The furor over the cyberattacks injecting turmoil into Hillary Clinton’s presidential campaign obscures a more pervasive danger to the U.S. political process: Much of it has only lax security against hackers, with few if any federal cops on the beat.

No one regulator is responsible for requiring campaigns, political operations and state and local agencies to protect the sanctity of the voter rolls, voters’ personal data, donors’ financial information or even the election outcomes themselves. And as the Democrats saw in Philadelphia this past week, the result can be chaos.


The most extreme danger, of course, is that cyber intruders could hack the voting machinery to pick winners and losers. But even less-ambitious exploits could sway the results in a close election — anything from tampering with parties’ volunteer schedules and get-out-the-vote operations to deleting the registrations of frequent voters or knocking registration databases offline. Cyber scams aimed at campaign donors’ financial data, such as a just-disclosed hack aimed at the Democratic Congressional Campaign Committee, could deter future contributors by making them fear identity theft.

Or, as happened this past week to the Democratic National Committee, online thieves could get hold of a political operation’s embarrassing internal emails, creating headaches for a presidential candidate just before she accepts her party’s nomination.

All that data is in the hands of a hodgepodge of public agencies and private groups, with varying levels of security and no one regulator overseeing it all. Interviews with dozens of election officials, political operatives and cybersecurity experts revealed rising anxiety about the threat, 16 years after Florida’s hanging chads demonstrated the election system’s vulnerability to run-of-the-mill fumbles.

“We don’t have any central laws governing this process,” said Ion Sancho, the supervisor of elections for Leon County, Fla., who stirred a nationwide debate a decade ago by raising questions about the security of touchscreen voting machines.

It's even more true for political parties and campaigns, despite the huge impact their lapses can have on the outcome of an election.

That must change, security and some elections experts said this week, after the release of the stolen DNC emails stoked a rift between the Democrats’ Clinton and Bernie Sanders wings, forced the resignation of Chairwoman Debbie Wasserman Schultz and fueled Democratic speculation that Russian intelligence services are trying to steer the election toward Donald Trump. News of the DCCC hack broke Thursday night just as Clinton was preparing to accept her nomination, while her campaign acknowledged Friday that the DNC breach had affected a data analytics program it also uses.

These kinds of breaches are unacceptable, 32 experts from the bipartisan Aspen Institute Homeland Security Group said Thursday, writing that candidates’ and campaigns’ lax attention to security “threatens public confidence in the political process.”

“Just as the federal government offers, and candidates routinely accept, Secret Service protection for their candidates, so too should campaigns and candidates be offered and accept assistance in securing their communications,” wrote the officials, including former CIA Director Michael Hayden and former Homeland Security Secretary Michael Chertoff. They added that “voting processes and results must receive security akin to that we expect for critical infrastructure” — akin to the heightened scrutiny given to the electrical grid or the financial industry.

"I think that the voting structure absolutely should be treated like the banking infrastructure,” agreed Jenny Durkan, head of the cybersecurity group at the law firm Quinn Emanuel, in a POLITICO interview.

Election-related targets far from D.C. have also fallen victim to breaches this month, including voter registration systems in Arizona and Illinois that had to go offline after suspected foreign hackers infiltrated them.

“Very candidly, the elections industry is catching up," said Jeramy Gray, assistant registrar for information technology in Los Angeles County. He said he's gotten reports of hundreds of potential cyber attacks on the county's websites and digital services from the U.S. and abroad, including its elections-related websites.

The nation’s political system might seem to be at stake, but federal agencies have only a slight hand in regulating election security, leaving most true oversight to occur at the state and local levels. The federal Election Assistance Commission and the National Institute of Standards and Technology work on standards or guidelines that states can follow, but those are voluntary. The Department of Homeland Security is on call to respond to cyberattacks, and the FBI can investigate breaches, but safeguarding elections isn’t their main mission. The Federal Election Commission enforces campaign finance laws but has no authority over data breaches of campaigns or voter rolls.

Even the scale of the problem is hard to pin down, aside from high-profile hacks such as the cyber break-in at the DNC and repeated attacks on Trump’s campaign and business websites. (In March, the hacker collective Anonymous said it was declaring “total war” on the Republican nominee.) Hackers have made multiple attacks on the U.S. presidential campaigns in at least the last three election cycles, including Barack Obama’s in 2008, and Director of National Intelligence James Clapper warned in May that "we'll probably have more of it.”

At least in the U.S., no proven cyberattack has managed to change an election's outcome. But the concept is far from outlandish: In South Africa, cyber intruders tried to depress the African National Congress’ vote total in the historic 1994 election that brought Nelson Mandela to power, as a former election monitor revealed in a book 16 years later.

Lower-level potential hacks, such as stealing candidates’ internal strategy documents, messing with campaign event schedules or deceiving voters about when the polls are open, mirror political dirty tricks from less plugged-in eras. But thanks to the internet, foreign intelligence agencies and hackers around the globe can also try to meddle in elections large and small.

Campaigns, parties, PACs and political operatives may not even realize how many potent weapons are lying around in their computer networks and databases. In some cases, nonprofit organizations across the political spectrum have customer and donor info “going back decades just sitting there,” said John Wethington, vice president of the Americas for data security firm Ground Labs.

“Cyber criminals don't always attack the way we think they might,” said Jonathan Sander, vice president of Lieberman Software, which offers cyber protection to businesses and government agencies. “And there is lots of tech that's more critical than it seems until it's been owned by the bad guys."

Hackers could even use the news media as a weapon, Sander said. “Bad guys could send false messages out through county or state channels like local TV, radio, or text messages claiming polling locations had changed or closed early,” he said. “They would only need to hack media systems to make that happen.”

Campaigns’ Election Day ground games are also ripe for hacks that could tilt a close race, said Herb Lin, a senior cyber policy scholar at the Hoover Institution. “There are get-out-the-vote operations, and sometimes for example people say, ‘We’ll give you a ride to the polls.’ That’s going to be locally managed. It’s some person on a spreadsheet in a local precinct.

“You don’t need to stop it,” Lin said. “All you need to do is muck it up a little bit. … And if you muck it up just a little bit, you may be able to throw things your way enough to make a difference."

Political campaigns are especially vulnerable to cyber mischief, being inherently short-lived operations where security is traditionally a low priority.

Even among government agencies, local and state election agencies aren’t equally equipped to deal with the threat.

“It’s so decentralized and you’ve got big counties and small, counties that have a whole IT staff in their office, and counties that have nothing remotely like that, and their election officials are part-time,” said Pamela Smith, president of election watchdog Verified Voting. “There’s a broad diversity of jurisdictions.”

In the week since the DNC’s internal communications went public, concern about the issue “has exploded” on an email list made up of election officials and advocates helping advise the federal government on future voting security, said Joseph Kiniry, CEO of the company Free & Fair. “I can’t even keep up with it right now.”

Still, Florida’s Sancho said only a minority of county election officials nationwide see a clear need for strict federal standards, as well as the funding or buy-in for technological upgrades.

“You have to overcome the belief that it’s not needed, that we’re fine,” he said. “That’s a ludicrous belief, but it’s one that really permeates the election business in the United States.”

For example, Sancho said his county had to save up for years to buy a system called ClearAudit that allows it to double-check each vote, and a handful of other Florida counties have adopted it as well — but Washington has been little help. "There’s no more money coming for voting technology — none,’” he said. “Excuse me, some of these devices, they shouldn’t be using these devices.”

Other state and local election officials in Florida and other key swing states say they've taken strides to protect their technology from meddling, disputing the notion that security is uniformly weak.

“We’re certainly aware of all the stuff that’s been going on,” said Edgardo Cortes, a commissioner with the Virginia Department of Elections. “We house a lot of sensitive data on the election side, so we want to make sure that our voters are confident that their data’s secure with us.”

Among other steps, he said, Virginia has changed the way it displays election results, pushing the data to local internet providers' servers so people can read it there instead of “hitting our system directly. … [That has] not only made the election night reporting more secure, but it’s also kept it running on election night.”

The board has also decertified voting systems that used wireless technology, which it viewed as posing too many risks.

Josh Eck, a spokesman for the Ohio Secretary of State Jon Husted, said his state has a thorough process for tallying and reporting electronic votes that requires a member from each party to collect the memory cards and travel in the same vehicle to physically hand over the results. Local officials then tally the votes and input the outcome into the statewide election reporting system.

“At every step of the way, there is always an original record that was un-impacted by technology,” Eck said, adding that “nobody’s ever raised a suspicion that there’s been an issue with security.”

Ohio also mandates that all voting machines pass a certification process conducted by the federal Election Assistance Commission. The independent agency deconstructs and rebuilds all voting machines to check the security of each component, Eck said.

But EAC-certified machines are not deployed throughout much of the central Midwest, West Coast or Northeast. States determine individually what standards they want to set.

In Florida, Department of State spokeswoman Meredith Beatrice said her agency's information technology staff have been working closely with all 67 counties and holding meetings with security staff in other states to prepare for this year's elections.

"We are engaged in ongoing security preparation, as we do for every election cycle,” Beatrice said. (She declined to say whether any cybersecurity meetings have occurred since the DNC breach.) Sancho noted that Florida, unlike some states, also keeps its statewide voter registration database separate from each county’s voter rolls, making it easier to check against tampering.

Florida and Virginia are also among a number of states that have turned away from a mid-2000s embrace of touchscreen electronic voting machines — a hangover from the Bush v. Gore era that wound up creating its own security complaints.

After the national trauma created by Florida's old-fashioned punchcard ballots in the 2000 election, several states seized on a $3 billion federal investment to switch to ATM-like touchscreens. But the lack of a paper trail in those machines led to complaints that vote-tampering would be difficult to detect, as well as liberal conspiracy theories that George W. Bush's campaign might have stolen the 2004 election in Ohio.

Florida wound up being a pioneer of the back-to-paper movement, following a 2006 U.S. congressional race in which opponents of Republican victor Vern Buchanan charged that more than 16,000 electronic votes had disappeared . (A federal judge dismissed that claim as “ conjecture .”) The following year, then-Gov. Charlie Crist signed a law moving the state to optically scanned paper ballots.

This November, about 70 percent of U.S. voters will cast paper ballots, Verified Voting’s Smith said.

Eric Geller and Bob King contributed to this report.

