When the Department of Homeland Security notified 21 states that Russian actors had targeted their elections systems in the months leading up to the 2016 presidential election, the impacted states rolled out a series of defiant statements. “Oregon’s security measures thwarted Russian government attempts to access the Secretary of State computer network during the 2016 general election,” chest-thumped Oregon Secretary of State Dennis Richardson. The Florida secretary of state’s office, which oversees elections, was triumphant: “Florida was unsuccessfully targeted by hackers last year.” In Iowa, Secretary of State Paul Pate trumpeted the Hawkeye State’s cyber sophistication: “Iowa’s elections system was successful in blocking attempted outside intrusions.” Not to be out done, media reports took those proclamations one step further, claiming that “Russians tried to hack Oregon elections system in 2016” and “Federal government notifies 21 states — including Iowa — of election hacking.” But in most cases, according to the DHS, Russian actors scanned the public-facing websites of state agencies, apparently looking for vulnerabilities. The DHS said that in almost all of the cases, there was no evidence the operatives attempted to exploit any vulnerabilities. It was not, in other words, a thwarted bank robbery. Instead, Russian operatives surveyed the bank from the sidewalk, and then headed home.

While the states are busy celebrating their successes, they are doing far too little to ensure that operatives don’t get in next time they show up and actually try to infiltrate, say cybersecurity experts. “The fact that they were scanning meant they were looking for vulnerabilities. If they come back next time, they’re going to come back much deeper,” said Latanya Sweeney, a professor of government and technology at Harvard University and author of a recent report on the possibilities of voter identity theft. “This really begs the question of not how secure were our websites last year, but how easy it is for them to hear of a vulnerability, test for it, and improve? How flexible and malleable are the systems and the infrastructures to be [able to be] changed and updated on the fly? I do think that our study shows that they’re very sluggish and very slow and very resistant, which is not good.” The Harvard report, titled “Voter Identity Theft: Submitting Changes to Voter Registrations Online to Disrupt Elections,” concludes that online attackers can alter voter registration information in as many as 35 states and the District of Columbia by buying personal information through either legitimate or illegitimate sources. Voter registration information is public, and many states allow citizens to make changes online, even if they registered in person or by mail. A determined hacker could buy voter lists from the 36 jurisdictions that allow online registration, and separately buy the personal information used to confirm a voter’s identification – such as Social Security or drivers’ license numbers – to get in and make changes. Many states have backend processes to verify changes to voter data. In Connecticut, one of the 21 states the DHS said was targeted by Russian actors, “the online voter registration system is separate from the official voter roll, so when a change is made to the online system, before that change gets made in the central voter database, it physically goes to the office of the registrar, who must confirm and manually make the change,” Gabe Rosenberg, communications director at the Connecticut secretary of state’s office, told The Intercept. But that’s not necessarily enough, said Ji Su Yoo, a Harvard research analyst who co-authored the study with Sweeney. “If a human is in the loop and there’s an abnormal amount of requests [to change voter information] throughout the day, a human can be useful in saying there’s a red flag,” Yoo told The Intercept. “Another way to beat the human in the system is to insidiously just put in a few requests at a time and have the machine submit changes in a randomized order.” This type of breach is not theoretical. In Riverside County, California, someone with access to voters’ personal information changed party affiliation information for up to hundreds of voters before the 2016 Republican Party primary. California Secretary of State Alex Padilla responded to that incident much like states have been responding to the DHS’s most recent revelations, by saying there was no evidence of a breach of the voter database. The response is problematic, Sweeney said, because it points out the difficulty in distinguishing between changes made by actual voters and those made by an imposter. “This is harmful because even if an attack happens, those responsible for our systems would be unable to detect the problems,” Sweeney told The Intercept. Voting software is another potential target for hackers. The Intercept has previously reported on a top-secret National Security Agency report detailing a cyberattack by a Russian intelligence agency on at least one U.S. voting software supplier. The attackers sent spear-phishing emails to more than 100 local election officials just days before the November election, according to the highly classified report that was provided anonymously to The Intercept. A spokesperson for one state elections division said his office appreciates The Intercept’s reporting on the NSA document, describing it as “seminal.” But that official would only agree to speak anonymously. In public, election officials prefer to take a nothing-to-see-here attitude. Although the DHS announcement last week unleashed a media frenzy that often conflated a scan of public-facing websites with attempts to breach election systems, the agency did not actually reveal much new information. In short, federal officials on September 22 called election officials in every state to notify them whether there had been attempts to target their election systems prior to the 2016 election. The Associated Press later identified the 21 states that were notified there had been an attempt on their systems, but in most cases, “only preparatory activity like scanning was observed,” DHS spokesperson Scott McConnell told The Intercept in a statement. “In some cases, this involved direct scanning of targeted systems. In other cases, malicious actors scanned for vulnerabilities in networks that may be connected to those systems or have similar characteristics in order to gain information about how to later penetrate their target.” To be clear, a network scan is not a hack, or even an attempt at one. But we already knew that. In June, Jeanette Manfra, DHS acting undersecretary for cybersecurity and communications, testified before the U.S. Senate Intelligence Committee that the Russians targeted 21 election systems, and that a small number were breached, but she did not identify them. Arizona and Illinois last year confirmed that hackers had targeted their voter registration systems. Manfra told the Senate committee that the states had been notified, but officials in at least three states – Alabama, California, and North Dakota – said they were clueless before the recent announcement.



People cheer as voting results for Wisconsin come in at Republican presidential nominee Donald Trump?s election night event at the New York Hilton Midtown on November 8, 2016 in New York City. Photo: Mark Wilson/Getty Images