Elizabeth Weise

USATODAY

SAN FRANCISCO — Russian military hackers said to have infiltrated the U.S. election system would have had several potential avenues to influence U.S. elections — including by tampering with voting rolls, interference that could have had an important impact in swing states.

Whether or not this happened isn't outlined in a leaked National Security Agency report that led to the arrest Monday of a federal contractor with top-secret security clearance. There has been no evidence votes were changed in the 2016 presidential election, though officials in North Carolina are actively investigating attempts to compromise the state's electronic poll book software.

Online news site The Intercept said the report it obtained said Russian military intelligence executed a cyber attack on VR Systems, a Florida-based U.S. supplier of voting software. Hackers used the VR Systems account to send deceptive emails to more than 100 local election officials in the days leading up to the November presidential election, according to The Intercept.

What was the end game of hackers — and did they influence the election? Cyber security experts say the hacks could simply have been aimed at sowing distrust among the public about the outcome of the 2016 presidential race, a fear that was top of mind among secretaries of state and voting fairness organizations leading up to November 8. Other possible scenarios include trying to keep voters off registrations lists or planting Trojan software programs in election networks to be used at a future date, say cyber security experts.

None of the techniques required for these hacks would be especially hard for a reasonably sophisticated nation state, said Alex Halderman, a nationally known expert on electronic voting and voting system security at the University of Michigan.

In this case, the Russians identified staff at VR Systems that provided consulting and support services to local election entities across the United States, The Intercept reported. Posing as staff at those vendors, hackers sent local election workers carefully-faked phishing emails that contained malware hidden in a Microsoft Word document. When the worker opened the document, that would have allowed the attackers to gain a beachhead in multiple election jurisdiction networks.

VR Systems did not respond to a USA TODAY request for comment Tuesday. In an earlier statement, it said it was aware of a "handful" of customers who received the fraudulent email. "Of those, we have no indication that any of them clicked on the attachment or were compromised as a result," it said.

The NSA report appears to be confirmation that Russian interference in the U.S. 2016 election went well beyond email leaks and information-centric attacks. It shows that the Russians, specifically the Russian General Staff Main Intelligence Directorate, was trying to attack the machinery of the election itself.

Russian President Vladimir Putin said last week that his country has never engaged in hacking other nations’ elections, but did say that it was possible that hackers with “patriotic leanings” might try to fight those who spoke badly of Russia, the Associated Press reported.

Related:

Sen. Mark Warner: More state election systems were targeted by Russians

Accused NSA leaker Reality Leigh Winner left easily followed trail, FBI says

Russian hacking attempt targets small elections-technology industry

One possibility — affecting voter registration rolls — would not be difficult, say experts. While election systems are usually county or even municipality-based in the United States, under federal law each state must create a state-wide list of potential voters. Disruptions to those lists could have been used to launch large scale purging of voter rolls, said Harri Hursti, a co-founder of Nordic Innovation Labs, which provides cyber audits of election systems.

As most polling places only keep a limited number of provisional ballots on hand, it could have resulted in a meaningful number of voters being unable to cast their ballots, said Hursti, who in 2005 showed it was possible to hack into a Diebold voting machine and change vote tallies, a technique now known as “the Hursti Hack.”

No specific evidence of such attacks has emerged. However, North Carolina did report malfunctions of laptops used to verify voter registration in key jurisdictions, resulting in long lines and waits as polling places ran out of provisional ballots. The state elections board extended voting hours up to an hour at eight precincts in Durham county, which used. The state had been pegged as one of the tightest in the nation between the two main presidential candidates in the weeks leading up to the election.

In a statement Tuesday, North Carolina's State Board of Elections said it was "actively investigating reported attempts to compromise VR Systems’ electronic poll book software, which is used on Election Day in 21 of North Carolina’s 100 counties to help check in voters who show up to cast ballots in person."

The software was not used in any ballot marking or vote tabulation in the state, the board said.

Other states have had their poll books probed as well. Last August election officials reported that a suspected Russian hacker had probed a voter registration database in Arizona and another unidentified attacker gained entry to one in Illinois over the summer, prompting the FBI to warn states their election boards should conduct vulnerability scans.

In perhaps an extreme case, experts say the attack described in the NSA report could easily have been used to install Trojan programs into election system computers. These are programs that appear to be something innocuous and lay in wait until called upon to act by whoever planted them.

“If it were me, I’d wait until we got close to a big election and I could determine which jurisdictions mattered. Then I would infect machines in those areas and manipulate the vote tallies, taking into account local election laws and what triggers a recount – and making sure the outcomes were realistic in their potential in their potential swings,” said Joseph Kiniry, CEO at Free & Fair, an election security firm in Portland, Ore.

Counting paper is key

Going forward, experts say two things are necessary to ensure the accuracy and trustworthiness of future elections — paper ballots and audits.

Paper ballots are extremely difficult to change on a large scale, so they're considered the gold standard for safe voting. The good news is that about 70% of votes cast in the United States at this point are on paper ballots.

The bad news is that the majority of those ballots are counted by machines. The only way to confirm that vote totals haven’t been tampered with is to audit the results of every election soon after it is completed, using the paper ballots. It’s not necessary to re-count all of them, merely confirm that a statistically significant number were accurately read and counted by whatever machines are used in the election district.

That isn't happening right now.

“Few states and locales currently do audits that are sufficiently robust to know that the outcome is correct in all races,” said Susan Greenhalgh, an election specialist at Verified Voting, a non-profit that focuses on election accuracy and integrity.

The leak of the NSA report is an opportunity for Congress to put standards for post-election audits and security in place, say experts.

“Maybe we dodged a bullet this time" and there was no actual vote tampering. "Next time we may not be so lucky,” said Bruce McConnell, a global vice president for the EastWest Institute, an international conflict resolution think tank and formerly deputy undersecretary for cyber security with the U.S. Department of Homeland Security in the Obama administration.