A spate of hacking attacks has put U.S. states on edge, with election officials rushing to plug cybersecurity gaps with help from the federal government.
Nine states have asked for “cyberhygiene” scans in which the Department of Homeland Security looks for vulnerabilities in election authorities’ networks that are connected to the internet, according to a DHS official. With the election coming up soon, DHS wants more states to sign up.
The threat — primarily from foreign hackers or intelligence agencies — affects states that are reliably Democratic or Republican as well as key battleground states, including Pennsylvania and Ohio, officials and cybersecurity experts said.
While hackers may not be able to change the outcome from afar, they could sow doubt by manipulating voter registration websites, voter databases and systems used to track results on election night.
“We’re certainly on high alert,” said Dean Logan, the registrar-recorder and county clerk in Los Angeles County, the nation’s biggest electoral district. “Across the whole network of services and online applications for the county, there are frequent indications of attempts to get into those systems.”
Most states use voting equipment that can generate a paper record, allowing for audits or recounts if the result is close or tampering is suspected. Among the exceptions is Pennsylvania, which both Democrat Hillary Clinton and Republican Donald Trump are targeting as a priority.
The electronic voting machines in 50 of Pennsylvania’s 67 counties leave no paper trail, according to Verified Voting, a California-based nonprofit that monitors voting methods. Many of those counties use touch-screen machines, which are especially vulnerable, according to Andrew Appel, a computer science professor at Princeton University who stores in a warehouse the old voting machines that his research teams have hacked over the past dozen years.
Though the touch-screen machines aren’t connected to the internet — where hackers can do damage from around the world — someone with physical access to the devices could employ techniques such as inserting a cartridge carrying malware that could reprogram their software, he said. Similar machines are used in Louisiana, New Jersey, South Carolina, Tennessee and Texas.
“There’s no way to know that they have been hacked,” Appel said. “And there’s no way to recover what the vote should have been, and there’s no way to know that the votes may be wrong.”
Marian Schneider, Pennsylvania’s deputy secretary for elections and administration, said her state is taking advantage of DHS’s offer to scan computer systems and is considering hiring a contractor to bolster cybersecurity.
“We’re going to be making sure that there are no exploitable vulnerabilities in our systems,” said Schneider, whose agency oversees everything from state voter registration databases to aggregating local election results.
In a recent simulation, Symantec Corp. said its workers were able to easily hack into an electronic voting machine. It was possible to switch votes as well as change the volume of data, said Samir Kapuria, senior vice president and general manager of Symantec’s cybersecurity group.
“It was pretty vulnerable to multiple attacks both physically as well as when that information got transmitted upstream for the tabulation systems,” Kapuria said, without providing the machine’s maker or saying where it is used. Symantec is working with the manufacturer to make improvements, he added.
DHS’s major concern isn’t necessarily a hacker changing ballots on Election Day, but someone stirring up enough confusion in the “election infrastructure” to undermine public confidence in the vote, according to the agency’s official.
In an Aug. 1 speech in Columbus, Ohio, Trump said he was “afraid the election is going to be rigged, I have to be honest,” and said cheating would be the reason if he loses Pennsylvania.
The DHS “cyberhygiene” assessments are quick tests that let states know of holes they should urgently fix. The department also is in talks with some states to do on-site visits to scan election authorities’ internal networks that aren’t linked to the internet.
But with less than two months to go, few states will receive such a deep dive. States have told the feds it would be disruptive at this point to examine individual voting machines, so DHS will have to save those tests for after the election.
Concern about election tampering rose after hackers attacked servers at the Democratic National Committee and related organizations, taking internal emails and data that were later made public on the WikiLeaks website. The revelations prompted DNC Chairwoman Debbie Wasserman Schultz to resign days before Clinton was formally named the party’s nominee.
The FBI has “high confidence” recent attacks were orchestrated by Russia, according to a person familiar with the agency’s probe. President Vladimir Putin has rejected the accusations.
Federal Bureau of Investigation Director James Comey has said his agency is working “very hard to understand” whether a foreign government is hacking U.S. systems in order to influence elections or other national affairs.
Working against foreign hackers is the sheer complexity of the decentralized U.S. electoral system, which has about 9,000 separate jurisdictions where citizens go to vote.
“The beauty of the American voting system is that it’s diverse among the 50 states and it’s clunky as heck,” Comey said Sept. 8 at a conference in Washington. “It is hard for an actor to reach our voting processes.”
DHS said in a statement that it has “confidence in the overall integrity of our electoral systems” but added, “We must face the reality that cyberintrusions and attacks in this country are increasingly sophisticated, from a range of increasingly capable actors that include nation-states, cyberhacktivists, and criminals.”
Besides the voting machines, hackers looking to cause chaos on Election Day could alter voter registration records and electronic poll-books, used to verify voters’ identities at precincts. Local jurisdictions also worry about hackers tampering with websites that tell people where to vote or provide other information about the voting process.
During California’s June presidential primary, a number of voters in Riverside County found that their party affiliations had been changed, according to District Attorney Michael Hestrin. He said it appeared hackers accessed voter-registration data. In some cases, voters even found their race, address and birth date changed, Riverside County Republican Party Chairman Scott Mann said. Others didn’t find themselves in poll-books, Mann said.
Meddling with systems that tabulate and report the votes on election night — whether state election boards or media organizations — is another potential entry point for those wanting to cause mischief and undercut public confidence.
Ohio Secretary of State Jon Husted, a two-term Republican, said the state’s elections systems have been modernized with cybersecurity upgrades in recent years, and “there’s been nothing that’s occurred that’s given us any alarm.”
Even before the FBI warned state officials last month to improve election security, Husted said his office consulted with the agency and with the state’s cybersecurity experts. It even had the National Guard try to hack into Ohio’s election system to identify any vulnerabilities.
“Everything that we should be doing, we were already doing before these alerts came about,” Husted said in an interview in Columbus. “If you waited until the FBI called two weeks ago, then you were late.”