States Race to Secure Their Voting Systems Before Hackers Strike Again

Russian efforts to access voter databases and electoral sites during the 2016 campaign exposed critical gaps in America’s voting infrastructure.

Russian efforts to access voter databases and electoral sites during the 2016 campaign exposed critical gaps in America’s voting infrastructure.

November 1, 2017

American intelligence agencies were watching the 2016 election closely. The month before Election Day, they released a statement warning that they detected efforts by the Russian government to undermine voters’ trust in the election process. Among those efforts was the highly publicized leak of emails stolen from the Democratic National Committee.

But Russia’s attempts at interference didn’t end there. In recent months, officials have sounded the alarm on Russian efforts to more directly influence the election through attempts to hack state electoral systems.

“There were concerns about could the Russians do something with the voter registration rolls, make names disappear, replace some things, and prevent some people from voting,” said former CIA director John Brennan in an interview for Putin’s Revenge, FRONTLINE’s months-long investigation into the origins of Russia’s election meddling.

This June, Bloomberg reported that Russian hackers targeted various systems in 39 states during the summer and fall of 2016.

Then, in September, the Department of Homeland Security (DHS) notified election officials in 21 states that hackers linked to Russia sought access to their voter registration files and public election sites.

“It was a growing list, but it seemed to be a random list,” said Jeh Johnson, the former secretary at DHS, in an interview with FRONTLINE.

The targets included battleground states like Ohio, Florida, Pennsylvania, Virginia, Iowa and Wisconsin.

Election officials in 19 of the states have said that their systems were not breached, and there has been no evidence that voting machines were compromised or votes changed due to the Russian interference.

But in Illinois, officials said hackers did manage to access the voter registration database and view around 90,000 records in the summer before the election. And in Arizona, the password and credentials of an election official were stolen by hackers, according to officials there.

Russian President Vladimir Putin has denied that his government was behind the hacking efforts. Nevertheless, the incidents have exposed critical gaps in the nation’s election infrastructure, according to former intelligence officials and cybersecurity experts, and ignited a tense debate between state and federal officials over how best to secure voting systems ahead of elections in 2018 and 2020.

“We know from more than a decade of research into voting machines and other election equipment that most of the equipment we use in the U.S. is just full of vulnerabilities,” said Alex Halderman, a professor of computer science and an expert in cybersecurity at the University of Michigan. “We know that there are routes that attackers could potentially use to remotely compromise everything from the electronic poll books that are used to check-in voters at the polling place, to the voting machines themselves, to the voter registration systems. These are not well-secured systems.”

Even without hacking into voting machines directly, potential attackers could cause chaos and disruption by tampering with voter registration data, said Halderman, deleting or altering records to cause delays at polling stations or have voters turned away on Election Day.

In the wake of last year’s attacks, states are stepping up firewalls and encryption of their voter databases; boosting password security among election employees; monitoring their networks for threats; and testing any election infrastructure that’s connected to the internet to see how easy it would be for hackers to get in. Many are also creating cybersecurity task forces.

In West Virginia, election officials are hiring a cybersecurity expert from the National Guard. Wisconsin is working to get an employee who works with the state’s voter registration system certified as a “white hat” hacker, someone trained to think like a hacker and test for vulnerabilities.

“Efforts to share cybersecurity best practices of all kinds are absolutely lighting up the elections world right now,” said Wendy Underhill, director of elections and redistricting at the National Conference of State Legislatures, which tracks the issue among states. “Election officials across the nation are doubling down on it, learning from each other, and talking more closely with their IT people and other resources.”

But for all the high-tech measures under way, some states have made the decision to turn back to paper ballots as a safeguard. Unlike many electronic voting machines, paper balloting provides a trail that can be audited if election results come into question.

In September, for example, Virginia decided to end the use of touchscreen voting machines ahead of its election next week. And when Rhode Island got new voting equipment in 2016, it too required machines that used paper ballots.

Rhode Island will soon join Colorado as one of the first states to require advanced, “risk limiting” auditing procedures — considered the gold standard by election security experts — to verify its vote tallies. Currently, 18 states don’t mandate post-election audits at all, and most states have yet to adopt the more rigorous checks.

“Part of the problem we have in government is that technology moves much faster than government does,” said Jim Condos, the secretary of state in Vermont. “No matter what we do today, tomorrow’s a new day, and we’re always looking to the future and how we can stay ahead of bad actors.”

As states grapple with the evolving vulnerabilities in election security, DHS has been working to improve its coordination and communication with them. Election officials in several states said the agency did not directly inform them that their systems had been targeted until 10 months after Election Day.

For example, when Michael Haas, Wisconsin’s chief election official, testified in June before the Senate Intelligence Committee about cybersecurity, he didn’t know his state was among the 21 states targeted by Russian hackers. It turned out that DHS notified the chief information officers in the affected states, but didn’t “consistently” inform senior election officials, according to Bob Kolasky, acting deputy under-secretary at the agency’s National Protection and Programs Directorate.

The department is now working to get election officials security clearances so that they can receive information about threats. “It’s one thing for me to say, ‘You really should take this seriously,’ and it’s another for us to give a brief on why I’m saying you really should take this seriously,” said Kolasky. “What can be shared at a classified level provides more context on the nature of the threat.”

DHS has also designated elections as “critical infrastructure,” in an effort to provide states with federal support in securing elections. But according to Johnson, the move was resisted by some state election officials.

“Surprisingly, we got a lot of pushback from them,” he said. “They perceived a critical infrastructure designation as somehow a federal takeover, or federal regulations. And I spent a lot of time telling them, that’s not what this is. It just simply is prioritizing our assistance if they ask for it.”

In February, the National Association of Secretaries of States passed a resolution opposing the designation, saying that it was passed “without sufficient state consultation or analysis.” The group’s president, Indiana Secretary of State Connie Lawson, said the Homeland Security department should have a role in election security, but that it should be limited.

“I think the federal government can be helpful if they can provide, in a timely way, threat information that states wouldn’t know about if it was going on in another state,” said Lawson. She noted that her state is now one of six working with the department to test a new DHS-funded program called the Multi-State Information Sharing and Analysis Center, which is designed to help monitor networks for anomalous behavior or threats and share that information with election officials.

DHS and states are also working to develop a set of national standards for securing elections from cyber threats. While the standards would be voluntary, experts say creating them is critically important.

Halderman noted that it’s not only Russia that’s capable of interfering in future elections, but also countries like China, Iran and North Korea. “In my opinion, it’s only a matter of time until we do suffer a very, very serious attack on our election infrastructure, unless we get much more serious about securing it.”

Priyanka Boghani

Priyanka Boghani, Digital Reporter & Producer, FRONTLINE



In order to foster a civil and literate discussion that respects all participants, FRONTLINE has the following guidelines for commentary. By submitting comments here, you are consenting to these rules:

Readers' comments that include profanity, obscenity, personal attacks, harassment, or are defamatory, sexist, racist, violate a third party's right to privacy, or are otherwise inappropriate, will be removed. Entries that are unsigned or are "signed" by someone other than the actual author will be removed. We reserve the right to not post comments that are more than 400 words. We will take steps to block users who repeatedly violate our commenting rules, terms of use, or privacy policies. You are fully responsible for your comments.

blog comments powered by Disqus

More Stories

In Wake of Ruth Bader Ginsburg’s Death, McConnell Reverses Course on Supreme Court Vacancy; Vows Vote on Nominee
It’s a markedly different approach than he took in the previous presidential election year of 2016, when a different Supreme Court justice died more than eight months before voters went to the polls.
September 19, 2020
Handling of Public Protests a 'Stress Test' for Police Reform
Violent outbursts have marked the period of unrest since George Floyd died May 25, after Minneapolis police officer Derek Chauvin pinned the 46-year-old Black man to the ground by his neck. In many cases, police have responded with force to disperse protesters, captured on cameras nationwide — including in Cleveland, Chicago, Seattle and Portland, all cities that were already under court-enforced agreements to reform their police departments. Independent monitors overseeing those agreements say it's possible police could find themselves out of compliance for how they've responded to the recent unrest.
September 18, 2020
Amid George Floyd Protests, a Critical Question: Can the Feds Fix American Policing?
As millions of people rallied in the streets this summer demanding an end to police violence, more than a dozen cities were quietly working on their own police reform process — in conference rooms and court hearings.  
September 16, 2020
A Newark Officer Was Filmed Punching Someone. Jelani Cobb Asked a Police Union Head If It Was Justified.
Their resulting conversation in the new FRONTLINE documentary “Policing the Police 2020” illustrates the debate over use of force in policing: what’s legal, what’s justified and whether those definitions should change.
September 15, 2020