They knew Russian operatives might try to tamper with the nation’s electronic voting systems. Many people inside the U.S. government and the Obama White House knew. In the summer of 2016, a cluster of volunteers on a federally supervised cybersecurity team crafting 2018 election guidelines felt compelled to do something sooner. Chatting online, they scrambled to draw up ways for state and local officials to patch the most obvious cyber vulnerabilities before Election Day 2016. Their five-page list of recommendations focused on two gaping holes in the U.S. election system. It warned that internet voting by at least some citizens in 32 states was not secure and should be avoided. And, critically, it advised how to guard voting and ballot-counting machines that the experts knew could be penetrated even when disconnected from the internet. But the list was stopped in its tracks. A year later, even as U.S. intelligence agencies warn that Russian operatives have their eyes on 2018 and beyond, America’s more than 7,000 election jurisdictions nationwide still do not have access to those guidelines for shielding the voting process.
… On Aug. 7, 2016, David Wagner, a University of California computer science professor who had a lead role on the working group, wrote in an email: “I’d like to push to see if we can get out something very soon, to provide as a resource for election officials preparing for elections this November. That means we need to move quickly.” Email chains and other records show that, with NIST fully in the loop, the group hurried to prepare the guidelines with the assumption they would be circulated before the election.
But three weeks later, on Aug. 30, NIST pulled the plug. No distribution would be formally considered in 2016 because it was too close to the election, NIST official Andrew Regenscheid told Susan Greenhalgh, a watchdog at the nonprofit Verified Voting who shepherded completion of the recommendations in the working group. Greenhalgh, who said she was stunned, confirmed the decision a couple of days later in a phone call with the head of NIST’s voting unit. “I told them I thought they were making a big mistake,” Greenhalgh said.
From that moment until Election Day, Russia completed what one computer security expert privately described as a “cyber Pearl Harbor.” Meanwhile, many states and counties nationwide opted to allow federal reviews of their cyber hookups in the fall of 2016. They revealed widespread vulnerabilities. In South Carolina alone, National Guard cyber specialists found at least “high” risks in all 46 counties evaluated, 20 of which had issues identified as critical, according to public records obtained by University of South Carolina computer scientist Duncan Buell and Frank Heindl, a Charleston activist.