Why foreign election interference fizzled in 2020

As the 2020 presidential campaign ramped up in August, US intelligence agencies warned that Russia, China, and Iran would attempt to interfere in the elections using disinformation campaigns or potentially disrupting voting processes. While officials continue to believe that Russia should remain the primary concern, Iran stole the headlines this election season with a brazen email campaign, while China steadily expanded efforts to shape US policy. US agencies and social media companies had four years to prepare after the high-profile Russian onslaught of hacked material and fake news in 2016, and the initial evidence suggests the new policies and playbooks they deployed helped limit the damage in 2020.  

One scenario that worried US officials was the possibility of highly visible tactics on Election Day that would create distrust about the integrity of the vote, such as the flooding of election websites with overwhelming traffic or the shutdown of voting infrastructure with ransomware. Officials also warned that a close contest that took days to resolve could be fertile ground for foreign disinformation campaigns. But while the 2020 contest stretched on for days, no real evidence of successful foreign disinformation campaigns has materialized. Quick action by US agencies to identify and publicize potential disinformation activities, “hunt forward” missions to build intelligence and offensive cyber campaigns, as well as rapid takedowns by social media companies seem to have helped prevent the dramatic foreign efforts observed in 2016.

Federal agencies acted fast:

Thirteen days before the election, a surprise federal government press conference revealed that Russia and Iran had both obtained US voter registration information, possibly from publicly available sources. While Russian usage was reported to be narrowly localized in its targets, Iran used the data to send barrages of spoofed emails to sow chaos. The emails warned Democratic voters in Florida, Alaska, and elsewhere that “we will come after you” if they did not vote for President Trump. The threatening messages claimed to be from the far-right group called the Proud Boys. While Director of National Intelligence John Ratcliffe argued that “these actions are desperate attempts by desperate adversaries,” FBI Director Chris Wray insisted that claims online that question the voting process should be met with “a healthy dose of skepticism.”

The National Security Agency had been watching the Iranians for a while, which allowed for rapid attribution and a public release on their tactics. A joint cybersecurity advisory provided technical details on how the Iranians responsible for the intimidating emails obtained voter registration data by scanning state election websites with widely-used tools and advanced open source queries while attempting intrusion methods. Access in one state, namely Alaska, involved an abuse of a misconfiguration that made the website available, but did not constitute a direct compromise of the site. The advisory gave mitigation recommendations for organizations to effectively detect and block further attempts to steal voter files.

Subscribe to Fast Thinking email alerts

Sign up to receive rapid insight in your inbox from Atlantic Council experts on global events as they unfold.

  • This field is for validation purposes and should be left unchanged.

Taking the fight abroad:

US Cyber Command took the response further, conducting a covert cyber operation against the hackers working for the Iranian Islamic Revolutionary Guard Corps, and the Russian state-run group Dragonfly. Cyber Command uses its global reach to search for disinformation or hacking operations that are underway and conducts pre-emptive strikes to stop them. Director of the National Security Agency and Commander of the Cyber Command General Paul Nakasone was “very confident in actions” over the past several weeks to ensure adversaries were not going to interfere in the election. Cyber Command also expanded overseas missions over the past two years, sending teams to Europe to monitor the Russians, and to the Middle East and Asia to find Iranian and Chinese hackers on partner networks. During these hunt forward missions, the teams tried to identify the tools foreign adversaries use to break into computer networks, and then these findings were used to help defend critical networks and update antivirus products to better protect users.

The malicious software uncovered by Cyber Command during these overseas missions was used by other government agencies to help state and local officials shore up election system defenses. The Cybersecurity and Infrastructure Security Agency (CISA) also helped election officials from roughly 8,800 voting precincts find and fix security gaps in vote-registration, tallying, and reporting systems. CISA encouraged them to patch systems to reduce entry points, configure firewalls to block data, and limit applications to prevent malicious software from running and spreading throughout a network. After the election, CISA director Christopher Krebs reported that “we have no evidence any foreign adversary was capable of preventing Americans from voting or changing vote tallies,” suggesting that these steps might have deterred adversary access or interference by making it simply too hard.

In addition, US Cyber Command hacked command and control servers for the Russian-speaking TrickBot criminal operation and temporarily cut off access to thousands of infected computers used for global ransomware attacks. In a parallel takedown effort, Microsoft had seen TrickBot surveillance capabilities that would allow determination of which infected computers belonged to election officials and lock them. The connection of TrickBot operators to the Kremlin is questionable, but nonetheless the first publicly confirmed US military actions against cybercriminals sent a signal that interference will not be tolerated. Another warning of potential punishment was the recent indictment of Sandworm, a hacker team affiliated with Russian military intelligence and responsible for worldwide disruptive cyberattacks, including on the 2017 French presidential election.

Emphasis on rapid takedowns:

US officials were on alert for disinformation spreading on social media as the votes were tallied. False narratives discrediting the election processes and outcomes could be more damaging than cyberattacks. Officials were also quick too act. When fake Twitter accounts impersonating the Associated Press attempted to call election results prematurely, the CISA director immediately tweeted “Don’t fall for it!” linking to an agency guide that says, “malicious actors can use fake personas and impersonate real accounts.” Twitter permanently suspended the accounts in question.

Facebook was prepared with “break glass” options to prevent election unrest, to include suppressing inflammatory posts. The social media giant employed them not against foreign entities, but a domestic group called “Stop the Steal” that was organizing protests of vote counts across the country. Facebook removed the group, of more than 361,000 members, over calls for violence—although the platform has not been able to eliminate widespread use of the hashtag.

Foreign action dwarfed by domestic misinformation

Overall, foreign disinformation campaigns appeared to be smaller in reach and impact than in 2016.  Researchers at the Election Integrity Partnership—which includes the Atlantic Council’s Digital Forensic Research Lab—found limited activity by Russian trolls. They report in 2020 that assets linked to the Russian Internet Research Agency promoted unverified claims of massive ballot tampering with hyper-partisan headlines. The false information was shared by US citizens and spread across fringe social media sites visited by right-wing groups. This election cycle, Russian seemed to rely on state-controlled news outlets to push rhetoric on voter fraud, while boosting President Trump’s vocal claims of a rigged election. A Russia Today headline read “Ohio county elections board confirms mailing 50,000 WRONG BALLOTS, denies Trump’s ‘rigged’ race claim.” 

While seemingly unable to reproduce their massive disinformation campaign from 2016, the Kremlin saw the US election as a chance to cast Western democracy as prone to chaos on Russian state television in order to discredit liberal ideas in their own country.

Meanwhile in China, state media and commentariat followed the same pattern, lambasting democracy in the face of potential violence and court battles. In Hong Kong, newspapers seized on election turmoil as evidence of hypocrisy by Washington.

Thanks to the efforts of US agencies, the chaotic aftermath of the presidential election saw no massively successful foreign interference campaigns. But President Trump’s continued baseless claims of voter fraud did achieve the erosion of trust in the voting process that many of these foreign adversaries were hoping for. The lessons of 2016 seem to have been heeded by those looking to protect us from disinformation from abroad, but the real threat in 2020 came from misinformation within the United States.

Scott Jasper teaches at the Naval Postgraduate School and is the author of Russian Cyber Operations: Coding the Boundaries of Conflict. You can follow him @ScotJasper.

Further reading:

Image: A woman uses her mobile phone to check the election results as Joe Biden’s lead increases, in Houston, Texas, U.S., November 6, 2020. REUTERS/Callaghan O'Hare