This fall's U.S. presidential election may end up being a chaotic mess that won't yield a winner on Election Night, three election-security experts told the Black Hat 2020 security conference during its opening day Wednesday (Aug. 5).
The states don't know how many absentee ballots they need to send to voters, how early to tell voters to mail the ballots back or how they're going to count those ballots in a timely manner, one expert warned.
- Trump attacks mail-in voting fraud — but election officials say it's safe
- Worried about Election Day hacking? Here's what you need to know
- The best antivirus software to keep your PC clean
Some voters who try to cast their ballots in person will find their regular polling places closed, and long lines may form at those that are open as a smaller-than-usual number of election workers try to limit crowds.
Meanwhile, the Russians will continue to flood American social media with disinformation, and the Chinese and Iranians may join in. Russian tactical hackers could even try to disrupt the actual voting with strategic power outages or destructive malware on electoral computer systems, as they've already done in other countries.
"On November third, it's quite possible that we won't know who won the election," said Christopher Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). "So we you need you to be a more patient voter and recognize that it's going to take a little more time."
'A Sputnik moment'
In his Black Hat presentation, taped the night before it was streamed out to attendees of this year's virtual conference, Krebs tried to project a positive note.
"Four years ago at this time, it was becoming very clear that Russia was intent on disrupting the election," he said. "But if you talk to anyone in the last administration, they would not have been happy with the response," which was quickly pulled together from various agencies for a scenario that had not been planned for.
"It was almost a Sputnik moment," Krebs said, comparing it to the day in October 1957 when the U.S. realized that its military forces could not protect its skies from Soviet satellites. "Before this, cybersecurity incidents were financial crimes or a bad movie. Suddenly it was very real."
"But we got to see the Russians' playbook," Krebs added, enabling the U.S. national-security establishment to plan for the next presidential election.
"Today in 2020," he said, we're much better prepared for the Russian disinformation and hacking threat. "It's night and day."
Krebs cited much better visibility into the varied American election systems, greater understandings of the risks involved, and progress in making sure that all voting precincts record the votes on some kind of paper trail -- 92% would be compliant by Election Day 2020, Krebs said, as opposed to only 80% in 2016.
"We have the confidence that 2020 will be the most secured, most protected election in modern history," he predicted.
'Can we postpone a national election?'
Matt Blaze, a computer-science professor who holds the McDevitt Chair in Computer Science and Law at Georgetown University, wasn't so optimistic.
Delivering Wednesday's Black Hat keynote address, Blaze lamented that the slow but steady progress made in election security over the past decade had been disrupted by the COVID-19 crisis.
"I've never encountered a problem that's more complex than the security of civil elections," Blaze said, yet he was glad to see earlier this year, for example, that touchscreen voting machines that don't print a paper readout were slowly being phased out.
"So this all sounded good in February," he added. "Then March and the coronavirus pandemic came along."
Our election systems are just not prepared to handle the resulting huge expected influx of mail-in ballots, Blaze said, with the exceptions of counties or states like Oregon where mail-in ballots are the norm.
"Absentee voting is permitted by every state, but the scale varies," he said, pointing out that some states require to voter to provide a reason why he or she can't vote in person, although more states let you do it for any reason. "But is absentee voting scalable in an emergency? This is a systems and logistics problem."
The U.S. has dealt with regional or national voting disruptions before, such as caused by natural disasters, the Civil War or even the 9/11 terrorist attacks (a mayoral primary day in New York City).
But, Blaze said, we've never seen anything like this before, when millions of people will want to vote but won't want to go to polling places. Many of those polling places, such as in schools or government buildings, will be closed anyway.
As Krebs put it later in the day during his own presentation, on Election Day, "something will have changed in way you vote. Your polling place might not be available."
"There's lots of uncertainty about how many voters will need mail-in ballots," Blaze said. "We probably won't know until it's too late to change course. We'll need to prepare for a very wide range of scenarios."
Among those scenarios, Blaze admitted, might be one that would extremely disruptive and would require congressional approval.
"Can we postpone a national election?" Blaze asked rhetorically. "We never have before. The Speaker of the House could become acting president" — which would happen if a president's term ran out without an elected successor — "but that might be preferable to accepting an election viewed as illegitimate."
Making sure U.S. elections are cast in doubt is one of the Kremlin's primary goals, Booz Allen Hamilton threat-intelligence analyst Nate Beach-Westmoreland said in the day's third election-security address.
Beach-Westmoreland said the Russians have tried to influence U.S. elections since at least 1976, when the KGB tried to derail the presidential campaign of defense hawk Sen. Henry "Scoop" Jackson by forging fake FBI files alleging that Jackson was gay and sending them to major newspapers.
None of the newspapers ran the stories, Beach-Westmoreland said, and Jackson's campaign fizzled out on its own. But after Vladimir Putin took charge in Russia on the last day of 1999, efforts at what Beach-Westmoreland called "information confrontation" began anew.
"Russia has been incorporating information confrontation into its military strategy since 2000," Beach-Westmoreland said.
Disinformation vs. destruction
There are two sides to this, he said. The "information psychological" side is what hit us in 2016, with the break-in at the Democratic National Committee, the media leaks of mixed false and real information, and the social-media campaigns aimed at stirring up trouble.
These campaigns have been carried out by a group information-security specialists call Fancy Bear, Sofacy or APT 28, and it's part of the GRU, the Russian military-intelligence agency. Fancy Bear has used similar tactics in France, Bulgaria, Ukraine and Montenegro.
Even though Russia's favored candidates have rarely won, Beach-Westmoreland said, these disinformation campaigns still further Russia's goals.
"There's a greater utility to this than just changing outcomes," he said. "You can undermine your opponents, create new opportunities, and shape domestic opinions in Russia itself" by showing that Western democracy is flawed.
Yet there's a worse side to GRU hacking, said Beach-Westmoreland. The "information technical" group, aka Sandworm or Black Energy, has hit many countries with destructive cyberattacks.
This group is blamed for disabling Ukrainian power plants in 2016, launching the NotPetya worm that destroyed computers across Europe in 2017 and taking down the computer systems at the Pyeongchang Winter Olympics in 2018.
Yet Sandworm/Black Energy has never been very active in the United States. The GRU did probe the election systems in all 50 states in 2016, as Krebs noted during his presentation earlier Wednesday, but that may just have been reconnaissance.
Beach-Westmoreland says it's possible, if unlikely, that the Sandworm/Black Energy group might try to disrupt the U.S. presidential election by using destructive wiper malware to hack election systems or by creating localized power outages to disable electronic voting machines.
Such attacks would create a massive blowback from the U.S. government, which has stated that they would constitute an act of war. Russia has generally used these tactics only on countries it doesn't have to fear militarily.
Deterrence is "a matter of shaping your adversary's risk calculus," Beach-Westmoreland said. "Draw clear bright lines for which there will be consequences if they're crossed."
Deterrence clearly has not worked to stop the Russians from spreading disinformation, which Krebs said is as much of a threat as it's ever been.
"On the intelligence side, election-infrastructure targeting is not like what we've seen in 2016," he said while taking questions after his own presentation. "But in the disinformation space, Russia has never taken its foot off the gas. China and Iran are also in the game."
To American voters and social-media users, Krebs urged them to not fall victim to fake-news campaigns designed to spark outrage and viral sharing.
"Consider your sources of information," he said. "Think before you share. There are [news] outlets out there like Sputnik or RT [Russia Today] that are closely associated with the Kremlin."
"We could be attacked by a very capable adversary," Krebs said about the next three months. "We have to factor COVID-19 in. And we require the voter to have patience."
Get the BEST of Tom’s Guide daily right in your inbox: Sign up now!
Upgrade your life with the Tom’s Guide newsletter. Subscribe now for a daily dose of the biggest tech news, lifestyle hacks and hottest deals. Elevate your everyday with our curated analysis and be the first to know about cutting-edge gadgets.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.