On Monday night, the Intercept published a leaked National Security Agency report that recounts a Russian military intelligence cyberattack against a voter registration software company. According to the report, Russian government hackers appear to have used “data obtained from that operation to … launch a voter registration–themed spear-phishing campaign targeting U.S. local government organizations.” On one level, this story was not particularly surprising. Even before the Intercept article, we knew—based upon previous news reports, as well as a January report from American intelligence agencies—that hackers working on behalf of the Russian government were targeting state and local voter registration databases. And there is nothing in the NSA report or the Intercept piece that supports the idea that Russian hacks against election offices and registration system prevented anyone from voting or changed vote totals in any way. (It always bears repeating that the voter registration system and vote tallying systems are different. An attack against the registration system will not change vote totals on a voting machine.)
But the leaked NSA report adds disturbing details to this knowledge, making it clear that the attacks against local election offices and the voter registration system were even more extensive than was previously known and that they came after President Obama personally told Vladimir Putin to “cut it out.” In other words, we cannot assume America’s election infrastructure is somehow immune to cyberattack. It’s wishful thinking to believe something that happened in Ukraine or Bulgaria couldn’t happen here.
Despite the alarms raised by these revelations in recent days, there has been little discussion of solutions. But the way forward is relatively clear. Protecting our elections against foreign attackers ultimately requires the will to squarely address known vulnerabilities—a will that has been lacking in Washington.
The details about Russian hacking cast into stark relief Congress’ stunning passivity around the issue of election infrastructure security—not just for the past few months, but for more than a decade.