Last September, in the run-up to the election, we learned that Russians had attempted to attack 33 states’ voter registration databases, later revised upward to 39 states. I was asked to testify about this in Congress, and my main concern was that the Russians might attempt to simply delete voters altogether, creating electoral chaos. All the pieces were in place, but the election came and went without wide-scale problems. What happened? We know that Obama and Putin had a “blunt” meeting at the G20 that same September, so it’s possible that Obama was able to rattle Putin enough to make him pull back. Maybe Putin decided that leaking stolen emails was good enough. We may never know the full story, but what is clear is that we need to adequately defend ourselves against future nation-state attacks on our elections, whether from Russia or elsewhere. As James Comey warned the Senate Intelligence Committee recently, “They will be back.”
Computer security experts who deal with nation-state activities use the term “advanced persistent threats” (APT) as a shorthand to indicate that our adversaries have significant capabilities, including both engineering resources and spycraft, to quietly break into our computers, spread out across our networks, and avoid detection. It’s common for APT attacks to last for months to years prior to detection.
Given these threats, we need to conduct a serious analysis of where our elections stand. Harris County’s Hart InterCivic eSlate voting machines, for example, haven’t had any major security updates following studies conducted a decade ago by the states of California and Ohio. (I was part of the California effort.) In short, an attacker need only tamper with a single voting machine. After that, the infection can spread “virally” to every machine in the county.