All sides agree that Russian meddling appeared to have a smaller impact on the 2018 elections than it did two years earlier.
Yet nobody can agree on why.
One explanation is that the Russians didn’t try as hard. Another is that the U.S. was better prepared to fend off hacking attempts. The scariest explanation is that the Russians did meddle but have become sophisticated enough that American officials missed it.
Each explanation has its defenders, and the differences explain why there is such a fierce debate but no prospects for immediate action in Washington.
Senate Majority Leader Mitch McConnell, the Kentucky Republican who controls which bills reach his chamber’s floor, said he is looking to schedule a briefing for lawmakers but is in no hurry to speed legislation.
“I do think the missing story that very few of you have written about is the absence of problems in the 2018 election,” Mr. McConnell said. “I think the Trump administration did a much, much better job working with state and local officials in the last election. Remember, the one that generated all the problems was in 2016.”
His Democratic counterpart, Senate Minority Leader Charles E. Schumer of New York, said Mr. McConnell was “declaring ‘Mission Accomplished’” because of one successful Election Day. He called that irresponsible.
“There are a lot of reasons, but every expert expects it to be worse in 2020, including the FBI director who is President Trump’s own appointee who has more knowledge of this than anybody else. So why not do something?” Mr. Schumer said.
Analysts say both men likely make some correct assessments but Mr. Schumer’s warnings ring more true.
“I would say Russia sat it out in 2018. They were not as aggressive, and the lower level of activity was due to the fact that it was a nonpresidential year,” said Michael Daniel, president and CEO of the Cyber Threat Alliance and cybersecurity coordinator for President Obama’s National Security Council.
All told, 470 House and Senate seats were up for grabs during midterms, making it harder for Moscow to determine and target specific races worthy of meddling, Mr. Daniel said.
“The presidential election is really the bigger prize in terms of American attention and influence over the political process. It is also more concentrated than the midterms, which is harder to cause a large level of disruption,” said J. Alex Halderman, director of the Center for Computer Security & Society at the University of Michigan.
Reports of hackers targeting election networks last year were scattered. The Homeland Security Department cited one effort to insert malicious computer code or fake requests for voter registration forms, The Boston Globe reported. One state blocked more than 51,000 login attempts from foreign countries in a 24-hour period, the documents reportedly disclosed.
No evidence of Russian involvement was found, and the attempts were far from the sophisticated attacks waged against the U.S. in 2016, when hackers broke into the voter registration databases in 21 states and stole personal information from 500,000 American voters.
Where Russia did increase its efforts in 2018 was on social media.
One Russian operation — the Internet Research Agency, which prosecutors blame for social media chaos ahead of the 2016 presidential election — doubled its spending heading into the 2018 elections, according to a Justice Department indictment lodged against the group’s accountant.
The agency also changed tactics. In 2016, it created and spread false stories. In 2018, it worked to boost conspiracy theories and internet memes gaining traction on the political left or right. Such posts are easier to pass off as American and harder to link back to Russia, and they don’t require the time to make up a story, analysts said.
“Narrative No. 1 was trying to plant kernels of doubt in people’s minds about the election itself, and narrative No. 2 was amplifying the extreme messaging on the right and left on hot button issues to draw more polarizing content into the mainstream,” said David Salvo, deputy director of the Alliance for Securing Democracy, an election security advocacy group.
Analysts said they expect Russia to be acting in both spheres — social media disruption and election systems hacking — in 2020.
Worst-case scenarios involve purging voter rolls, leaving voters without a chance to cast ballots on Election Day, or even attempting to alter the results of elections by hacking voting machines.
“It is certain the attacks are going to evolve,” Mr. Halderman said. “We’ve seen that in every attack, and the most likely direction the attacks will evolve is further efforts toward election mechanics and election infrastructure. Russia got a tremendous return on investment just poking around with the voter registration system in 2016.”
The decentralized U.S. system makes playing defense difficult.
Each state runs its own elections, with different rules and levels of protection and security on its systems.
Some state officials said that was an asset, not a burden.
Matthew Dunlap, Maine’s secretary of state, said elections are in his state are controlled by 500 different municipalities, making meddling in all of them nearly impossible.
“It’s not like ‘Star Wars,’ where you can shut down the Death Star with a switch. There is no central switch; there are 500 switches in the state of Maine,” Mr. Dunlap said.
“It would require a level of sophisticated coordination that is inconceivable to the human mind because we also have over 500 people who pursue election security with almost a religious zeal,” he said.
The Homeland Security Department has tried to help by establishing a hub to share information about threats and offering to conduct stress tests to evaluate vulnerabilities.
“We are significantly underprepared despite a lot of productive efforts on the part of many states and Department of Homeland Security,” Mr. Halderman said. “The local governments should never be on the frontline of an international cyberwar, but in elections that is the situation.”
But states say they can deal with the threats, and some are wary of the federal government’s help. They fear it’s the first step to a takeover.
“We are skeptical of accepting help,” said David Scanlan, New Hampshire’s deputy secretary of state. “We have turned down things like cyber hygiene and stress tests, which allows the federal government to get into your system. We are very cautious about the types of assistance they offer.”
Mr. Dunlap agreed. He turned down Homeland Security’s stress tests for similar reasons.
“We don’t like other actors coming into our systems,” he said. We do our own testing, and it is similar to what [Homeland Security] did.”
Mr. Dunlap said his distrust stems from Homeland Security’s testing of the state’s election infrastructure without alerting local officials.
“They probed us without telling us, and we told them to stop probing the system, and they said, ‘OK,’” he said.
State officials say their distrust comes from the cloaked nature in which Homeland Security controls information.
The public was notified only last month about Russian hackers’ successful penetration of the voter registration files in two Florida counties in 2016. Special counsel Robert Mueller’s report hinted at the breach, and Gov. Ron DeSantis went public with the information in May after meeting with the FBI and Homeland Security.
Trevor Timmons of Colorado’s secretary of state office said he is frustrated with Homeland Security’s unwillingness to be forthcoming.
“They don’t provide specifics about who it was that was attacked and whether it was a success or failure,” he said. “That piece matters so we can learn what to do to protect ourselves from a similar incident. DHS can get better at making sure everyone who is affected gets notified in a timely manner.”
But he does find the government’s assistance helpful.
“Those penetration tests are very important because the reality is bad guys are attacking your systems and trying to find a way in all the time,” said Mr. Timmons, chief information officer in Colorado’s operation. “Not doing those tests from DHS means you don’t know where your vulnerabilities might be.”
Once Homeland Security designated elections as critical infrastructure in the wake of the 2016 presidential election, he said, it paved the way for better cooperation.
“In the past year, they’ve done a very good job of stuffing up, adding people who know the space — hard-core cybersecurity people who know what needs to be done rather than ask silly questions,” he said.