The Intelligence Community Assessment of Russian Activities in US Elections and What It Means For Voting System Technologies

The U.S. intelligence community has released its declassified report on Russian activities in relation to the recent U.S. election. It’s 25 pages long and is easy to read (DNI original source, DocumentCloud copy).

Background

It’s unusual to have a report like this made available to the public. To help readers understand intel community lingo, the report describes what it means for the intel community to reach a conclusion and why they cannot share original “sources and methods” with the general public. They also explain that words like “we assess” or “highly likely” are actually specific technical terms with very particular meanings. It helps to know this when reading the report so you can understand what’s being written.

Also of particular note, the report states:

We did not make an assessment of the impact that Russian activities had on the outcome of the 2016 election. The US Intelligence Community is charged with monitoring and assessing the intentions, capabilities, and actions of foreign actors; it does not analyze US political processes or US public opinion.

So the intel community isn’t trying to tell you about how U.S. voters responded to leaked information. They’re just telling you about how and why they reached their conclusions about Russian state activities. The authors of this report went out of their way to be non-partisan. Of course, there will be counter-claims that these reports are still somehow partisan in nature, and there’s no easy way to refute those claims except for reading the report directly and reaching your own conclusions.

The report’s conclusions

Yes, the report says what we expected. It concludes bluntly, on page 7 of the PDF (numbered “ii”) that (emphasis in the original):

We assess Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russia’s goals were to undermine public faith in the US democratic process, denigrate Secretary Clinton, and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump. We have high confidence in these judgments.
We also assess Putin and the Russian Government aspired to help President-elect Trump’s election chances when possible by discrediting Secretary Clinton and publicly contrasting her unfavorably to him. All three agencies agree with this judgment. CIA and FBI have high confidence in this judgment; NSA has moderate confidence.

The report directly states that “Guccifer 2.0” and “DCLeaks.com” were fronts for Russian military intelligence and that that the WikiLeaks data was “relayed” to them through an unstated third party, but clearly originating with the Russians.

Another remarkable conclusion concerns Russian access to state and local election systems (emphasis in the original):

Russian intelligence obtained and maintained access to elements of multiple US state or local electoral boards. DHS assesses that the types of systems Russian actors targeted or compromised were not involved in vote tallying.
We assess Moscow will apply lessons learned from its Putin-ordered campaign aimed at the US presidential election to future influence efforts worldwide, including against US allies and their election processes.

What’s this mean for future voting technologies?

The connection between Russian actions and US elections technologies (voter registration databases, vote tabulation computers, voting machines, etc.) is not particularly fleshed out in this report. This is all the detail we’re given (emphasis in the original):

Russian Cyber Intrusions Into State and Local Electoral Boards. Russian intelligence accessed elements of multiple state or local electoral boards. Since early 2014, Russian intelligence has researched US electoral processes and related technology and equipment.
DHS assesses that the types of systems we observed Russian actors targeting or compromising are not involved in vote tallying.

We can’t make too much out of this, but we can reach a few obvious conclusions, many of which I pointed to in my Congressional testimony last September:

  • Internet voting should not be considered for use anywhere in the U.S. (or elsewhere, for that matter) when we’re facing legitimate threats to our elections from foreign nation-state actors. This has important implications for efforts to allow overseas and military voters to more easily cast their votes.
  • Many current election management systems / voting tabulation systems are connected to computer networks that are not strictly air-gapped from the Internet, instead using firewalls or other forms of limited networking. There must be no electrical path between the Internet and any vote tabulation system. This same issue also applies to the plain-old phone system, which is every bit as vulnerable as the Internet.
  • Many current voting systems include modems for the electronic return of ballots. For example, the ES&S DS200 precinct-based ballot scanner offers an optional “USB wireless modem” feature. Such features create unacceptable vulnerabilities. Electronic ballot data should only be transmitted physically, by courier; no other means are suitably secure.
  • We don’t know enough about Russian intent and capabilities with regard to local electoral boards, but an obvious target is voter registration databases, which are generally online. In both early voting or election day vote centers, where any voter can go to any location in a county to cast his or her vote, these voter registration databases must necessarily be online in order to centrally verify each voter, ensuring that no voter casts more than one ballot. These systems present vulnerabilities that cannot be addressed through traditional security practices like air-gapped networks. Instead, these systems must be engineered to be bulletproof against attack. Luckily, they’re very similar to other web database systems, so software engineers have a lot of experience in building such systems to rigorous standards. Note that current voter registration database systems aren’t subject to any sort of national standards or certification, so addressing this will be an important challenge. Meanwhile, election officials need to take a variety of precautions, ranging from offline backups to printing paper pollbooks, to ensure that elections can go on.
  • Election equipment vendors have traditionally suggested that attacks against their systems were “purely hypothetical” and/or would not be practical outside of “laboratory conditions”. These claims have always been a way of avoiding responsibility for poorly-engineered systems, but now that those systems must face threats from overseas nation-state actors with sophisticated cyber-security skills, we must improve our game. In the short term, this means regular audits of paper ballots to compare them to their electronically scanned counterparts, and the removal of insecure, purely electronic voting systems. In the next few years, it also means we should place more emphasis on the next generation of voting systems like Los Angeles’s VSAP and Travis County (Austin, TX)’s STAR-Vote, where computer security is engineered in from the very beginning.