Elections authorities and cyber security experts say a concerted effort to alter the outcome of November’s elections through a cyber attack is nearly impossible, even after hackers gained access to voter registration databases in at least two states. But some of those same experts say hackers with ties to Russia aren’t aiming to change election results; instead, their goal is to create a perception that the results are in question, and to undermine confidence in American democracy.
“Russian tampering with elections is not new. It’s only new to the U.S.,” said Chris Porter, who runs strategic intelligence for the cybersecurity firm FireEye Horizons. He pointed to Ukraine, Bulgaria, Romania and the Philippines, where Russian-backed hackers have gained access to electoral systems in recent years. “It’s just enough to create scandal,” Porter said. “That’s sufficient for Russian aims.”
Last month, officials in Arizona and Illinois discovered their voter registration systems had been hacked, a leak that put thousands of voter registration records up for sale on the black market. In January, more than 17 million voter registration records from Washington, Delaware, Rhode Island and Ohio were stolen.
In the wake of those attacks, Homeland Security Secretary Jeh Johnson held a conference call with state elections administrators, and the Federal Bureau of Investigation issued an advisory warning telling administrators to watch out for possible cyber attacks. On the call, and in subsequent follow-ups, DHS told state officials they had no credible information suggesting an imminent cyber attack.
DHS has also organized an Election Infrastructure Cybersecurity Working Group, aimed at identifying potential vulnerabilities and offering guidance on best practices. Four Secretaries of State, from Georgia, Indiana, California and Connecticut, sit on the federal panel.
Homeland Security personnel have also offered to scan state election systems to probe for vulnerabilities before hackers find them. Wanda Murren, a spokeswoman for Pennsylvania’s Department of State, said her agency would use DHS’s offer of help.
The hacks of voter registration data were more about scooping up personal information than about undermining election results, experts said. That’s because state and county offices maintain two distinct systems for administering elections: One handles registered voters. The other tabulates election results.
The registered voter database may be vulnerable to attacks, but tabulation databases are much less so. Most states and counties do not connect their tabulation systems to the internet at all; actual voting machines that count ballots are not connected to the internet either, and new security systems mean they cannot be infiltrated even with an off-the-shelf thumb drive if a hacker were to gain physical access to a machine.