen credit cards. Burt has seen these illicit organizations using technologies that he believes will soon be imported to politics. For instance, new synthetic-audio software allows hackers to mimic a voice with convincing verisimilitude. Burt told me, “In the cybercrime world, you’re starting to see audio phishes, where somebody gets a voicemail message from their boss, for example, saying, ‘Hey, I need you to transfer this money to the following account right away.’ It sounds just like your boss and so you do it.”

What the Russians can’t obtain from afar, they will attempt to pilfer with agents on the ground. The same GRU unit that hacked Podesta has allegedly sent operatives to Rio de Janeiro, Kuala Lumpur, and The Hague to practice what is known as “close-access hacking.” Once on the ground, they use off-the-shelf electronic equipment to pry open the Wi-Fi network of whomever they’re spying on.

The Russians, in other words, take risks few other nations would dare. They are willing to go to such lengths because they’ve reaped such rich rewards from hacking. Of all the Russian tactics deployed in 2016, the hacking and leaking of documents did the most immediate and palpable damage—distracting attention from the Access Hollywood tape, and fueling theories that the Democratic Party had rigged its process to squash Bernie Sanders’s campaign.

In 2020, the damage could be greater still. Podesta told me that when he realized his email had been breached, he feared that the hackers would manufacture embarrassing or even incriminating emails and then publish them alongside the real ones. It’s impossible to know their reasoning, but Russian hackers made what would prove to be a clever decision not to alter Podesta’s email. Many media outlets accepted whatever emails WikiLeaks published without pausing to verify every detail, and they weren’t punished for their haste. The Podesta leaks thus established a precedent, an expectation that hacked material is authentic—perhaps the most authentic version of reality available, an opportunity to see past a campaign’s messaging and spin and read its innermost thoughts.

In fact, the Russians have no scruples about altering documents. In 2017, hackers with links to the GRU breached the inboxes of French President Emmanuel Macron’s campaign staffers. The contents were rather banal, filled with restaurant reservations and trivial memos. Two days before these were released, other documents surfaced on internet message boards. Unlike the emails, these were pure fabrications, which purported to show that Macron had used a tax haven in the Cayman Islands. The timing of their release, however, gave them credibility. It was natural to assume that they had been harvested from the email hack, too. The Macron leaks suggested a dangerous new technique, a sinister mixing of the hacked and the fabricated intended to exploit the electorate’s hunger for raw evidence and faith in purloined documents.