Elections authorities and cyber security experts say a concerted effort to alter the outcome of November’s elections through a cyber attack is nearly impossible, even after hackers gained access to voter registration databases in at least two states.
But some of those same experts say hackers with ties to Russia aren’t aiming to change election results; instead, their goal is to create a perception that the results are in question, and to undermine confidence in American democracy.
“Russian tampering with elections is not new. It’s only new to the U.S.,” said Chris Porter, who runs strategic intelligence for the cybersecurity firm FireEye Horizons. He pointed to Ukraine, Bulgaria, Romania and the Philippines, where Russian-backed hackers have gained access to electoral systems in recent years.
“It’s just enough create scandal,” Porter said. “That’s sufficient for Russian aims.”
Last month, officials in Arizona and Illinois discovered their voter registration systems had been hacked, a leak that put thousands of voter registration records up for sale on the black market. In January, more than 17 million voter registration records from Washington, Delaware, Rhode Island and Ohio were stolen.
In the wake of those attacks, Homeland Security Secretary Jeh Johnson held a conference call with state elections administrators, and the Federal Bureau of Investigation issued an advisory warning telling administrators to watch out for possible cyber attacks. On the call, and in subsequent follow-ups, DHS told state officials they had no credible information suggesting an imminent cyber attack.
DHS has also organized an Election Infrastructure Cybersecurity Working Group, aimed at identifying potential vulnerabilities and offering guidance on best practices. Four Secretaries of State, from Georgia, Indiana, California and Connecticut, sit on the federal panel.
Homeland Security personnel have also offered to scan state election systems to prod for vulnerabilities before hackers find them. Wanda Murren, a spokeswoman for Pennsylvania’s Department of State, said her agency would use DHS’s offer of help.
The hacks of voter registration data were more about scooping up personal information than about undermining election results, experts said. That’s because state and county offices maintain two distinct systems for administering elections: One handles registered voters. The other tabulates election results.
The registered voter database may be vulnerable to attacks, but tabulation databases are much less so. Most states and counties do not connect their tabulation systems to the internet at all; actual voting machines that count ballots are not connected to the internet either, and new security systems mean they cannot be infiltrated even with an off-the-shelf thumb drive if a hacker were to gain physical access to a machine.
“If you’re Tom Cruise in ‘Ghost Protocol,’ I’m not saying they can’t be gotten into, but they are secure from intrusion in the very best way we know of to secure them,” said Wayne Williams, Colorado’s Secretary of State.
Williams said his office has consulted with the FBI on bolstering security. He employs a full-time staffer tasked with nothing but computer security, and access to voting machines and tabulation databases is controlled by lock and key, video surveillance and tamper-evident protections.
Other election administrators said a key difference between other nations where Russian-backed hackers have infiltrated elections systems and the United States is centralization. When a pro-Russian hacking group gained access to Ukraine’s elections commission, it only had to infiltrate one organization. The decentralization of the American election system means hackers would have to gain access to thousands of county and municipal systems, and to hundreds of thousands of machines, to make a dent in the electoral outcome.
Take Wisconsin, another swing state up for grabs this year. Michael Haas, administrator of the state elections division, said clerks in each of the state’s 72 counties are responsible for programming voting equipment, and that the state’s 1,854 municipal clerks have to conduct public tests of voting machines before polls open. Counties and cities use machines manufactured by different brands.
“There is no single entity that has the ability to control the outcome of the election,” Haas said. “If there was an effort to attack systems across the country, the decentralized system does act as a barrier.”
In Florida, Secretary of State Ken Detzner has directed his staff to implement new software, hardware and firewalls to protect voter registration databases, spokeswoman Meredith Beatrice said in an email. Florida, too, leaves tabulation databases in the hands of the state’s 67 counties, rather than at the state level.
Officials in several states declined to discuss specifics about new software and hardware protections, citing security concerns.
But even if new security and inherent decentralization acts as a hurdle to cyber attackers, Porter warned, the integrity of American elections remain vulnerable to public perception. In countries where Russian-backed hackers have gained access to elections systems, those hackers have not actually altered election results — but they have undermined public confidence nonetheless.
“The key to this is going to be at the state level for the public to be educated that just in case something does happen and there’s a temporary disruption in one state or one locale, it’s important for people to understand that the national election wasn’t actually impacted,” Porter said. “The public is going to react very negatively to even the insinuation that voter systems were hacked.”