The U.S. Election System Remains Deeply Vulnerable, But States Would Rather Celebrate Fake Success

When the Department of Homeland Security notified 21 states that Russian actors had targeted their elections systems in the months leading up to the 2016 presidential election, the impacted states rolled out a series of defiant statements. “Oregon’s security measures thwarted Russian government attempts to access the Secretary of State computer network during the 2016 general election,” chest-thumped Oregon Secretary of State Dennis Richardson.

The Florida secretary of state’s office, which oversees elections, was triumphant: “Florida was unsuccessfully targeted by hackers last year.”

In Iowa, Secretary of State Paul Pate trumpeted the Hawkeye State’s cyber sophistication: “Iowa’s elections system was successful in blocking attempted outside intrusions.”

Not to be out done, media reports took those proclamations one step further, claiming that “Russians tried to hack Oregon elections system in 2016” and “Federal government notifies 21 states — including Iowa — of election hacking.”

But in most cases, according to the DHS, Russian actors scanned the public-facing websites of state agencies, apparently looking for vulnerabilities. The DHS said that in almost all of the cases, there was no evidence the operatives attempted to exploit any vulnerabilities. It was not, in other words, a thwarted bank robbery. Instead, Russian operatives surveyed the bank from the sidewalk, and then headed home.

While the states are busy celebrating their successes, they are doing far too little to ensure that operatives don’t get in next time they show up and actually try to infiltrate, say cybersecurity experts.

“The fact that they were scanning meant they were looking for vulnerabilities. If they come back next time, they’re going to come back much deeper,” said Latanya Sweeney, a professor of government and technology at Harvard University and author of a recent report on the possibilities of voter identity theft. “This really begs the question of not how secure were our websites last year, but how easy it is for them to hear of a vulnerability, test for it, and improve? How flexible and malleable are the systems and the infrastructures to be [able to be] changed and updated on the fly? I do think that our study shows that they’re very sluggish and very slow and very resistant, which is not good.”

The Harvard report, titled “Voter Identity Theft: Submitting Changes to Voter Registrations Online to Disrupt Elections,” concludes that online attackers can alter voter registration information in as many as 35 states and the District of Columbia by buying personal information through either legitimate or illegitimate sources. Voter registration information is public, and many states allow citizens to make changes online, even if they registered in person or by mail. A determined hacker could buy voter lists from the 36 jurisdictions that allow online registration, and separately buy the personal information used to confirm a voter’s identification – such as Social Security or drivers’ license numbers – to get in and make changes.

Many states have backend processes to verify changes to voter data. In Connecticut, one of the 21 states the DHS said was targeted by Russian actors, “the online voter registration system is separate from the official voter roll, so when a change is made to the online system, before that change gets made in the central voter database, it physically goes to the office of the registrar, who must confirm and manually make the change,” Gabe Rosenberg, communications director at the Connecticut secretary of state’s office, told The Intercept.

But that’s not necessarily enough, said Ji Su Yoo, a Harvard research analyst who co-authored the study with Sweeney. “If a human is in the loop and there’s an abnormal amount of requests [to change voter information] throughout the day, a human can be useful in saying there’s a red flag,” Yoo told The Intercept. “Another way to beat the human in the system is to insidiously just put in a few requests at a time and have the machine submit changes in a randomized order.”

This type of breach is not theoretical. In Riverside County, California, someone with access to voters’ personal information changed party affiliation information for up to hundreds of voters before the 2016 Republican Party primary. California Secretary of State Alex Padilla responded to that incident much like states have been responding to the DHS’s most recent revelations, by saying there was no evidence of a breach of the voter database. The response is problematic, Sweeney said, because it points out the difficulty in distinguishing between changes made by actual voters and those made by an imposter. “This is harmful because even if an attack happens, those responsible for our systems would be unable to detect the problems,” Sweeney told The Intercept.

Voting software is another potential target for hackers. The Intercept has previously reported on a top-secret National Security Agency report detailing a cyberattack by a Russian intelligence agency on at least one U.S. voting software supplier. The attackers sent spear-phishing emails to more than 100 local election officials just days before the November election, according to the highly classified report that was provided anonymously to The Intercept. A spokesperson for one state elections division said his office appreciates The Intercept’s reporting on the NSA document, describing it as “seminal.” But that official would only agree to speak anonymously. In public, election officials prefer to take a nothing-to-see-here attitude.

Although the DHS announcement last week unleashed a media frenzy that often conflated a scan of public-facing websites with attempts to breach election systems, the agency did not actually reveal much new information. In short, federal officials on September 22 called election officials in every state to notify them whether there had been attempts to target their election systems prior to the 2016 election. The Associated Press later identified the 21 states that were notified there had been an attempt on their systems, but in most cases, “only preparatory activity like scanning was observed,” DHS spokesperson Scott McConnell told The Intercept in a statement.  “In some cases, this involved direct scanning of targeted systems.  In other cases, malicious actors scanned for vulnerabilities in networks that may be connected to those systems or have similar characteristics in order to gain information about how to later penetrate their target.” To be clear, a network scan is not a hack, or even an attempt at one.

But we already knew that. In June, Jeanette Manfra, DHS acting undersecretary for cybersecurity and communications, testified before the U.S. Senate Intelligence Committee that the Russians targeted 21 election systems, and that a small number were breached, but she did not identify them. Arizona and Illinois last year confirmed that hackers had targeted their voter registration systems. Manfra told the Senate committee that the states had been notified, but officials in at least three states – Alabama, California, and North Dakota – said they were clueless before the recent announcement.

The DHS also got it wrong in at least three states: Wisconsin, California, and Texas. While the agency initially said that Russian actors probed election systems, last Tuesday it reversed itself with regard to Wisconsin, saying that the Russians had tried to access a computer system run by the Department of Workforce Development. “Either someone was right on Friday and this memo today is a cover-up, or they were wrong on Friday and we deserve an apology,” Mark Thomsen, chair of the Wisconsin Elections Commission, said to reporters, referring to an email his office received from the DHS about the mix-up. In California, the scanning activity targeted the Department of Technology’s network, not any website affiliated with the elections system, officials said. And Texas Secretary of State Rolando Pablos on Thursday asked the DHS to “formally correct its erroneous notification to the State of Texas on Friday, September 22, 2017 that the [secretary of state] agency web site was targeted by malicious cyber actors before the November 2016 General Election.” It was a website “not related to the election mission” that was scanned, Pablos wrote in a letter to the DHS.

The federal government has not admitted its mistake. “The Department stands by its assessment that Internet-connected networks in 21 states were the target of Russian government cyber actors seeking vulnerabilities and access to U.S. election infrastructure,” McConnell wrote to The Intercept on Thursday, adding that he would not discuss individual states.

The lack of clarity surrounding DHS’s revelations was compounded by election officials’ responses. In an apparent attempt to minimize the probes and boast about the strength of their security systems, they overstated what actually happened. Oregon’s secretary of state, for example, said in a statement that the DHS confirmed “that Oregon’s security measures thwarted Russian government attempts to access the Secretary of State computer network during the 2016 general election.”

“We block upwards of 14 million attempts to access our network every day,” Oregon’s Chief Information Security Officer Lisa Vasa said in the statement, which was similar to statements released by other elections offices. In a piece headlined “Russians tried to hack Oregon election systems in 2016,” the Associated Press subsequently reported that the Russian government “tried but failed to access the Oregon Secretary of State’s computer network.” But a network scan, which is what the DHS said happened, is not exactly an attempt to access a network and it is definitely not a hack – rather, it is a search for a vulnerability in a system.

In conversations about probes of election systems, it is important to make a distinction between changes to voter registration and a hack that impacts the tallying of the votes, said Lawrence Norden, deputy director of the Democracy Project at New York University’s Brennan Center for Justice. “Having said that, I have seen no evidence from DHS or anybody else that there was an attack on the counting of the votes, but I think all of this should be a warning shot and a wake-up call for some of us that we’re lucky that we have this now, and we’re doing everything we can to ensure that all systems are protected from tampering,” Norden told The Intercept. Because voter registration is public, Norden added, there’s a good chance people would notice if registration systems are tampered with.

Still, most states lack the mechanisms to deal with large-scale changes to voter registration, said Bruce Schneier, a cybersecurity specialist at Harvard’s Berkman Center who has written frequently about the security vulnerabilities of U.S. election systems. “Imagine an election in a state office, where 20 percent of the people can’t vote, and everyone says the voting roll was hacked. There’s no system to deal with that — there’s no plan, no rules,” he said.

“Unfortunately, in all elections, after it’s over, half the country doesn’t want to revisit it,” Schneier told The Intercept, which is why elections offices should prioritize developing a plan to deal with these issues. “The time to create a plan is before the battle lines are drawn, before we know who the hack favored, before we know who won and who lost.”

Top photo: Virginia State House Delegate Mark Keam, right, watches a demonstration of a voting machine by a staff of Fairfax County Office of Elections during the annual KORUS festival, a Korean cultural festival, Oct. 2, 2016 in Tysons Corner, Va.

Correction: Oct. 3, 2017, 1:53 p.m.
Due to an editing error, an earlier version of this story incorrectly referred to Iowa as the Cornhusker State. Iowa is the Hawkeye State.

Top photo: People vote for the next US president in the general election at a polling station in a school gymnasium in New York, November 8, 2016.