A spate of hacking attacks has put U.S. states on edge ahead of November’s presidential vote as election officials rush to plug cybersecurity gaps with help from the federal government.
Nine states have asked for “cyber hygiene” scans in which the Department of Homeland Security looks for vulnerabilities in election authorities’ networks that are connected to the internet, according to a DHS official who asked not to be identified because the information isn’t public. With less than two months before the election, DHS wants more states to sign up.
The threat — primarily from foreign hackers or intelligence agencies — affects states that are reliably Democratic or Republican as well as key battlegrounds including Pennsylvania and Ohio, officials and cybersecurity experts said. While hackers may not be able to change the actual outcome from afar, they could sow doubts by manipulating voter registration websites, voter databases and systems used to track results on election night.
“We’re certainly on high alert,” said Dean Logan, the registrar-recorder and county clerk in Los Angeles County, the nation’s biggest electoral district. “Across the whole network of services and online applications for the county there are frequent indications of attempts to get into those systems.”
Most states use voting equipment that can generate a paper record, allowing for audits or recounts if the result is close or tampering is suspected. Among the exceptions is Pennsylvania, which both Hillary Clinton and Donald Trump are targeting as a priority.
The electronic voting machines in 50 of Pennsylvania’s 67 counties leave no paper trail, according to Verified Voting, a California-based nonprofit that monitors voting methods. Many of those counties use touch-screen machines, which are especially vulnerable, according to Andrew Appel, a computer science professor at Princeton University who stores in a warehouse the old voting machines that his research teams have hacked over the past dozen years.
Though the touch-screen machines aren’t connected to the internet — where hackers can do damage from around the world — someone with physical access to the devices could employ techniques such as inserting a cartridge carrying malware that could reprogram their software, he said. Similar machines are used in Louisiana, New Jersey, South Carolina, Tennessee and Texas.
“There’s no way to know that they have been hacked,” Appel said. “And there’s no way to recover what the vote should have been, and there’s no way to know that the votes may be wrong.”
Marian Schneider, Pennsylvania’s deputy secretary for elections and administration, said her state is taking advantage of DHS’s offer to scan computer systems and is considering hiring a contractor to bolster cybersecurity.
“We’re going to be making sure that there are no exploitable vulnerabilities in our systems,” said Schneider, whose agency oversees everything from state voter registration databases to aggregating local election results.
In a recent simulation, Symantec Corp. said its workers were able to easily hack into an electronic voting machine. It was possible to switch votes as well as change the volume of data, said Samir Kapuria, senior vice president and general manager of Symantec’s cybersecurity group.
“It was pretty vulnerable to multiple attacks both physically as well as when that information got transmitted upstream for the tabulation systems,” Kapuria said, without providing the machine’s maker or saying where it is used. Symantec is working with the manufacturer to make improvements, he added.
DHS’s major concern isn’t necessarily a hacker changing ballots on Election Day, but an actor stirring up enough confusion in the “election infrastructure” as to undermine public confidence in the vote, according to the agency’s official.
In an Aug. 1 speech in Columbus, Ohio, Republican presidential nominee Donald Trump said that he’s “afraid the election is going to be rigged, I have to be honest,” and he said cheating would be the reason if he loses Pennsylvania.
The DHS “cyber hygiene” assessments are quick tests that let states know of holes they should urgently fix. The department also is in talks with some states to do on-site visits to scan election authorities’ internal networks that aren’t linked to the internet. But with less than two months to go, few states will receive such a deep dive. States have told the feds it would be disruptive at this point to examine individual voting machines, so DHS will have to save those tests for after the election.
Concern about election tampering rose after hackers attacked servers at the Democratic National Committee and related organizations, taking internal emails and data that were made public on the WikiLeaks website. The revelations prompted DNC Chairwoman Debbie Wasserman Schultz to resign days before Clinton was formally named the party’s nominee.
The FBI has “high confidence” recent attacks were orchestrated by Russia, according to a person familiar with the agency’s probe. President Vladimir Putin has rejected the accusations.
FBI Director James Comey has said his agency is working “very hard to understand” whether a foreign government is hacking U.S. systems in order to influence elections or other national affairs.
Working against foreign hackers is the sheer complexity of the decentralized U.S. electoral system, which has about 9,000 separate jurisdictions where citizens go to vote.
“The beauty of the American voting system is that it’s diverse among the 50 states and it’s clunky as heck,” Comey said Sept. 8 at a conference in Washington. “It is hard for an actor to reach our voting processes.”
Besides the voting machines, hackers looking to cause chaos on Election Day could alter voter registration records and electronic poll-books, used to verify voters’ identities at precincts. Local jurisdictions also worry about hackers tampering with websites that tell people where to vote or provide other information about the voting process.
During California’s June presidential primary, a number of voters in Riverside County found that their party affiliations had been changed, according to District Attorney Michael Hestrin. He said it appeared hackers accessed voter-registration data. In some cases, voters even found their race, address and birth date changed, Riverside County Republican Party Chairman Scott Mann said. Others didn’t find themselves in poll-books, Mann said.
Meddling with systems that tabulate and report the votes on election night — whether state election boards or media organizations — is another potential entry point for those wanting to cause mischief and undercut public confidence.
Ohio Secretary of State Jon Husted, a two-term Republican, said the state’s elections systems have been modernized with cybersecurity upgrades in recent years, and “there’s been nothing that’s occurred that’s given us any alarm.”
Even before the FBI warned state officials last month to improve election security, Husted said his office consulted with the agency and with the state’s cybersecurity experts. It even had the National Guard try to hack into Ohio’s election system to identify any vulnerabilities.
“Everything that we should be doing, we were already doing before these alerts came about,” Husted said in an interview in Columbus. “If you waited until the FBI called two weeks ago, then you were late.”