For weeks, U.S. Sen. Angus King has been telling anyone who’ll listen that the biggest, most worrisome thing about Russian interference in the 2016 election isn’t getting enough attention and has nothing to do with President Trump. King has warned in congressional hearings, television appearances and interviews with reporters that Moscow tried and is still trying to compromise American voting systems – and that if nothing’s done it might very well change the results of an election. … While intelligence officials say there is no evidence that vote counts were changed last November, a leading expert on security threats to voting machines said this possibility cannot be excluded without a forensic audit of the results. Even voting and vote counting machines that are not connected to the internet can be and could have been compromised when they received software programming them to display or recognize this year’s ballots, said J. Alex Halderman, director of the University of Michigan Center for Computer Security and Society.
“I am more pessimistic than the Department of Homeland Security officials who (testified) about whether they would have been able to detect such an attack were it carried out,” Halderman said after testifying before the Senate Intelligence Committee, which both King and Sen. Susan Collins, R-Maine, sit on. “The most direct and scientific way to establish that there had not been interference in our election would be to look at the physical evidence and to perform computer forensics on the voting machines and other election equipment.”
Halderman said his team has successfully hacked widely used voting machines during security tests and has been able to reprogram them to spread software from machine to machine that allowed them to change vote counts undetected. Russia could introduce such code to devices by infecting pre-election programming. In Michigan, he said, 75 percent of counties outsource this programming to just two companies, emailing them the ballot design to load into the machines. “It’s a path sophisticated hackers like Russia might well exploit,” he said, adding that the malware could be passed from machine to machine via the thumb drives and memory cards their software patches are delivered on.
While 70 percent of U.S. votes are made with paper ballots or backups, five states and jurisdictions in nine more do not, according to Verified Voting, a nonprofit in Carlsbad, California, that focuses on electoral security. In those jurisdictions, the group says, it is impossible to conduct a post-election audit to detect a hack or software error.