Local officials consistently play down suspicions about the long lines at polling places on Election Day 2016 that led some discouraged voters in heavily Democratic Durham County, N.C., to leave without casting a ballot.
Minor glitches in the way new electronic poll books were put to use had simply gummed things up, according to local elections officials there. Elections Board Chairman William Brian Jr. assured Durham residents that “an extensive investigation” showed there was nothing to worry about with the county’s new registration software.
He was wrong.
What Brian and other election officials across eight states didn’t know until the leak of a classified intelligence is that Russian operatives hacked into the Florida headquarters of VR Systems, Inc., the vendor that sold them digital products to manage voter registrations.
A week before the election, the hackers sent emails using a VR Systems address to 122 state and local election officials across the country, inviting them to open an attachment wired with malicious software that spoofed “legitimate elections-related services,” the report said. The malware was designed to retrieve enough additional information to set the stage for serious mischief, said the National Security Agency report disclosed by the Intercept, an investigative web site.
That wasn’t the only type of attack.
The new revelations about the Kremlin’s broad and sophisticated cyber offensive targeting Democrat Hillary Clinton and aimed at seating Donald Trump in the Oval Office have set off a wave of worry about the security of the nation’s voting systems. State election officials, facing questions as to whether they ignored oddities or red flags, have responded by accusing intelligence agencies of failing to alert them of the risks.
The truth is a hodge-podge of electronic machinery that enables Americans to exercise their most sacred democratic right is weakly guarded by state and local agencies. Those officials are quick to assure the voting public that their systems are secure, but they lack the resources and technical know-how to defend against cyber intrusions, or even to perform forensic examinations to ensure nothing happened.
Election officials in Illinois, another state that VR Systems lists as a customer, did not find out they were hacked by Russian operatives late last June until a week or two later. By then, the Russian operatives had downloaded about 90,000 voter registration records, leading to an investigation by the FBI and the U.S. Department of Homeland Security, said Ken Menzel, general counsel of the Illinois Board of Elections. Menzel confirmed a Bloomberg report that the Russians appeared to have made unsuccessful attempts to alter or delete some records.
In Georgia, where a nationally watched congressional runoff race is scheduled for Tuesday, Politico magazine reported that a U.S. hacker from a national laboratory seeking to expose vulnerabilities in election systems was able to easily download millions of voter records from Kennesaw State University’s Center for Election Systems, which manages them. Election watchdog groups say subsequent warnings to the state about a hole in their system went unheeded for months.
David Jefferson, a computer scientist at the Lawrence Livermore National Laboratory in California who has acted in his personal capacity in trying to safeguard election integrity, said he believes it is “absolutely possible” that the Russians affected last year’s election.
“And we have done almost nothing to seriously examine that,” he said.
“The Russians really were engaged in a pattern of attacks against the machinery of the election, and not merely a pattern of propaganda or information warfare and selective leaking,” said Alex Halderman, a University of Michigan computer science professor. “The question is, how far did they get in that pattern of attacks, and were they successful?”
Election officials across the country may not even know if they’ve been attacked, computer scientists say, pointing to the scenario that played out in Durham County.
State and local voting systems appear to be easy prey for sophisticated hackers.
Five states use electronic voting machines with no paper backups, precluding audits that might verify the accuracy of their vote counts. They include Georgia, scene of Tuesday’s 6th District runoff election, Delaware, Louisiana, New Jersey and South Carolina. Parts of another nine states also are paperless, including the crucial swing state of Pennsylvania.
Although Congress has discouraged use of internet voting because of the potential for hackers to tamper with ballots, some 32 states allow military and overseas voters to transmit ballots online or via insecure fax machines. Alaska, Washington state and Hawaii have been the most permissive.
“If we don’t fix our badly broken system before the next major presidential election, we’re going to be hacked into,” said Barbara Simons, author of “Broken Ballots,” a 2012 book about election security published by Stanford University. “It might not just be Russia. It might be North Korea, China, Iran or partisans.”
While the Netherlands opted to shift to paper ballots when alerted the Russians were trying to swing its election outcome to the right, U.S. election officials have stood pat.
But former FBI Director James Comey, in widely watched testimony to the Senate Intelligence Committee on June 8, said “there should be no fuzz” about Russia’s barrage of millions of social media messages spreading falsehoods about Clinton.
“The Russians interfered in our election during the 2016 cycle,” he said. “They did it with purpose. They did it with sophistication. They did it with overwhelming technical efforts ... And it is very, very serious.”
America’s saving grace could be its decentralized system in which cities, counties and states have used federal grants to procure a wide variety of voting equipment, limiting the potential impact of a single attack.
But that doesn’t mean targeted attacks couldn’t tip the outcome of closely divided races, even for the presidency.
On Jan. 6, American intelligence agencies issued a declassified report accusing Russia of the cyber attack ultimately aimed at helping Trump, calling it the Kremlin’s “boldest” operation ever aimed at influencing the United States. In a brief notation, the report said that, while the Russians targeted state and local voting systems, they did not attempt to corrupt vote-tallying equipment.
On the same day the report was released, in one of his last acts as U.S. secretary of Homeland Security, Jeh Johnson proclaimed the nation’s election systems to be “Critical Infrastructure,” a designation that not only makes their security a higher priority, but improves the climate for federal-state cooperation. Because state and local officials exert total control over their operations, the agency only can investigate a vulnerability or possible breach if asked to do so – an obstacle the new designation didn’t change.
A senior Homeland Security official, in an interview with McClatchy, batted down as wildly exaggerated a Bloomberg report stating that Russian cyber operatives had made “hits” on voting systems in 39 states. Every web site is constantly scanned by “bad actors,” just as burglars might case homes in a neighborhood. That doesn’t equate to hacking, said the official, who spoke on condition of anonymity because of the sensitivity of the matter.
“The ability to manipulate the vote tally, that’s quite complicated,” the Homeland Security official said. “We didn’t see an ability to really accomplish that even in an individual voting machine. You have to have physical access to do that. It’s not as easy as you think.”
Some of the nation’s top experts in voting security disagree.
Lawrence Livermore’s Jefferson voiced frustration with the “defensive” refrain of denials from state and local election officials, including the National Association of Secretaries of State.
“Election officials do not talk about vulnerabilities,” Jefferson said, “because that would give the advantage to the attacker. And they don’t want to undermine public confidence in elections.”
Halderman said Homeland Security officials told him they were unaware of a single county in any state that had conducted post-election forensic examinations of their voting equipment.
The Homeland Security official who spoke with McClatchy said the main concern for agency cyber specialists is not about vote-tampering; it’s related to the ability of intruders to sow confusion and chaos. That could entail schemes to foul voter registration data by, for example, removing the names of voters from the rolls so they are turned away at polling stations.
“This scenario is what we witnessed on the ground in North Carolina on Election Day,” said Susan Greenhalgh, a spokeswoman for the election watchdog group Verified Voting.
"If attackers wanted to impact an election through an attack on a vendor like VR Systems,” she said, “they could manipulate or delete voter records impacting a voter's ability to cast a regular ballot. Or, they could cause the E-Pollbooks (electronic databases of voters) to malfunction, hampering the check-in process and creating long lines.”
North Carolina was considered to be a swing state in the presidential race, and Durham County, with an African-American population of more than 37 percent, had voted more than 75 percent in favor of putting and keeping Barack Obama in the White House. Last year’s governor’s race was a dead heat entering Election Day.
The chaos in Durham County led to 90-minute delays. Some voters rang a Voter Protection Hotline to complain that their names had disappeared from the registration system or that they were told they already had voted.
The county hired a contractor to investigate the foul-up, but the inquiry never examined whether the system was hacked.
Twenty other North Carolina counties used the system, including Mecklenburg County, encompassing most of Charlotte. Though none reported problems on the scale of Durham County, release of the NSA report prompted the North Carolina Board of Elections to order a new investigation.
A former FBI agent is leading the inquiry. Critics say the three-member investigative team again lacks expertise in forensics.
Mindy Perkins, VR Systems’ president and chief executive officer, said in a statement that the company immediately notified all of its customers as soon as it was alerted “to an obviously fraudulent email purporting to come from VR Systems” and advised them not to click on the attachment.
“We are only aware of a handful of our customers who actually received the fraudulent email,” she said. “We have no indication that any of them clicked on the attachment or were compromised as a result.”
She said the company has “policies and procedures in effect to protect our customers and our company.”
Even so, Russia succeeded in sneaking up on U.S. agencies, voting system vendors and intelligence agencies.
Halderman, the University of Michigan expert, said he believes the best solution is for states to require paper trails for all voting equipment and post-election audits to ensure the vote counts are authentic.
“There’s no guarantee that we’ll know we’re under attack,” he said, “unless we do the quality control that we need by doing these audits to detect manipulation.”
(Update: The number of states in which some jurisdictions use voting machines without paper ballot backups has been updated in this story and the corresponding map)