The American election system is a textbook example of federalism at work. States administer elections, and the federal government doesn’t have much say in how they do it. While this decentralized system has its benefits, it also means that there’s no across-the-board standard for election system cybersecurity practices. This lack of standardization has become all the more apparent over the past two years: Hackers probed 21 state systems during the lead-up to the 2016 election and gained access to one. But the federal government and states don’t appear to have made great strides to ensure that this doesn’t happen again. To do so, they’d need to deal with not only their own cybersecurity deficits but also those of the private companies that help states administer elections.
Voting machine manufacturers and the makers of election software and electronic poll books (which are lists of eligible voters) are crucially intertwined with state election systems. All states, to some extent or another, rely on these private companies for election products. But despite the central role these companies play, state regulations of them are relatively lax. That’s a problem, especially at a time when these companies are, along with state governments, targets of foreign agents of chaos.
The recent indictment of Russian military intelligence officers as part of special counsel Robert Mueller’s investigation aligned with previous reports that VR Systems, a company that provides electronic poll books and voter registration management systems to eight states, had been hacked via a phishing scheme aimed at compromising employee login credentials. The compromise of VR Systems allowed the hackers to create convincing emails for phishing attacks, this time on state election officials who used the company’s products. Many state officials appeared not to learn of the compromise until news reports about it last summer. Emails obtained by The Intercept reveal that state officials who use VR Systems responded to the breach by seeking guidance from the Department of Homeland Security.