The FBI is investigating how the hackers got inside Twitter's systems. Photo / Jason Henry, The New York Times
The breach that targeted Joe Biden, Barack Obama and others served as a warning: Had it happened on November 3, hoping to upend the election, the political fallout could have been quite different.
Over the past year, government officials have raced to help states replace voting machines that leave nopaper trail, and to harden vulnerable online voter registration systems that many fear Russia, or others, could hijack to trigger chaos on Election Day.
But this week, the country got a startling vision of other perils in political disinformation — and how many other ways there may be to manipulate turnout, if not votes.
The hacker or hackers who bored into the command centre of Twitter on Wednesday (Thursday NZ time) — seizing control of Joe Biden's and Barack Obama's blue-checked accounts, among many others — served as a warning that some of the most critical infrastructure that could influence the election is not in the hands of government experts, and is far less protected than anyone assumed even a day ago.
The hackers probably did the nation a favor. With a crude scheme to deceive users into thinking that Biden and Obama were asking them for donations in Bitcoin — which sent more than US$120,000 ($182,000) flowing into their cryptocurrency wallets — they revealed how simple it may be to imitate the powerful and the trusted.
Had saboteurs infiltrated Twitter on November 3 instead of in the middle of July, with the goal of upending the election, the political fallout could have been quite different. False warnings of a coronavirus outbreak in key precincts in Wisconsin or Pennsylvania could have untold effect on a close vote in a battleground state. Deceptive tweets from political party accounts saying polling places were closed could sow confusion.
Or imagine a fake declaration, under Biden's account, that he was dropping out of the race — a nightmare scenario for Democrats that some federal officials said they were talking about hypothetically among themselves Wednesday night as the scope of Twitter's failure became clear.
Similar war gaming about social media and election interference has played out in classified simulations conducted by the Department of Homeland Security, which is responsible for securing the 2020 election, and at Fort Meade, Maryland, home of the National Security Agency and US Cyber Command. The results have never fully been made public.
But the nation is now getting a very public look at the effect of disinformation when trusted accounts of politicians and prominent Americans are hacked — with voters confused and more wary than ever of who is telling the truth, blue check or no blue check. The disruption revealed that the social media platform favoured by the president — one that the federal courts concluded a year ago is a conduit for official messages about national policy — was as vulnerable, in its own way, as the aging registration databases that Russian intelligence invaded four years ago in Arizona, Illinois and other states.
Investigators are still trying to determine exactly how the hackers got inside Twitter's systems and took such command of the platform that, when Twitter employees took the Bitcoin-seeking messages down, the disinformation popped right back up. Many of the details remain unclear: Investigators are still trying to determine if the hackers tricked a Twitter employee into handing over login information. Twitter suggested Wednesday that the hackers had used "social engineering," a strategy to gain passwords or other personal information by posing as a trusted person like a company representative.
But another line of inquiry includes whether a Twitter employee was bribed for his or her credentials, something one person who claimed responsibility for the hacking told the technology site Motherboard.
In the end, it may matter less how they did it than that they succeeded. As Christopher Krebs, who leads the Cybersecurity and Infrastructure Agency at the Department of Homeland Security, has often noted, influencing an election requires either hacking into voter systems or hacking into voters' brains. The Twitter breach demonstrated yet another way to accomplish the latter, what Krebs called Thursday "the more likely, less costly way" to mount an attack.
Until Wednesday's attack, most of the officials and analysts at the array of federal agencies confronting election threats were focused heavily on voting systems — because that is the area over which governments have most control. Their particular worry was a convergence of cybercriminals and national intelligence agencies, particularly in Russia, deploying ransomware against underprotected American cities and towns.
A leaked FBI warning from May 1 said ransomware hackers could seek to lock up registration databases, a move that would disrupt both in-person voting and the mailing and processing of mail-in ballots. The FBI warning suggested that ransomware attacks "will likely threaten the availability of data on interconnected election servers, even if that is not the actors' intention."
The bureau had reason to worry: Atlanta, Baltimore and towns across Florida and Texas have been victims of attacks that locked up their data, making it impossible to pay taxes, get potholes fixed or obtain a building permit. The advisory noted that cybercriminals broke into the American companies that provide internet services to Louisiana election officials late last year, then carefully timed their ransomware attack to a week before an election.
It was a wake-up call, FBI analysts said, to what American states and counties might expect in 2020.
But the Twitter hacking suggested yet another vector for attack. And it was a reminder of three particular challenges facing those trying to secure the election. The first is assessing possible vulnerabilities so the country is not playing catch-up once again, long after Election Day, to outside interference with the election system or on social media. (The extent of Russia's manipulation of Facebook posts in 2016, for example, became clear only after President Donald Trump had been elected.)
The second is how well the country can lock down these systems in the 100-plus days left before the election, beyond the obvious "critical infrastructure" that will enable the November 3 vote. And the third is whether it is possible to build some national resilience to respond quickly, as Twitter tried, if something goes wrong.
Since 2016, thousands of pages of federal investigative reports have been published on what went wrong in the presidential election that year, and a congressional Cyberspace Solarium Commission has produced long lists of recommendations of how private enterprise and the government can work together.
But then there are days like Wednesday, when it seems as if all the studies were insufficient.
"We have seen disconcerting incidents of account takeovers before," said John Hultquist, the senior director of intelligence analysis at FireEye, one of the leading cybersecurity firms, "but we are very concerned about the possibility of real foreign actors hijacking legitimate sources of information — key media accounts for instance — and using that to push out disinformation" close to Election Day.
"By the time we unwind everything to figure out what happened, it could be too late," he added. "That's a very real scenario."
Or, as Laura Rosenberger, a former State Department official who now directs the Alliance for Securing Democracy project at the German Marshall Fund, noted, "What hasn't changed is our failure to think ahead. Our adversaries have an ability to turn this infrastructure, which we have created, against us, and we need to be better at anticipating the threat vectors."
Similar thoughts haunt state election officials on both sides of the aisle who say they are alarmed about what could happen if the mega-microphones of accounts belonging to the likes of Biden or Obama broadcast a bit of electoral disinformation.
Alex Padilla, the secretary of state in California, home to Twitter headquarters, said that while state officials had run simulations of a social media disinformation campaign disrupting an election day, they hadn't imagined a situation in which Twitter itself was hacked. Still, he said, threats posed by disinformation motivated him to set up VoteSure, a statewide voting information effort sparked by the special counsel's investigation of Russian interference in the 2016 election.
"I wouldn't say it was a new concern, but I would say it's a big reminder given what we've all been through over the last four years," Padilla said.
In Ohio, Frank LaRose, the secretary of state, has been conducting seminars to inform local officials about disinformation tactics and how to respond, and directing much of Ohio's federal election funds to shoring up election security. But the attack on Twitter opened a new front, he said.
"From my time in the Army, I learned that the enemy is always going to be innovating to try to find our vulnerabilities," LaRose said in a statement. "We're doing everything we can to stay ahead of the curve, including going straight into targeted communities and arming them with the tools they need to fight back against disinformation."
Of course, no one should be shocked at high-profile account takeovers: The account of Jack Dorsey, Twitter's chief executive, was compromised last year. Last year, two Twitter employees were accused of abusing their access to aid Saudi Arabia's efforts to spy on dissidents abroad.
And as far back as 2013, the Syrian Electronic Army hacked The Associated Press's Twitter account, issuing false warnings that an explosion at the White House had injured Obama. By the time the tweet could be corrected, and the hackers exposed, the stock market had plunged.
Seven years later, fears are heightened by the uncertainty over how to deal with life in a so-called dirty network, where data and information are coursing through Americans' phones on apps of questionable security — Twitter is now in that category — or under foreign control.
That is why companies ranging from PayPal and Wells Fargo, and political organizations like the Democratic National Committee, have told employees to delete the Chinese social media app TikTok from their corporate devices. On Wednesday, as the Twitter drama was unfolding, Trump's chief of staff, Mark Meadows, said the government was considering banning TikTok entirely.
"There are a number of administration officials who are looking at the national security risk as it relates to TikTok, WeChat and other apps that have the potential for national security exposure," Meadows said on Air Force One, "specifically as it relates to the gathering of information on American citizens by a foreign adversary."
But Twitter is an American company — no one is going to ban it — and it's the way that Meadows' boss communicates with his constituents and, often, with his own government. The question is whether its security flaws can be fixed in the next 16 weeks.