“More attention to securing voting systems hasn’t eliminated critical technical and human threats to our elections,” said Matthew Weil, executive director of the Bipartisan Policy Center’s Democracy Program. “And this cycle is practice for 2024.”
The federal government has worked since 2016 to improve coordination with state and local officials on everything from fixing digital vulnerabilities to promoting trusted sources of information. Biden administration officials say that’s one reason that they’ve seen less foreign interference than in 2016.
But as CISA Director Jen Easterly, whose agency leads federal election security efforts, told reporters recently, “The current election threat environment is more complex than it has ever been.” She cited the ways that multiple different threats, from cyberattacks to disinformation to the harassment of election officials, are overlapping.
Here are the threats to watch for as the final votes of the midterms are cast.
Mis- and disinformation
Lies and conspiracy theories about the security of election systems are what most worry election supervisors and federal cybersecurity and intelligence officials, because those falsehoods can inflame mistrust that discourages people from voting and provoke anger that spurs people to threaten violence against election administrators.
Russia stoked divisions during the 2016 campaign, and federal agencies recently warned that
foreign actors may once again spread falsehoods about supposed hacks of election systems. But in recent years, domestic sources of mis- and disinformation have become the more widespread and potent threat. Election-related falsehoods are ubiquitous in right-wing circles, and foreign adversaries eagerly exploit these lies whenever possible.
U.S. officials remain on alert for false announcements of a rescheduled election or corrupted ballots from
spoofed email addresses and websites purporting to represent election offices; false claims of hacked voter data; or last-minute thefts and leaks of campaign communications.
And while disinformation gets a lot of attention because it is spread deliberately, honest poll-worker mistakes at precincts and glitches such as brief voting machine outages can lead to innocent misunderstandings that generate misinformation.
Crashing election office and campaign websites
Hackers have one relatively low-tech tool for knocking campaigns off balance and disrupting voters’ access to reliable election information: forcing websites to crash using automated tools that simulate massive floods of people visiting those sites.
A few major tech companies, including
Cloudflare and Google, offer free protection against these “distributed denial-of-service attacks” to election offices and political campaigns, but many websites remain unprotected.
A Russian DDoS campaign recently knocked
several state government websites offline, although those attacks did not specifically target election sites.
Fortunately, DDoS attacks only temporarily disrupt sites, and they do not mean there are vulnerabilities in computer networks that would expose servers to more serious types of attacks, such as data theft or corruption.
The federal government has
urged the public not to overreact to DDoS attacks, noting that election websites run separately from the databases that store vote tallies and registration data.
Even so, eleventh-hour website outages could pose problems for political campaigns or election officials hoping to promote critical messages — such as campaign talking points, polling-place updates or encouragements to stay in line — at the last minute.
Campaign social media account hijacking
Hackers could take over candidates’ or campaigns’ social media accounts on Election Day and make inflammatory comments designed to alienate voters or spread false information about how or when to vote. These impersonation schemes could fuel distrust of the election process and knock campaigns off balance in the home stretch of the contest.
The specter of targeted account hijacking isn’t theoretical. Twitter already experienced
a massive hack in July 2020 in which a teenager took over accounts belonging to politicians, business leaders and other celebrities — including then-candidate Joe Biden. And now Twitter owner Elon Musk’s initiation of mass layoffs has sparked fears that the cuts could hit the company’s security team.
“Account security is especially important in an election — it would be disastrous for candidates to turn into sock puppets,” said Eddie Perez, a board member at the OSET Institute, a nonpartisan election technology nonprofit. Perez was formerly a director of product management at Twitter overseeing a team that handled
“civic integrity” issues.
Cyberattacks on voter registration databases
States have spent years upgrading the security of their voter registration databases, which form the bedrock of a well-functioning election system. But no technology is perfectly secure, and vulnerabilities likely remain in some states’ networks. Russian hackers breached Illinois’ voter database in 2016, and Iranian hackers penetrated a state database in 2020.
Hackers with access to a voter registration system could sow chaos in two ways. By tampering with voter data, they could make it more difficult or time-consuming for poll workers to check in voters at polling places. And by stealing voter data, hackers could engage in targeted harassment.
Many states do, however, print out paper copies of voter rolls and distribute them to local officials, creating a backup source of information that they can use to check in voters if the electronic database fails or becomes unreliable.
Federal officials recently said that cyberattacks on election infrastructure
wouldn’t be able to corrupt voter data, disrupt voting or change results.
Targeted voter harassment
This relatively novel threat represents an evolution in how foreign governments use hacking campaigns to meddle in U.S. elections. After stealing voter records from a state election database in 2020, Iranian operatives
threatened those voters with unspecified consequences if they didn’t vote to reelect then-President Donald Trump. The messages, which contained false allegations of vulnerabilities in election technology, were designed to look like they came from the Proud Boys, a right-wing extremist group.
The U.S. government quickly linked Tehran to the emails, warned election officials about them and
disclosed the campaign publicly. Federal prosecutors subsequently indicted two Iranian men for the operation.
It’s unclear how effective the messages were at convincing victims to vote for Trump, so Tehran and other U.S. adversaries may not try it again. Still, be on the lookout for similarly inflammatory emails.
Wireless modems enabling hacks of voting machines or vote tallies
At least seven states and Washington, D.C., use wireless modems to transmit unofficial election-night results to their central offices. These modems use telecommunications networks that are vulnerable to hackers, and malicious actors could exploit them to tamper with unofficial vote data, corrupt voting machines or compromise the computers used to tally official results.
“We now have to worry about anybody getting access to a communication network that is fundamentally open,” Matt Blaze, a Georgetown University computer science and law professor who studies voting systems,
told POLITICO last month.
At least seven states and Washington, D.C., use wireless modems to transmit unofficial election-night results to their central offices. | Joe Raedle/Getty Images
These attacks are much more difficult and time-consuming — and thus much less likely to occur — than spreading falsehoods on social media or temporarily taking down websites. And states that use paper ballots and post-election audits would likely catch and correct erroneous results.
Even so, temporarily incorrect information could fuel doubts about results, especially if the hackers bragged about their accomplishments. And if subsequent audits that correct digital tampering dramatically change vote tallies, bad-faith actors might seize on those changes to falsely allege fraud.