Cross-posted at Slate.
Much of the analysis following special counsel Robert Mueller’s Friday indictment of 12 Russian intelligence officers has focused on their alleged conspiracy to hack into Clinton campaign and Democratic Party computers and email systems during the 2016 election, and on questions about coordination between then-candidate Donald Trump’s campaign and the Russian infiltrators.
But the indictment also included new revelations about the extent of Russia’s attacks on our election systems in 2016—and those details provide a warning that we need to get serious about preparing for even more damaging attacks in this year’s midterms.
The latest indictment alleges that Russian intelligence officers hacked into the website of a yet-unidentified state board of elections. Among other new information, it alleges Russia used that hack to steal information related to 500,000 voters. That figure’s surprising. We already know that hackers targeted election systems in 21 states and allegedly hacked into the computers of a private U.S. elections systems vendor. (The indictment did not name the vendor, but details seem to match a reported hack of the company VR Systems; VR Systems has denied any breach had occurred.) But, thus far, officials have only confirmed that databases from the Illinois election systems had ever actually been compromised. What’s more, reports previously indicated the records of only about 100,000 voters had been accessed in the Illinois breach. That means the reach of Russia’s infiltration of election systems likely went deeper than we’d understood.
Perhaps most importantly, as Wired’s Kim Zetter identifies, the indictments suggest the Russians’ attack against U.S. election infrastructure may have been an afterthought. The indictment puts the research and execution of the state board of election and vendor attacks in June through October of 2016—well into the election, and months after the initial hacks of the Democratic National Committee and Hillary Clinton’s campaign. As she notes, we would be wise to assume future attacks will involve more advanced planning. Combine this with the fact that the Russians undoubtedly learned information from their 2016 efforts, and there is reason to believe future attacks on our election infrastructure could be far more damaging.
The good news is that many officials tasked with protecting our election infrastructure take this threat seriously. Election officials, the Department of Homeland Security, and the federal Election Assistance Commission have all been working diligently to ensure they can catch and prevent future attempts to breach election infrastructure. Congress has provided states with $380 million to increase election system security. A new government coordinating council now allows the federal government and local election officials to share information like never before. And many states have made serious investments in new security.
This is critical work, but it’s not enough. The truth is: We can never have 100 percent unhackable elections. If Russian intelligence agencies (or other foreign powers) have decided that they want to make a concerted effort to attack our elections, they will, at some point, be successful.
The single most important thing states and counties can do in the next few months is to ensure that every polling place in the country has contingency plans in place to deal with a successful breach. That means ensuring that, in spite of a successful attack, people can vote on Election Day, and we have a way of ensuring all of those votes will eventually be counted accurately.
To start, it’s worth focusing on three critical election systems that cyberattackers are most likely to target—and to look at some of the actions that local jurisdictions should take to detect and recover from successful attacks against them.
Electronic poll books: Thirty-two states use e–poll books, usually in the form of mobile computers or tablets, that allow poll workers to digitally look up voters’ registration information instead of manually searching through paper lists of names. Most e–poll books come equipped with technology that allows them to communicate with, at minimum, nearby e–poll book units in the same polling location to share real-time voter check-in information. E–poll books may communicate this information over wired or wireless network connections. But e–poll books that communicate over wireless networks present unique security challenges because, unlike a wired network, a wireless network can be monitored and attacked from a distance.
While the indictment doesn’t allege that e–poll books were hacked in the 2016 election, there’s reason to believe they could be an enticing target for hackers. If a jurisdiction is unprepared for e–poll book failures, voters could be told they are not registered or forced to wait for hours to vote while election officials scramble to fix the e–poll books or locate and print paper backups.
For jurisdictions using this technology, there are two important steps to take to curtail a potential hack. First, they should limit or eliminate wireless connectivity, including Wi-Fi and Bluetooth, to decrease the risk of a successful attack. Second, election officials should ensure that every polling place using e–poll books on Election Day also has backup printed paper poll books on hand in the event of a real or suspected e–poll book failure (something that’s not just helpful in the case of a hack but also for run-of-the-mill software and device glitches). Currently, only 17 states of the 32 states using e–poll books require backup paper poll books on Election Day.
Voter registration systems: The voter registration system maintains the official list of registered voters, including individuals’ names, phone numbers, addresses, district assignment information, and, in some states, political party affiliation. Mueller’s indictments confirm that voter registration systems were indeed a target of the Russians in 2016. Though the only substantial successful hack we know of involved stealing basic voter registration info (likely names, addresses, and the last four digits of Social Security numbers in the case of the Illinois). But other types of breaches could present potential nightmare scenarios. Imagine hackers could somehow delete or change voter registration information, so voters would show up at the polls only to find their names missing or registered to the wrong precinct. Or nimble hackers might make it impossible for election officials to access certain voter files when it comes time to create new poll books.
To ensure such attacks would not disrupt an election, officials should download an electronic copy of the voter information on a daily basis. This will allow them to reconstruct a list should they discover a hack and to access a list if the official database becomes unavailable at any point.
Officials should also ensure that every polling place has enough provisional ballots to last through at least two hours of peak voting time, so that if necessary, they can print and deliver more as needed without forcing voters to wait. Federal law requires that polling places provide provisional ballots, which allow an individual to record a vote even in the event poll workers can’t find the individual’s names on a registration list. These paper ballots are only counted if election officials can later confirm that the individual was eligible to vote at that polling place. In the event of a hack, provisional ballots would ensure that individuals are able to cast a ballot while providing election officials additional time to determine eligibility using backup lists.
Voting machines: There are no allegations in the Mueller indictments that Russians targeted voting machines in the 2016 election. Nevertheless, this is obviously a critical system to protect from cyberattacks. There are many steps jurisdictions should be taking to ensure that hackers cannot reach voting machines in a way that impacts the integrity of the election. Among those: conducting pre-election “logic and accuracy” testing for every machine. This is akin to running a mini-election on each machine before it’s put in use, to ensure each machine is counting votes accurately.
After the election is over, but before results are certified, jurisdictions should also conduct post-election audits. For polling places in about two-thirds of the country, this means comparing a manual count of the paper ballots voters cast to the tally generated by the digital scanners that most of these jurisdictions employ to read said paper ballots. For polling places that use direct-recording electronic voting machines—which allow individuals to log votes by manually touching a screen, monitor, or other device—this means assuring these machines include “voter-verified paper audit trails.” These paper printouts provide a permanent record of the votes cast by the individual and give voters the opportunity to review a paper record of their choices before casting their ballots.
Unfortunately, 13 states are still using at least some direct-recording electronic voting machines that have no paper trail as their primary polling place equipment, making audits in these states impossible. These machines should be replaced as soon as possible. Come November, it’s also critical for any states using any kind of electronic voting machines to have emergency paper ballots that can be deployed immediately in case machines breakdown—whether that breakdown is caused by a system failure or hack.
All of the steps discussed above are critical not just to detect and recover from a hack against our election infrastructure but to instill greater public confidence in our election systems more generally. As of now, it doesn’t look like Russians altered or erased any voter registrations, meddled with any polling places, or changed any votes in the 2016 election. But they were also after another central goal: to cast doubt on the integrity of American democratic systems and institutions. Regardless of their ability to successfully hack election systems in the future, we still need to keep wary of the discord even suspicion of such sabotage can sow. Election officials who adopt strong contingency plans, and make those plans known to their voters, can help reassure citizens that, regardless of what threats we face, voters will be able to cast ballots that will be accurately counted.
To be sure, the 2018 midterms could go off without a hitch. But instead of wishful thinking, states and counties need to hope for the best but prepare for the worst.