A series of high-profile breaches and warnings from national intelligence leaders has elections directors in critical battleground states seeking federal help against possible cyberattacks.
Officials in Pennsylvania and Ohio tell CNN they are working closely with the Department of Homeland Security to protect their elections systems from cyberattacks and breaches.
Ohio is going one step further.
“We even asked the National Guard to attempt to penetrate our databases,” said Joshua Eck, a spokesman for Ohio Secretary of State Jon Husted. “We’ve had a number of really positive tests. It has gone well and we’ve been able to find vulnerabilities and fix them.”
A pair of cyberattacks on Illinois’ and Arizona’s voter registration databases over the summer spurred the Obama administration to ring the alarm bells for states as they prepare for what has already been a chaotic campaign.
And top Democrats on the House and Senate intelligence committees publicly accused the Russian government of seeking to alter the election.
“Based on briefings we have received, we have concluded that the Russian intelligence agencies are making a serious and concerted effort to influence the U.S. election,” Sen. Dianne Feinstein and Rep. Adam Schiff, of California, said Thursday.
Cybersecurity experts say the prospect of “rigging” the election, and changing the outcome, is practically impossible. Elections are decentralized: 50 states, plus the District of Columbia, run their own operations, not to mention the thousands of counties across the country that play a major role at the local level.
Different jurisdictions use different voting machines, It isn’t plausible for hackers to breach them all in one fell swoop — penetrating one election system in North Carolina has no impact on Colorado. Furthermore, most voting machines aren’t connected to the Internet, which inoculates them from outside intrusions.
But hackers could still cause plenty of havoc in November, with attacks on registration systems or government websites reporting the results on election night. Many news organizations pull their results from those sites.
“Think about the chaos you could cause if you get one TV network calling the election for one candidate, and another network calling the election for the other,” said Professor Herbert Lin, a cybersecurity expert at Stanford University. “If your intent is to sow doubt and uncertainty, at least in the short term, affecting the media reporting could be really problematic.”
DHS running ‘Cyber hygiene scans’
Homeland Security Secretary Jeh Johnson is the Obama administration’s point man on election security, holding meetings with elections officials from across the country, and offering help to states that are interested.
DHS is offering “cyber hygiene scans” that will remotely search for vulnerabilities in election systems like online voter registration systems and election night reporting infrastructure. It is also offering to send cybersecurity experts to states so they can conduct more aggressive in-person testing the final weeks of the campaign.
Johnson recently laid out other federal resources for states in a memo last week, including a 24/7 center to respond to cyberattacks, and a list of “best practices” on how to secure voter registration databases.
Pennsylvania has accepted the DHS help, both the remote scans and the in-person testing, said Pennsylvania Department of State spokeswoman Wanda Murren. Election authorities in Ohio are also accepting federal help.
But not every state is happy to have the administration involved.
Georgia’s secretary of state publicly scoffed at these efforts and accused the federal government of trying to “subvert the Constitution.”
Georgia Secretary of State Brian Kemp, a Republican, rebuffed the idea, telling Nextgov that the feds might want to “subvert the Constitution to achieve the goal of federalizing elections under the guise of security.” However, his office later walked back the comment, saying they were not flatly refusing the assistance.
A call for comment from Kemp was not immediately returned Thursday.
Florida officials, whose recount debacle in 2000 led to the federal law which ultimately created voter registration databases, declined to say whether they were accepting help from DHS, citing security concerns.
What are the threats?
Perhaps the most serious vulnerability is the integrity of voter registration systems. Hackers can break in and delete or alter individual voter registration records, creating confusion on Election Day when voters show up to their polling place and their names are mysteriously missing from the rolls, or their address is changed.
This summer, hackers broke into a stash of information for about 90,000 voters in Illinois, breaching a database with voters’ names, addresses, sex and birthdays. And officials in Arizona took their voter registration system offline after they learned that a Russian hacker had breached their systems.
Once hackers penetrate a voter registration system, “the scope could be whatever they want,” said Cathie Brown, a cybersecurity expert who served as Virginia’s deputy chief information security officer. “Deleting an entire precinct of voters — that’s absolutely possible. The grander the scope, the more likely they’ll get caught. But they might not get caught until after they’ve done the damage.”
But at least one expert said that state elections directors have been dealing with technological threats for a long time.
“The state and local election officials, this whole notion of security is not new to them this is something they deal with all the time,” said Tim Mattice, executive director of the Elections Center, which trains state and local elections officials on administering elections. Mattice’s organization works with the professional group representing election officials, the National Association of State Election Directors.
Mattice said that when DHS offered up help, most people understood them when they said they were making it voluntary and did not want to be viewed as coming in and taking over state-run elections.
Ironically, Mattice noted that the focus on technological security got serious after Congress passed the national Help America Vote Act in the wake of the 2000 elections, which mandated that states develop integrated voter registration systems — effectively placing all the voter data in systems that could be hacked.
Asked how hackers got through in Illinois and Arizona despite the layers of security that elections officials already have in place, Mattice said it’s the same problem any organization or business faces.
“You could ask Target how they got hacked — these hackers are getting sophisticated,” Mattice said.