In September 2010, the District of Columbia unveiled a pilot project to enable overseas residents and people serving in the military to vote over the Internet, and invited users to test the system. Within 36 hours, University of Michigan computer scientist J. Alex Halderman and his team were able to hack into it, flipping votes to candidates named after famous computers, like HAL 9000 from 2001: A Space Odyssey, and playing the Michigan fight song, “The Victors,” after every recorded vote. Amazingly, it took two days for election officials in DC to notice the hack and take the system down. The pilot project was eventually scrapped.
Though online voting remains a distant prospect in American politics, this wasn’t the first election system that Halderman hacked. On June 21, 2017, he testified before the Senate Select Intelligence Committee in a hearing on “Russian Interference in the 2016 U.S. Elections.” “My conclusion,” Halderman told the committee, “is that our highly computerized election infrastructure is vulnerable to sabotage, and even to cyber-attacks that could change votes.”
“Dr. Halderman, you’re pretty good at hacking voting machines, by your testimony,” Senator Angus King of Maine observed. “Do you think the Russians are as good as you?”
“The Russians have the resources of a nation-state,” Halderman replied. “I would say their capabilities would significantly exceed mine.”
It is now clear that Russian interference in the 2016 elections went far beyond hacking Democratic National Committee e-mails; it struck at the heart of America’s democratic process. “As of right now, we have evidence of election-related systems in 21 states that were tar-geted,” Jeanette Manfra, the chief cyber-security official at the Department of Homeland Security, testified at the Senate hearing.
Only two of those states have been publicly named: Illinois, where hackers stole 90,000 voter-registration records, including driver’s-license and Social Security numbers; and Arizona, where the voter-registration list was breached via a county-level infiltration. On June 13, Bloomberg reported that “Russian hackers hit systems in a total of 39 states.” And The Intercept, citing a leaked National Security Agency report, stated that “Russian military intelligence executed a cyberattack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials just days before last November’s presidential election.”
“This was a well-planned, well-coordinated, multi-faceted attack on our election process and democ-racy,” said Bill Priestap, assistant director of the FBI’s counter-intelligence division, at the Senate hearing.
“Any doubt it was the Russians?” Senator King asked.
“No, sir,” Priestap answered.
“Any doubt that they’ll be back?”
While there’s still a lot we don’t know about the extent of the hacking and why it occurred, it’s painfully clear that the US voting system is dangerously insecure. Even though voting machines aren’t connected to the Internet, hackers can inject malicious software into them by accessing the computers used to program the machines, which are sometimes online. Five states in their entirety, and some counties in nine others, vote using electronic machines with no paper trail, which could make such a hack almost impossible to detect. And even though 36 states use paper ballots or electronic machines with paper backups, that paper is rarely checked thoroughly enough to ensure the results are accurate (only a little more than half the states require even basic post-election audits). Moreover, 42 states are using machines that are at least a decade old and run primitive software like Windows 2000. This is an election meltdown waiting to happen.
The intelligence community has repeatedly said that no votes were changed by Russian hacking, but DHS officials admitted at the Senate hearing that they have not conducted a forensic analysis of any voting equipment used in the presidential election. I asked Lawrence Norden, a voting and democracy expert at New York University’s Brennan Center for Justice, how confident he was that no votes were altered in 2016. He took a deep breath, sighed, and said, “It’s impossible to know.”
Without changing a single vote, hackers could even more easily wreak havoc on US elections by accessing state voter-registration rolls, as they did in Illinois in 2016. The theft of 90,000 records there went undetected by officials for three weeks, until they finally took the system down for 10 days in response. “Attackers could try to interfere with the ability of voters to cast ballots by deleting them from lists of registered voters, marking them as felons prohibited from voting, or changing party affiliation to keep them from voting in their party’s primary,” notes the Brennan Center in a new report. In states with strict voter-ID laws that require an exact match with voter rolls, changing even a few letters in a person’s name could block thousands from casting a ballot.
“The bigger point here is that what happened in 2016 could easily happen again and go much further,” Halderman says. “In fact, I think it’s only a matter of time before some attacker, be it Russia or another hostile country, really does either sabotage or manipulate the country’s election infrastructure…. Eventually it will happen, unless we take steps to stop it. And so far, very little has changed since 2016.”
Halderman says the solutions are obvious: Record all votes on paper, perform routine audits of ballots, and conduct regular threat assessments, as is done in many industries. But the White House and Congress are doing less than nothing: President Trump regularly refers to reports of Russian hacking as “fake news,” and House Republicans voted to eliminate the Election Assistance Commission, the only federal agency that helps to protect states against hacking. “We’re doing way too little,” Norden says. “The intelligence community has their hair on fire saying the Russians are coming back, but there’s almost zero discussion in Congress about taking steps to protect our elections ahead of 2018 and 2020.” Things are hardly better at the state level, where in most cases there’s no money for new voting machines or added security precautions.
The truth is that the same Republicans who benefited from Russian hacking of the DNC and Clinton campaign e-mails in the 2016 election have been trying for years to suppress Democratic-leaning votes. As civil-rights leader Rev. William Barber notes, “Voter suppression hacked our democracy long before any Russian agents meddled in America’s elections.” Since the 2010 election, 22 states—nearly all of them controlled by Republicans—have passed new laws making it harder to vote, which culminated in the 2016 election being the first in more than 50 years without the full protections of the Voting Rights Act.
According to a new study by the Massachusetts Institute of Technology, 12 percent of the electorate in 2016—16 million Americans—encountered a problem voting, including long lines at the polls, difficulty registering, or faulty voting machines. And last year’s election was decided by just 80,000 votes in three states.
Republicans have accelerated their voter-suppression efforts at the state and federal levels in 2017. According to the Brennan Center, 99 bills to limit access to the ballot have been introduced in 31 states this year, and more states have enacted new voting restrictions in 2017 than in 2016 and 2015 combined. Arkansas, Iowa, North Dakota, and Texas passed new voter-ID laws; Georgia made voter registration more difficult; and Montana is in the process of limiting the use of absentee ballots.
Meanwhile, the Trump administration’s new presidential commission on “election integrity” is preparing to nationalize the GOP’s restrictions on voting under the pretext of combating the virtually nonexistent problem of voter fraud. The commission’s vice chair, Kansas Secretary of State Kris Kobach, has pioneered the voter-suppression efforts in his home state, including requiring proof of citizenship to register, which has blocked one in seven Kansans from registering to vote since 2013 (because most people don’t carry around a copy of their birth certificate, passport, or naturalization papers when they register). If such laws were adopted at the federal level, they would disenfranchise millions of voters.
On June 28, Kobach sent a letter to all 50 states asking for sweeping voter data, including Social Security numbers, party affiliation, felony convictions, and military status. The federal government has never made such a broad request before, and voting-rights advocates fear that such data, in the hands of the Trump administration, will be manipulated to spread lies about voter fraud and purge the rolls in inaccurate and discriminatory ways. “[Vice President Mike] Pence and Kobach are laying the groundwork for voter suppression, plain & simple,” tweeted Vanita Gupta, the former head of the Justice Department’s civil-rights division under President Obama. That same day, the Justice Department also asked states how they plan to remove people from their rolls under the National Voter Registration Act, which seems like further proof of plans to limit voting access.
The good news is that red and blue states alike unexpectedly rebelled against Kobach’s request, with 48 states refusing to turn over sensitive, private voter data. Some of the sharpest criticism came from Republican secretaries of state, like Mississippi’s Delbert Hosemann, who told the Trump administration to “go jump in the Gulf of Mexico.” The opposition at times bordered on the surreal: At least two members of Trump’s handpicked commission, the secretaries of state for Maine and Indiana, rejected Kobach’s request, and even Kobach, as secretary of state for Kansas, couldn’t hand over voters’ Social Security numbers to himself, because they’re not publicly available in his home state. One commission member, Maryland Deputy Secretary of State Luis Borunda, resigned.
The bad news is that under the guise of “election integrity,” Trump’s commission marks the beginning of a nationwide voter-suppression campaign by the GOP. It’s impossible to overstate the threat this poses, at the same time that the administration is practically inviting another hack from Moscow or elsewhere. Whether its enemies are foreign or domestic, American democracy is in grave danger.