How The U.S. Fended Off Serious Foreign Election Day Cyberattacks

Nov 18, 2020
Originally published on November 22, 2020 9:25 pm

On Election Day, Geoff Brown watched lines of text flow by on monitors at New York City Cyber Command in downtown Manhattan.

Brown, the head of the city's cybersecurity operation, was plugged into a bank of virtual conference rooms, checking in with partners at the local, state and federal levels working together to monitor election systems for any security breaches or disinformation campaigns that might target the voting process.

After all the waiting, after months of hardening defenses, the serious threats never came.

"It was a long night. It was sort of a lonely night, perhaps, because we're all in our own rooms in this day and age," Brown reflected. He singled out for particular praise his counterparts at the Department of Homeland Security, especially Christopher Krebs, "who I think has done an absolute, tremendous job in their mission."

[Photo caption: Geoff Brown is the head of New York City Cyber Command, the city's cybersecurity operation. Credit: New York City Cyber Command]

President Trump's Tuesday evening firing of Krebs, director of the Cybersecurity and Infrastructure Security Agency at DHS, which oversaw federal efforts on election security and countering voting system disinformation, highlights a broader point: After all the concerns raised about foreign adversaries hacking into systems and launching disinformation campaigns such as those that marred the 2016 presidential election, the 2020 race went smoothly on both fronts.

"After millions of Americans voted, we have no evidence any foreign adversary was capable of preventing Americans from voting or changing vote tallies," Krebs wrote in a statement following Election Day. That was two weeks before he was fired.

In some ways Nov. 3 turned out to be like the Y2K of election nights: Despite widespread fears of chaos, the system held and disaster was averted.

"From a Y2K perspective, the beauty and elegance in the mitigation of the catastrophic events that we were all expecting was because people prepared, because they took a step back and spent time thinking about the potential impacts," said Stu Solomon, chief operating officer of the cybersecurity firm Recorded Future.

Ultimately the fact that Election Day came and went without serious cybersecurity or foreign disinformation campaigns suggests that the lessons of 2016 were learned — because the threats to this election were real.

"I was surprised at how well this happened because there are so many interests, both criminal or otherwise," Solomon said. "And because it is so easy to go out and create these impacts, the fact that we were able to mitigate them as effectively as we were is surprising, but certainly a very pleasant surprise."

The most serious foreign threats included the prospect of cyberattacks against key elections systems and the potential for foreign disinformation campaigns.

Between election cycles, tech companies and government officials acted to prevent a repeat of 2016 when Russian leak operations and foreign misinformation networks wreaked havoc on the presidential race between Hillary Clinton and Trump.

Throughout 2020, Facebook repeatedly took down fake accounts backed by the Chinese, Iranian and Russian governments.

"It's obvious to me that Facebook and other social media companies have massively upped the spending on resources to identify these sources within their platforms," said Mark Arena, CEO of Intel 471, a cyber intelligence firm. "They should be commended for it."

Government officials also took action to prevent intrusions inside key election systems: DHS worked with local election officials in nearly all 50 states to shore up their cyberdefenses by, among other things, testing the systems and suggesting fixes and patches.

Another threat that was hobbled before Election Day was the disruption of a network of zombie computers that were controlled by Russia-linked hackers. The botnet was called TrickBot, and it is rather famous for planting ransomware and malware on computer systems around the world. If U.S. election systems were to be compromised, intelligence officials said later, it was likely TrickBot would be part of it.

So it got special attention from the U.S. government and the private sector. In the months before the election, the U.S. military's Cyber Command reportedly mounted an operation to disrupt it temporarily.

"So the idea is you can cut the head off the snake or you can cut all the snakes which connect to the head. And that was what the objective was. And we saw it," Arena said. "It probably didn't get all the snakes, but the reality is it did probably cut off a lot of those connections."

Microsoft took its own action to support the U.S. cyber force's efforts. It moved to disable the same botnet, arguing that the network's ability to disrupt American computer systems used for election results and voter rolls was "one of the largest threats to the upcoming elections."

"The fact that it was disrupted right at the same time that the elections were kicking into high gear is not a coincidence," Solomon told NPR. "And yes, it definitely had impact."

These actions have been publicly announced. Analysts said there were likely others that were not.

"What we're seeing is only a small amount of what's actually happening. So I think there's probably a huge amount of effort happening behind the scenes," Arena said. "People toiling in the dark, working in dark rooms, knowing that their successes are probably not going to be public."

But success preventing foreign adversaries from interfering with the election only paints a partial picture: Domestic disinformation about the validity of the election has been widespread, even without intervention from abroad.

"I think on some level, we're always fighting the last war. So we made significant strides on the threats we identified from 2016 around the cybersecurity of election infrastructure and the threat of foreign interference in our election," said Lindsay Gorman, a fellow at the Alliance for Securing Democracy. "And now I think what we have to really contend with is the threat of domestic disinformation."

Copyright 2020 NPR. To see more, visit https://www.npr.org.

RACHEL MARTIN, HOST:

With all the focus on recounts and baseless claims of fraud being made by the president, something may have gotten lost in this election. Foreign adversaries, those hackers who were supposed to crack into voter systems or spread disinformation, they didn't have much of a role. Tim Mak and Dina Temple-Raston of NPR's investigations team explain why.

TIM MAK, BYLINE: Geoff Brown, head of New York City's Cyber Command in downtown Manhattan, spent November 3 watching for hackers, for anyone who might have been trying to use the Internet in some way to undermine the election.

GEOFF BROWN: It's like a game of chess with a sentient opponent on the other side. And I think all the indications was that opponents were trying to test and interfere with elections all over the globe.

MAK: So he watched and waited and nothing happened.

BROWN: On the night of the election and running up to the election in this cycle, no, we didn't see anything strange. We didn't see any suspicious behavior.

MAK: But Brown said the threat was there.

BROWN: I don't think it was overstated at all. I think it was a real threat. And I think that being prepared was exactly what we needed to do.

DINA TEMPLE-RASTON, BYLINE: In some ways, November 3 became a kind of Y2K of election nights. So much was supposed to go wrong, but very little actually did. Stu Solomon is the chief operating officer at Recorded Future, a cybersecurity firm. And he was watching for hackers on election night, too.

STU SOLOMON: And in this case, the good guys won. The bad guys are not deterred. They're just going to simply look for another element of the attack surface where they could create the outcomes they want.

TEMPLE-RASTON: Microsoft and the U.S. military's Cyber Command targeted a huge network of computers controlled by Russian cybercriminals known as TrickBot. Solomon says one of the reasons we didn't see massive cyberattacks on the system was because of that.

SOLOMON: So the fact that it was disrupted right at the same time that the elections were kicking into high gear is not a coincidence. And yes, it definitely had impact.

MARK ARENA: The people behind TrickBot are very, very experienced, compromising a huge number of people's computers globally.

TEMPLE-RASTON: That's Mark Arena, the CEO of Intel 471, a cyber intelligence firm. He's been watching TrickBot for some time, and he figures Microsoft and CyberCom targeted TrickBot because if there was going to be a massive attack on U.S. election systems, TrickBot probably would have been involved.

MAK: There were other pre-emptive strikes that may have helped protect the election. Facebook and other social media companies took down fake accounts linked to the Chinese, Iranian and Russian governments. Arena said that over the past few years, social media organizations have significantly improved how they monitor their sites.

ARENA: It's obvious to me that Facebook and other social media companies have massively upped the spending on resources to identify these sources within their platforms. They should be commended for it.

MAK: So there are two reasons why the election appears to have avoided the kind of mischief that marred the 2016 contest. First, a huge purveyor of ransomware, TrickBot, was hobbled.

TEMPLE-RASTON: And second, social media companies were more proactive about taking down fake accounts.

MAK: And there's one more piece that local officials say was critical. And it came from the Department of Homeland Security.

TEMPLE-RASTON: Its Cyber Infrastructure and Security Agency, to be precise, which was run by a man named Christopher Krebs.

MAK: His agency had spent the years since the 2016 election fanning out to various states to help them beef up security around their election systems and voter rolls.

TEMPLE-RASTON: Which, given how smoothly everything went, brings us to what may have been the most surprising cyber event of the political cycle. After Krebs said 2020 was the most secure election America has ever had...

MAK: President Trump fired him in a tweet.

TEMPLE-RASTON: And that was the one thing before the election no one had prepared for. For NPR News, I'm Dina Temple-Raston in New York.

MAK: And I'm Tim Mak in Washington.

(SOUNDBITE OF AK'S "23.01.2018")

Transcript provided by NPR, Copyright NPR.