
Under Attack: How Election Hacking Threatens the Midterms

The United States is grappling with fundamental cybersecurity threats at every level of voting infrastructure, from malware-based campaign hacks to weaponized social media posts. But there are plenty of people trying to do something about it.

October 29, 2018
Election Security

In March, officials from 38 states packed into a conference hall in Cambridge, Massachusetts, for a two-day election simulation exercise that was run like a war game.

More than 120 state and local election officials, communications directors, IT managers, and secretaries of state ran drills simulating security catastrophes that could happen on the worst Election Day imaginable.

The tabletop exercise began each simulation months before the Nov. 6 midterm elections, accelerating the timeline until states were countering attacks in real time as voters went to the polls. Organized by the Defending Digital Democracy (D3P) project at Harvard, a bipartisan effort to protect democratic processes from cyber and information attacks, the drills forced participants to respond to one nightmare scenario after another—voting machine and voter database hacks, distributed denial of service (DDoS) attacks taking down websites, leaked misinformation about candidates, fake polling information disseminated to suppress votes, and social media campaigns coordinated by nation-state attackers to sow distrust.

As we've seen in recent elections around the world, multiple attacks often occur simultaneously.

"Think about a denial of service attack and the normal phishing and malware-type tactics [hackers] would use during an election," said Eric Rosenbach, D3P director and chief of staff to US Secretary of Defense Ashton Carter from 2015 to 2017.

"The part I would be most concerned about with a DDoS is an attack against a web page announcing results combined with a high-end [information operation]. Look at what happened in Ukraine in 2014. The Russians DDoSed the web page Ukraine was using to announce election results, then steered everyone back to [state-run] Russia Today and put up bogus results. Ukrainians were left confused about who had actually been elected president."

Understanding modern election security means coming to grips with a daunting reality: especially in the United States, the infrastructure is too fragmented, outdated, and vulnerable to be completely secured. There are also far too many different types of attacks across the threat landscape to ever stop them all.

PCMag spoke to state officials, political operatives, academics, tech companies, and security researchers about the stark realities of election security in 2018. On both sides of the political aisle, at every level of government, and throughout the tech industry, the United States is grappling with fundamental cybersecurity threats to our elections. We're also planning for how to react when things go wrong, both during this crucial midterm election and in the 2020 general election.

Protecting the 'Attack Surface'

In cybersecurity, all the exposed systems and devices that could be attacked are called the "attack surface." The attack surface of a US election is enormous and can be divided into three key levels.

The first is voting infrastructure; think voting machines, voter registration databases, and all the state and local government websites that tell people where and how to vote.

Then there's the campaign security level. As 2016 showed, campaigns are easy targets for hackers. Stolen campaign data can then be used as a potent weapon for the third, more nebulous attack level: the nefarious world of weaponized misinformation and social influence campaigns. On this front, the troll armies of nation-state actors continue to operate across the web and invade social media platforms, which have become polarizing battlegrounds of voter perception.

Trying to solve the myriad systemic issues plaguing each of these levels often leads to more questions than answers. Instead, many of the strategies to mitigate election security risks come down to common sense: paper balloting and vote auditing; giving state and local governments more resources; and providing tools and security training for campaigns and election officials.

A couple more complicated and divisive questions, for election administrators and campaign workers as well as voters: How do you approach the electoral process in the social media era replete with online misinformation? And when you harbor doubts about all the digital information that comes across your screen, what should you believe?

What We Learned From 2016


Any conversation about US election security in the 2018 midterms and beyond eventually finds its way back to the 2016 presidential election. Prior to that race, we'd seen cyber attacks directed at campaigns and elections since the mid-2000s, but never before at that scale.

"At the time, no one had ever seen anything like this before. It was shocking to think that Russia would be so brazen as to interfere in our democracy and influence it in favor of a certain candidate," said Rosenbach, who testified before Congress in March on Russian interference in the 2016 election. "I've been working in national security for 20 years now, and this was the most complicated, difficult problem I've ever dealt with."

At this point, the facts are fairly clear. In July 2018, 12 officers of the GRU, Russia's military intelligence service, were indicted for hacking the Democratic National Committee (DNC) and the Clinton campaign and funneling the stolen documents to outlets including WikiLeaks, which published more than 20,000 DNC emails.

Operating under online personas including Guccifer 2.0 and DCLeaks (the unit itself is tracked by security firms as Fancy Bear, or APT28), the indicted officers also breached the Illinois voter registration database in the summer of 2016 and stole information on roughly 500,000 voters; Arizona's registration system was targeted in the same period. Subsequent FBI and NSA reporting indicated that election-related systems in as many as 39 states were targeted ahead of the 2016 presidential election. Announcing the indictment, US Deputy Attorney General Rod Rosenstein said that "the goal of the conspiracy was to have an impact on the election."

Those were just the attacks hitting the first two levels of election infrastructure. On social media, Russia, Iran, and others unleashed bots and troll factories—including the Russia-backed Internet Research Agency (IRA)—that spread fake news and bought thousands of political ads on Facebook and Twitter to influence voter opinions. While linked to political parties rather than outside hackers, Facebook's Cambridge Analytica scandal also played a role in how social media platforms affected the 2016 election.

"We did not react quickly or strongly enough [after the 2016 election]," said Rosenbach. While working at the Pentagon, Rosenbach also served as Deputy Assistant Secretary of Defense for Cyber from 2011 to 2014, and Assistant Secretary of Defense for Global Security overseeing cybersecurity.

He's now the co-director of the Belfer Center at Harvard's Kennedy School and director of the D3P. He founded it last year alongside Matt Rhoades, Mitt Romney's campaign manager during the 2012 election, and Robby Mook, Hillary Clinton's campaign manager in 2016.

"An important thing to understand from a security standpoint is that the campaign itself was never hacked," Mook told PCMag. "Personal email accounts were hacked, and the DNC was hacked, but I think it's an important warning to everyone that we really do have to secure the entire ecosystem. Adversaries are going to go anywhere they can to weaponize information against different candidates."

The phishing attack that successfully hacked Clinton campaign chairman John Podesta's personal Gmail account in 2016 left Mook with the realization that there weren't any mechanisms in place for how to react to an attack of this magnitude. In 2017, he connected with Rhoades, who had dealt with constant hacking attempts by Chinese state-backed operators during Romney's presidential run. The basic idea was to create a checklist of things to do to prevent exploits like this in future campaigns and to provide somewhere for campaigns to go when they were hacked.

The two linked up with Rosenbach and worked to publish the D3P Cybersecurity Campaign Playbook. They've since collaborated on two other playbooks: one for state and local election administrators, and one that primes communications officials on how to counter online misinformation. They also helped organize and run the interstate tabletop simulations.

Mook didn't want to spend too much time talking about 2016; it's important not to keep reliving the last battle when you can prepare for the next one, he said.

"The fact is, you just don't know why or how someone is trying to get in. You just know that somebody will," said Mook. "The most important thing is to think about what could be next. What are the threats we haven't considered or seen yet? I think the midterms will potentially surface some new vulnerabilities, but I think it's more about looking at the system as a whole and figuring out every possible way someone could get in."

The Shifting Threat Landscape


As we approach the 2018 midterms and face the long slog to the 2020 US presidential election, the threat landscape is coming into focus.

Though President Trump has downplayed the extent of Russian interference, the US hit Russia with new sanctions in March. "We continue to see a pervasive messaging campaign by Russia to try to weaken and divide the United States," US Director of National Intelligence Dan Coats said during an August briefing.

That came after Microsoft in July stymied a hacking attempt involving fake domains targeting three candidates running for reelection. Mere weeks before this story was published, a Russian national was charged with overseeing an effort to manipulate voters through Facebook and Twitter to interfere with the midterms. Elena Khusyaynova, a Russian citizen named in the indictment, allegedly managed financial and social operations affiliated with the IRA, wielding a budget of more than $35 million bankrolled by Russian oligarch and Putin ally Yevgeny Prigozhin.

The Office of the Director of National Intelligence, the Department of Homeland Security, the Department of Justice, and the FBI released a joint statement timed with the indictment. It states that while there is no current evidence of compromised voting infrastructure in the midterms, "some state and local governments have reported mitigated attempts to access their networks," including voter registration databases.

In the final weeks before the midterm elections, US Cyber Command is reportedly even identifying Russian operatives in control of troll accounts and informing them that the US is aware of their activities in an effort to deter election meddling.

"We are concerned about ongoing campaigns by Russia, China, and other foreign actors, including Iran, to undermine confidence in democratic institutions and influence public sentiment and government policies," the statement reads. "These activities also may seek to influence voter perceptions and decision making in the 2018 and 2020 US elections."

Looking for Patterns

When monitoring activity from foreign adversaries and other potential cyber foes, experts look for patterns. Toni Gidwani said it's like studying a radar array of all the different malicious entities out there; you search for early warning indicators to mitigate risk and secure the weakest links in your defenses.

Gidwani is the Director of Research Operations at cybersecurity firm ThreatConnect. She has spent the past three years spearheading ThreatConnect's research into the DNC hack and Russian influence operations on the 2016 US presidential election; her team linked Guccifer 2.0 to Fancy Bear. Gidwani spent the first decade of her career at the DoD, where she built and led analytics teams at the Defense Intelligence Agency.

"You need to pull the strings on a lot of different fronts," said Gidwani. "Fancy Bear was working a lot of different channels to try to get the DNC data into the public domain. Guccifer was one of those fronts, DCLeaks was one, and WikiLeaks was the highest-impact front."

Gidwani broke down the nation-state exploits we've seen into a few distinct activities that together form a multi-stage interference campaign. The campaign-focused data breaches led to strategic data leaks at critical moments in the election cycle.

"In [the midterms] we're concerned about spear-phishing and man-in-the-middle [MitM] attacks for sure. That information is so impactful when it gets in the public domain that you may not need sophisticated malware, because campaigns are such pickup operations, with an influx of volunteers as targets," she explained. "You don't need zero-day vulnerabilities if your spear-phishing is working."

The penetration attacks on state boards of elections are another prong, aimed at registration systems and the vendors that supply election technology, and meant above all to erode confidence in the validity of election results. Gidwani said the outdated and fragmented nature of voting infrastructure from state to state made attacks such as SQL injection, which "we would hope shouldn't even be part of the attack playbook anymore," not only possible but also effective.

Those operations are largely distinct from the Facebook groups and Twitter troll accounts churned out by the IRA and other nation-state actors, including China, Iran, and North Korea. Ultimately, those campaigns are more about stirring up sentiment and swaying voters across the political spectrum, amplifying the coordinated data leaks with political slants. When it comes to misinformation, we've uncovered only the tip of the iceberg.

"One of the things that makes elections so challenging is that they're made up of a lot of different pieces with no single stakeholder," said Gidwani. "The big challenge we're wrestling with is fundamentally a political question, not a technical one. The [social] platforms are making an effort to make legitimate content more easily identifiable by verifying candidates. But with how virally this type of content can spread, it takes us outside the world of information security."

Plugging New Holes in the Old Machine


At its most fundamental level, American election infrastructure is a patchwork—a jumble of outdated and insecure voting machines, vulnerable voter databases, and state and local websites that sometimes lack even the most basic encryption and security.

In a backward sort of way, the fragmented nature of nationwide voting infrastructure can make it a less appealing target than an exploit with more widespread impact. Because of the outdated and sometimes analog tech in voting machines and how vastly each state differs from the next, hackers would need to expend significant effort in each case to compromise every individual localized system. That's a misconception to some degree, because hacking state or local voting infrastructure in a key swing district can absolutely impact an election outcome.

Two election cycles ago, Jeff Williams consulted for a major US voting machine vendor, which he declined to identify. His company did a manual code review and security test of the voting machines, election management technology, and vote-counting systems, and found a slew of vulnerabilities.

Williams is the CTO and co-founder of Contrast Security, and one of the founders of the Open Web Application Security Project (OWASP). He said that because of the archaic nature of election software, which is managed in many cases by local precincts that often make purchasing decisions based more on budget than security, the technology hasn't changed all that much.

"It's not just about the voting machines. It's all the software you use to set up an election, manage it, and collect the results," said Williams. "The machines have a pretty long lifetime because they're expensive. We're talking about millions of lines of code and many years' worth of work trying to review it, with security that's complicated to implement and not well-documented. It's a symptom of a much larger problem—nobody has any insight into what's going on in the software they use."

Williams said he doesn't have much faith in the testing and certification processes either. Most state and local governments put together small teams that do penetration testing, the same kind of testing that made headlines at Black Hat. Williams believes that's the wrong approach, compared with exhaustive software quality-assurance testing. Hacking contests like those in the Voting Village at DefCon find vulnerabilities, but they don't tell you all about the potential exploits you didn't find.

The more systemic issue nationwide is that voting machines and election management software differ massively from state to state. There are only a handful of major vendors registered to provide voting machines and certified voting systems, which can be paper ballot systems, electronic voting systems, or a combination of the two.

According to nonprofit organization Verified Voting, 99 percent of America's votes are counted by computer in some form, either by scanning various types of paper ballots or through direct electronic entry. Verified Voting's 2018 report found that 36 states still use voting equipment proven to be insecure, and 31 states will use direct-recording electronic voting machines for at least a portion of voters.

Most alarmingly, five states—Delaware, Georgia, Louisiana, New Jersey, and South Carolina—currently use direct-recording electronic voting machines with no voter-verified paper audit trail. So if vote counts are altered in the electronic system, whether by physical tampering or a remote hack, those states have no independent record to check against, and no way to run the kind of audit in which a statistical sample of paper ballots, rather than a full recount, is enough to confirm the reported outcome.
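To make that sampling-audit point concrete, here is an added example, not code from the article or from any state's audit program: a ballot-polling risk-limiting audit (the BRAVO procedure of Lindeman, Stark and Yates) run over a constructed set of paper ballots. It draws ballots at random and stops as soon as the sample gives statistical confidence that the reported winner really won; if the paper does not support the reported outcome, the audit never reaches that confidence and escalates to a full hand count. The ballot data, candidate names and risk limit are all made up for the example, and the whole thing presupposes the one thing a paperless DRE state lacks, a paper record to sample from.

```python
"""Ballot-polling risk-limiting audit (BRAVO) for a two-candidate contest.

Added example; the ballots below are constructed, not real election data.
Assumes a voter-verified paper record exists to sample from, which is exactly
what the five paperless-DRE states named above do not have.
"""
import random
from collections import Counter


def bravo_audit(paper_ballots, reported_winner, reported_loser,
                reported_tallies, risk_limit=0.05, seed=0):
    """Run a ballot-polling RLA and return (outcome_confirmed, ballots_examined).

    reported_tallies: {candidate: votes} as announced by the electronic system.
    Ballots are drawn with replacement (the BRAVO model) and a sequential
    likelihood ratio T is updated per ballot; T >= 1/risk_limit confirms the
    reported outcome with risk at most risk_limit. If T never gets there within
    the sampling budget, the audit escalates to a full hand count of the paper,
    and the hand count decides.
    """
    wv = reported_tallies[reported_winner]
    lv = reported_tallies[reported_loser]
    if wv <= lv:
        raise ValueError("reported winner must lead the reported loser")
    s_w = wv / (wv + lv)  # reported winner share among the two candidates
    threshold = 1.0 / risk_limit
    rng = random.Random(seed)
    n = len(paper_ballots)
    t = 1.0
    examined = 0
    # Sampling budget: once we would have drawn as many ballots as exist,
    # a full hand count is cheaper than continuing to sample.
    while examined < n:
        ballot = paper_ballots[rng.randrange(n)]
        examined += 1
        if ballot == reported_winner:
            t *= s_w / 0.5
        elif ballot == reported_loser:
            t *= (1.0 - s_w) / 0.5
        # Ballots for anyone else (or blank) leave T unchanged in two-candidate BRAVO.
        if t >= threshold:
            return True, examined
    hand_count = Counter(paper_ballots)
    return hand_count[reported_winner] > hand_count[reported_loser], n


def make_ballots(votes, seed=0):
    """Build a shuffled list of paper ballots from {candidate: count}. Constructed data."""
    ballots = [c for c, k in votes.items() for _ in range(k)]
    random.Random(seed).shuffle(ballots)
    return ballots


if __name__ == "__main__":
    reported = {"Alice": 5600, "Bob": 4400}
    # Case 1: the paper agrees with the electronic tally; a few hundred ballots suffice.
    honest = make_ballots(reported)
    print("honest tally:", bravo_audit(honest, "Alice", "Bob", reported))
    # Case 2: the electronic tally was altered; the paper actually favours Bob,
    # so T never reaches 1/risk_limit and the audit falls through to a full count.
    altered = make_ballots({"Alice": 4400, "Bob": 5600})
    print("altered tally:", bravo_audit(altered, "Alice", "Bob", reported))
```

The sequential test is what makes the audit cheap: with a 12-point margin a few hundred randomly drawn paper ballots settle the question, while a tampered tally cannot be "confirmed" except with probability at most the risk limit, and instead triggers the full hand count. None of this is possible without the paper.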

"There's not a box of hanging chads for us to count," said Joel Wallenstrom, CEO of encrypted messaging app Wickr. "If there are claims in the midterms that the results aren't real because the Russians did something, how do we deal with that misinformation issue? People read bombastic headlines, and their trust in the system is further eroded."

Upgrading state-by-state voting infrastructure with modern tech and security isn't happening for the midterms and likely not before 2020. While states including West Virginia are piloting emerging technologies such as a blockchain-based mobile voting app for military voters overseas, most researchers and security experts say that in lieu of a better system, the most secure method of verifying votes is a paper trail.

"Paper audit trails have been a rallying cry for the security community for a long time, and in the midterms and probably the presidential election they will be using a ton of machines that don't have that," said Williams. "It's not hyperbole to say this is an existential threat to democracy."

One of the states with a paper audit trail is New York. Deborah Snyder, the state's Chief Information Security Officer, told PCMag at a recent National Cyber Security Alliance (NCSA) summit that New York was not among the 19 states whose estimated 35 million voter records are for sale on the dark web. However, publicly available New York State voter records are allegedly available for free on another forum.

The state conducts regular risk assessments of its voting machines and infrastructure. New York has also invested millions since 2017 in local intrusion detection to improve incident monitoring and response, both within the state and in coordination with the Multi-State Information Sharing and Analysis Center (MS-ISAC), which shares threat information among the states and the private sector.

"We're on heightened awareness leading up to and through the election," said Snyder. "I have teams on deck from 6 a.m. the day before to midnight on Election Day. We're all hands on deck, from the New York State Intelligence Center to the ISAC to the local and state Board of Elections and my office, ITS [Information Technology Services] and the Division of Homeland Security and Emergency Services."

Local Election Websites Are Sitting Ducks


The last and most often overlooked aspect of state and local election security is the set of government websites telling citizens where and how to vote. In some states, there's shockingly little consistency between official sites, and many don't even serve pages over HTTPS: they have no TLS certificate (still widely called an SSL certificate), so nothing a voter sends to or reads from the site is encrypted or protected from tampering in transit.

Cybersecurity company McAfee recently surveyed county election board websites in 20 states and found that only 30.7 percent serve pages over HTTPS by default, encrypting whatever a voter shares with the site. In Montana, Texas, and West Virginia, 10 percent of sites or fewer use HTTPS; in Texas alone, 217 of 236 county election websites do not.

You can tell an encrypted site by the HTTPS at the start of the URL and the lock icon in the browser's address bar. That lock means your connection is encrypted and the certificate was issued for the domain you're on; it does not tell you that the domain belongs to the county, which is why the lookalike-domain problem below matters just as much. Since Chrome 68 in July 2018, Google's browser has flagged every plain-HTTP page as "Not secure."

"Not having SSL in 2018 in preparation for the midterms means these county websites are far more vulnerable to MiTM attacks and data tampering," said McAfee CTO Steve Grobman. "It's often an old insecure HTTP variant that doesn't redirect you to secure sites, and in many cases, the sites would share certificates. Things do look better at the state level, where only around 11 percent of sites are unencrypted, but these local county sites are completely insecure."

Of the states included in McAfee's research, only Maine had above 50 percent of county election websites with basic encryption. New York was only at 26.7 percent, while California and Florida were around 37 percent. But the lack of basic security is only half the story. McAfee's research also found almost no consistency in the domains of county election websites.

A shockingly small percentage of county election sites use the .gov domain, which only US government bodies can register, instead opting for ordinary top-level domains (TLDs) like .com, .us, .org, or .net. In Minnesota, 95.4 percent of election sites are using non-government domains, followed by Texas at 95 percent and Michigan at 91.2 percent. This inconsistency makes it nearly impossible for a regular voter to discern which election sites are legitimate.

In Texas, 74.9 percent of local voter registration websites use the .us domain, 7.7 percent use .com, 11.1 percent use .org, and 1.7 percent use .net. Only 4.7 percent of sites use the .gov domain. In the Texas county of Denton, for example, the county elections website is https://www.votedenton.com/, but McAfee found that related websites such as www.vote-denton.com are available for purchase.

In scenarios like this, attackers don't even need to hack local websites. They can simply purchase a similar domain and send phishing emails that direct people to register to vote through the fraudulent site. They can even provide false voting information or incorrect polling place locations.

"What we see in cybersecurity in general is that attackers will use the simplest mechanism that is effective to achieve their goals," said Grobman. "While it may be possible to hack the voting machines themselves, there are a lot of practical challenges to that. It's a lot easier to go after voter registration systems and databases or just buy a website. In some cases we found there were similar domains purchased by other parties. It's as easy as finding a GoDaddy for-sale page."
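The two checks McAfee's survey applies, HTTPS or not and .gov or not, and the lookalike-domain problem Grobman describes can both be mechanized. The following is an added example, not McAfee's survey code or anything from the article: it audits a constructed list of election-office URLs offline (no requests are made, so it reports what the URL claims rather than what the server does), and it enumerates the cheap variants of a county's domain, such as the hyphenated vote-denton.com the article points at, that a defender should register or at least monitor. All sample URLs except votedenton.com are invented.

```python
"""Offline audit of election-office URLs plus lookalike-domain enumeration.

Added example with constructed sample data; the only real domain named is
votedenton.com, which the article cites. No network access is used.
"""
from urllib.parse import urlsplit

# Assumption: .gov is the only suffix we treat as a verified US government domain.
GOV_SUFFIXES = (".gov",)


def audit_site(url):
    """Return the findings for one URL: host, TLD, whether it is HTTPS and whether it is .gov."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    return {
        "host": host,
        "https": parts.scheme == "https",
        "gov_domain": host.endswith(GOV_SUFFIXES),
        "tld": tld,
    }


def summarize(urls):
    """Aggregate the per-site findings into the percentages a survey would report."""
    rows = [audit_site(u) for u in urls]
    n = len(rows)
    if n == 0:
        return {"sites": 0, "pct_https": 0.0, "pct_gov": 0.0, "tld_mix": {}}
    tlds = sorted({r["tld"] for r in rows})
    return {
        "sites": n,
        "pct_https": round(100 * sum(r["https"] for r in rows) / n, 1),
        "pct_gov": round(100 * sum(r["gov_domain"] for r in rows) / n, 1),
        "tld_mix": {t: round(100 * sum(r["tld"] == t for r in rows) / n, 1) for t in tlds},
    }


def lookalike_domains(domain, words, tlds=("com", "us", "org", "net", "info")):
    """Enumerate cheap lookalikes of a registrable election domain (e.g. votedenton.com).

    `words` says how the label splits into tokens, e.g. ("vote", "denton"), so the
    hyphenated form an attacker would buy is generated. Variants cover hyphenation,
    TLD swaps, adjacent-letter transpositions, one dropped letter, and common
    digit-for-letter homoglyphs. The original domain is excluded from the result.
    """
    label, _, tld = domain.rpartition(".")
    variants = set()
    spellings = {label, "-".join(words), "".join(words)}
    for s in spellings:                       # hyphenation x TLD swaps
        for t in tlds:
            variants.add(f"{s}.{t}")
    for i in range(len(label) - 1):           # adjacent transpositions
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        variants.add(f"{swapped}.{tld}")
    for i in range(len(label)):               # one dropped character
        variants.add(f"{label[:i] + label[i + 1:]}.{tld}")
    for a, b in (("o", "0"), ("l", "1"), ("e", "3")):   # homoglyphs
        if a in label:
            variants.add(f"{label.replace(a, b)}.{tld}")
    variants.discard(domain)
    return sorted(variants)


if __name__ == "__main__":
    # Constructed sample: one real county site and three invented ones.
    sample = [
        "https://www.votedenton.com/",
        "http://elections.example.us/",
        "https://vote.example.gov",
        "http://county.example.org",
    ]
    for u in sample:
        print(audit_site(u))
    print(summarize(sample))
    print(lookalike_domains("votedenton.com", ("vote", "denton"))[:10])
```

The audit deliberately stops at the URL: a real survey would also fetch each site to see whether plain-HTTP requests redirect to HTTPS and whether the certificate matches the host, which is exactly where the "shared certificates" Grobman mentions would show up. The lookalike list is the input to a defensive registration or brand-monitoring job; the point is that every entry costs an attacker only a domain registration.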

Campaigns: Moving Pieces and Easy Targets


It generally takes more effort for hackers to infiltrate each county or state's system than to go after low-hanging fruit such as campaigns, where thousands of temporary employees make for appealing marks. As we saw in 2016, the impact of campaign data breaches and information leaks can be catastrophic.

Attackers can penetrate campaigns in a number of different ways, but the strongest defense is simply making sure the basics are locked down. The D3P's Cybersecurity Campaign Playbook doesn't reveal any groundbreaking security tactics. It's essentially a checklist campaigns can use to make sure every employee or volunteer is vetted, and that anyone working with campaign data uses protection mechanisms like two-factor authentication (2FA) and encrypted messaging services such as Signal or Wickr. They also need to be trained in common-sense information hygiene, with awareness of how to spot phishing schemes.

Robby Mook talked about simple habits: say, automatically deleting emails you know you won't need, because there's always a chance that data will leak if it's sitting around.

"The [Clinton] campaign is an interesting example, because we had that second factor on our campaign accounts and business rules about keeping data and information within our domain," explained Mook. "The bad guys, we learned in retrospect, got a lot of staff to click through phishing links, but those attempts weren't successful, because we had safeguards in place. When they couldn't get in that way, they went around to people's personal accounts."

Campaign security is tricky: There are thousands of moving parts, and often there's no budget or expertise to build in cutting-edge information security protections from scratch. The tech industry has stepped up on this front, collectively providing a number of free tools for campaigns leading up to the midterms.

Alphabet's Jigsaw is giving campaigns DDoS protection through Project Shield, and Google has extended its Advanced Protection Program, which requires hardware security keys to sign in, to political campaigns. Microsoft is offering political parties free AccountGuard threat detection in Office 365, and this summer, the company hosted cybersecurity workshops with both the DNC and RNC. McAfee is giving away McAfee Cloud for Secured Elections free for a year to election offices in all 50 states.

Other cloud tech and security companies—including Symantec, Cloudflare, Centrify, and Akamai—are providing similar free or discounted tools. It's all part of the tech industry's collective PR campaign of sorts, making a more concerted effort to improve election security than Silicon Valley has in the past.

Getting Campaigns on Encrypted Apps

Wickr, for example, is (more or less) giving campaigns access to its service for free, and working directly with campaigns and the DNC to train campaign workers and build out secure communications networks.

The number of campaigns using Wickr has tripled since April, and more than half of Senate campaigns and over 70 political consulting teams were using the platform as of this summer, according to the company. Audra Grassia, Wickr's political and government lead, has been heading up its efforts with political committees and campaigns in Washington, D.C. for the past year.

"I think people outside of politics have a hard time understanding how difficult it is to deploy solutions across multiple campaigns, at every level," said Grassia. "Every campaign is its own separate small business with staff rotating out every two years."

Individual campaigns often don't have the funding for cybersecurity, but the big political committees do. In the wake of 2016, the DNC in particular has invested heavily in cybersecurity and this kind of relationship-building with Silicon Valley. The committee now has a tech team of 35 people led by new CTO Raffi Krikorian, formerly of Twitter and Uber. The DNC's new Chief Security Officer, Bob Lord, was formerly a security exec at Yahoo who is intimately acquainted with dealing with catastrophic hacks.

Grassia's team has been working directly with the DNC, helping get Wickr's technology deployed and offering campaigns various levels of training. Wickr is one of the tech providers featured in the DNC's tech marketplace for candidates. "The moving pieces within a campaign are really staggering," said Wickr CEO Joel Wallenstrom.

He explained that campaigns don't have the tech knowledge or the resources to invest in enterprise-grade information security or to pay Silicon Valley prices for talent. Encrypted apps essentially offer built-in infrastructure to move all of a campaign's data and internal communications into secure environments without hiring an expensive consulting team to configure it all. It's not an all-encompassing solution; end-to-end encryption protects messages in transit, not a phone or laptop an attacker has already compromised. But at the very least, encrypted apps can get a campaign's essentials locked down relatively quickly.

In the midterms and future elections, Robby Mook said, there are a few campaign attack vectors he's most concerned about. One is DDoS attacks on campaign websites in critical moments, such as during a convention speech or a primary contest when candidates are banking on online donations. He's also worried about fake sites as a one-two punch to steal money.

"We've seen a little bit of this, but I think one thing to watch is fake fundraising sites that can create confusion and doubt in the donation process," said Mook. "I think it could get much worse with social engineering trying to trick campaign staff into wiring money or rerouting donations to thieves. The danger of this is particularly high because for an adversary, not only is it lucrative, but it distracts campaigns from the real issues and keeps them focused on intrigue."

The Information War for Voters' Minds


The most difficult aspects of modern election security to understand, let alone to protect against, are misinformation and social influence campaigns. It's the issue that has played out most publicly online, in Congress, and on the social platforms at the heart of the conundrum threatening democracy.

Fake news and misinformation disseminated to influence voters can come in many different forms. In 2016, it came from micro-targeted political ads on social media, from groups and fake accounts circulating false information about candidates, and from leaked campaign data strategically disseminated for information warfare.

Mark Zuckerberg famously said days after the election that fake news on Facebook influencing the election was a "pretty crazy idea." It took a disastrous year of data scandals and revenue hits for Facebook to get where it is now: mass purges of political spam accounts, verifying political ads, and setting up a midterm election "war room" as part of a comprehensive strategy to fight election meddling.

Twitter has taken similar steps, verifying political candidates and cracking down on bots and trolls, but misinformation persists. The companies have been honest about the fact that they're in an arms race with cyber foes to find and delete fake accounts and to stem fake news. Facebook shut down an Iran-linked propaganda campaign comprising 82 pages, groups, and accounts just last week.

But machine-learning algorithms and human moderators can only go so far. The spread of misinformation via WhatsApp in Brazil's presidential election is just one example of how much more work social media companies need to do.

Facebook, Twitter, and tech giants such as Apple have gone from tacitly acknowledging the role their platforms play in elections to accepting responsibility and trying to fix the very complicated problems they helped to create. But is it enough?

"Influence in elections has always been there, but what we're seeing is a new level of sophistication," said Travis Breaux, Associate Professor of Computer Science at Carnegie Mellon, whose research concerns privacy and security.

Breaux said the types of misinformation campaigns we're seeing from Russia, Iran, and other nation-state actors aren't all that different from the playbook espionage agents have been using for decades. He pointed to a 1983 book called The KGB and Soviet Disinformation, written by an ex-intelligence officer, which talked about state-sponsored Cold War information campaigns designed to mislead, confound, or inflame foreign opinion. Russia's hackers and troll farms are doing the same thing today, only their efforts are magnified exponentially by the power of digital tools and the reach they provide. Twitter can blast a message out to the entire world in an instant.

"There is a combination of existing techniques, like fake accounts, that now we're seeing become operationalized," said Breaux. "We have to get up to speed and understand what genuine, trusted information looks like."

McAfee CTO Steve Grobman thinks the government should run public service campaigns to raise awareness about false or manipulated information. He said one of the biggest issues in 2016 was the flagrant assumption that breached data had integrity.

In the late stages of an election cycle, when there isn't time to independently verify the validity of information, information warfare can be particularly powerful.

"When John Podesta's emails were published on WikiLeaks, the press was making the assumption that they were all really Podesta's emails," said Grobman. PCMag has not independently investigated the authenticity of the leaked emails, but fabricated emails attributed to Podesta, which had already been debunked, were still circulating as recently as this fall, according to FactCheck.org, a project run out of the Annenberg Public Policy Center at the University of Pennsylvania.

"One of the things we need to educate the public about is that any information coming out of a breach can contain fabricated data intertwined with legitimate data to feed whatever narrative adversaries are leading you toward. People may believe something fabricated that influences their vote."

This extends not just to what you see online and on social media, but also to logistical details about voting in your area. Official election websites don't even follow a consistent domain pattern from one local municipality to the next, so voters need an official means of discerning what's real.

"Imagine hackers trying to sway an election toward a candidate in a given rural or urban area," said Grobman. "You send a phishing email to all the voters saying that due to weather, the election has been postponed for 24 hours, or give them a false updated polling place location."
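The fake-postponement and fake-polling-place scenario Grobman describes is exactly the kind of message that can be triaged mechanically. The following Python script is an added illustration, not code from the article or from any of the organizations it quotes: it pulls the links out of a message, checks each one against an allowlist of official election domains, flags hosts that imitate an official domain, and treats any claim of a postponement or location change that carries no verifiable link as unverified. The allowlist, the trigger phrases and the four sample messages are all constructed for the example; a real deployment would load the allowlist from the state's published list of county board sites.

```python
"""Triage voting-logistics messages by where their links actually point.

Added example; the allowlist and messages below are constructed, not real.
"""
import re
from urllib.parse import urlparse

# Hypothetical allowlist of official election domains (assumption for this
# example; a real list comes from the state or county election authority).
OFFICIAL_DOMAINS = {"elections.ny.gov", "vote.example.gov"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Claims that change when or where someone votes are the ones an attacker
# would forge, so a message containing them gets the most scrutiny.
TRIGGER_RE = re.compile(
    r"\b(postponed|rescheduled|moved|new polling (?:place|location)|closed)\b",
    re.IGNORECASE,
)


def extract_urls(text):
    """Return the URLs in the text with trailing sentence punctuation removed."""
    return [u.rstrip(".,;:!?") for u in URL_RE.findall(text)]


def host_of(url):
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_official(host, allow=OFFICIAL_DOMAINS):
    """True only for an allowlisted domain or a subdomain of one.

    A suffix check on the dotted name is used so that a host such as
    'elections.ny.gov.example.com' is NOT accepted.
    """
    return any(host == d or host.endswith("." + d) for d in allow)


def lookalike_of(host, allow=OFFICIAL_DOMAINS):
    """Name the official domain an unofficial host imitates, if any.

    Heuristic: strip punctuation from the host and look for every distinctive
    label (longer than three characters, not 'www') of an official domain.
    'elections-ny-gov.com' therefore imitates 'elections.ny.gov'. Short labels
    such as 'ny' or 'gov' are ignored so they cannot trigger a match alone.
    """
    flat = re.sub(r"[^a-z0-9]", "", host)
    for d in sorted(allow):
        labels = [lbl for lbl in d.split(".") if len(lbl) > 3 and lbl != "www"]
        if labels and all(lbl in flat for lbl in labels):
            return d
    return None


def classify(message, allow=OFFICIAL_DOMAINS):
    """Return (verdict, details) for one message.

    verdict is one of 'official', 'suspicious', 'unverified' or 'no_links'.
    """
    urls = extract_urls(message)
    triggered = bool(TRIGGER_RE.search(message))
    links = []
    for u in urls:
        h = host_of(u)
        if is_official(h, allow):
            links.append((u, "official"))
        else:
            imitated = lookalike_of(h, allow)
            links.append((u, f"lookalike of {imitated}" if imitated else "not official"))
    if not urls:
        # A postponement or location change with nothing to check is unverified.
        verdict = "unverified" if triggered else "no_links"
    elif all(tag == "official" for _, tag in links):
        verdict = "official"
    else:
        verdict = "suspicious"
    return verdict, {"triggered": triggered, "links": links}


# Constructed sample messages: one legitimate reminder and three of the kind
# of fakes described in the text.
SAMPLE_MESSAGES = [
    "Reminder: polls are open 6 a.m. to 9 p.m. Look up your polling place at "
    "https://elections.ny.gov/lookup.",
    "URGENT: because of the storm, voting has been postponed 24 hours. Confirm "
    "your new polling location at http://elections-ny-gov.com/update",
    "Your polling place has closed. Directions to the replacement site: "
    "https://county-update.example.com/site",
    "Polls have been rescheduled to Wednesday; call your county clerk.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, details = classify(msg)
        print(f"{verdict:11} triggered={details['triggered']} {details['links']}")
```

The allowlist is the whole point: a lookalike check is only a backstop for hosts that are not on it, and the script never tries to decide on its own whether a domain "looks governmental". That mirrors the advice in the text that voters need an official, published source of truth rather than a heuristic.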

Ultimately, it's up to voters to filter out misinformation. New York State Chief Information Security Officer Deborah Snyder said, "Don't get your news from Facebook, vote your mindset," and make sure your facts are coming from verified sources. Wickr's Joel Wallenstrom believes voters need to brace themselves for an awful lot of FUD (fear, uncertainty, and doubt). He also thinks you should just turn off Twitter.

Robby Mook said that whether you're dealing with cybercrime or data warfare operations, it's important to remember that the information you see is designed to make you think and act a certain way. Don't.

"Voters need to take a step back and ask themselves what matters to them, not what's being said to them," said Mook. "Focus on the substance of the candidates, the decisions these public officials are going to make, and how those decisions will impact their lives."

Throw Everything We've Got at 'Em. Run It Again

America Under Siege

The Defending Digital Democracy project's election security simulation drill started at 8 a.m. in Cambridge, Mass. At the outset, with participants working in fictional states six or eight months before Election Day, 10 minutes of the exercise represented 20 days. By the end, each minute was happening in real time as everyone counted down to polling time.

Rosenbach said he, Mook, and Rhoades went in with 70 pages of scenarios scripting how election security catastrophes would play out, and they threw one after another at state officials to see how they responded.

"We'd say, here's the situation, we just got a news report of a Russian info op carried out through Twitter bots," said Rosenbach. "Also, results are coming in from this polling place that it's showing as closed but only for African-American voters. Then they'd have to react to that, while at the same time 10 other things are going down—registration data was hacked, voting infrastructure is compromised, something leaked, and on and on."

The Defending Digital Democracy Project researched demographics and the different types of polling equipment in use across 28 states to script into the simulations, and everyone was assigned a role. Low-level election administrators got to play top officials of a fictional state, and vice versa. Rosenbach said West Virginia Secretary of State Mac Warner wanted to play a poll worker.

The goal was for officials from all 38 states to leave the simulation with a response plan in their minds and to ask the right questions when it really matters. Have we encrypted this link? Is the voter database secure? Have we locked down who has physical access to the polling machines before election day?

An arguably more important byproduct of the tabletop exercise was the creation of a network of election officials across the country to share information and exchange best practices. Rosenbach called it a sort of "informal ISAC" (Information Sharing and Analysis Center) that has remained very active leading up to the midterms, with states sharing the types of attacks and vulnerabilities they're seeing.

States are also doing this kind of training on their own. New York kicked off a series of regional tabletop exercises in May in partnership with the Department of Homeland Security focusing on cybersecurity preparedness and threat response.

NYS CISO Snyder said the State Board of Elections provided election-specific training to County Boards of Elections. In addition, the free cyber awareness training provided to all 140,000 state workers was made available to local municipalities, so they received both the election-specific and the general cybersecurity awareness training. Snyder also said she has reached out to other states that have suffered voter data breaches to find out what happened and why.

"Partnerships are what make cybersecurity work. Lack of intelligence sharing is why it fails," said Snyder. "States are realizing cyber can't be done in silos, and the advantage of that shared situational awareness far outweighs the embarrassment of telling the tale of how you got hacked."

The D3P is sending teams across the country during the midterms to observe the elections in dozens of states and report back to improve the project's playbooks and trainings before 2020. One sentiment a number of sources shared is that cyber adversaries may not hit the US as hard in the midterms. America was caught entirely off-guard during the 2016 election, and 2018 will show nation-state hackers what we have and haven't learned since then.

Cyber warfare isn't only about full-frontal assaults. Hacking and misinformation campaigns are more covert, and they rely upon hitting you with exactly what you're not expecting. As for Russia, Iran, China, North Korea, and others, many security and foreign policy experts fear that far more devastating attacks on US elections will come in the 2020 presidential campaign cycle.

"The Russians are still active, but I'd be surprised if the North Koreans, Chinese, and Iranians weren't watching very carefully to see what we do in the midterms and laying clandestine groundwork, just like any intel cyber operation," said Rosenbach.

The cyber attacks we see during the midterms and in 2020 may well come from entirely new vectors that weren't in any of the simulations; a new generation of exploits and techniques no one expected or prepared to face. But at least we'll know they're coming.


About Rob Marvin

Associate Features Editor

Rob Marvin is PCMag's Associate Features Editor. He writes features, news, and trend stories on all manner of emerging technologies. Beats include: startups, business and venture capital, blockchain and cryptocurrencies, AI, augmented and virtual reality, IoT and automation, legal cannabis tech, social media, streaming, security, mobile commerce, M&A, and entertainment. Rob was previously Assistant Editor and Associate Editor in PCMag's Business section. Prior to that, he served as an editor at SD Times. He graduated from Syracuse University's S.I. Newhouse School of Public Communications. You can also find his business and tech coverage on Entrepreneur and Fox Business. Rob is also an unabashed nerd who does occasional entertainment writing for Geek.com on movies, TV, and culture. Once a year you can find him on a couch with friends marathoning The Lord of the Rings trilogy--extended editions. Follow Rob on Twitter at @rjmarvin1.
