When the Department of Homeland Security notified 21 states that Russian actors had targeted their elections systems in the months leading up to the 2016 presidential election, the impacted states rolled out a series of defiant statements. … But in most cases, according to the DHS, Russian actors scanned the public-facing websites of state agencies, apparently looking for vulnerabilities. The DHS said that in almost all of the cases, there was no evidence the operatives attempted to exploit any vulnerabilities. It was not, in other words, a thwarted bank robbery. Instead, Russian operatives surveyed the bank from the sidewalk, and then headed home. While the states are busy celebrating their successes, they are doing far too little to ensure that operatives don’t get in next time they show up and actually try to infiltrate, say cybersecurity experts.
… In conversations about probes of election systems, it is important to make a distinction between changes to voter registration and a hack that impacts the tallying of the votes, said Lawrence Norden, deputy director of the Democracy Project at New York University’s Brennan Center for Justice. “Having said that, I have seen no evidence from DHS or anybody else that there was an attack on the counting of the votes, but I think all of this should be a warning shot and a wake-up call for some of us that we’re lucky that we have this now, and we’re doing everything we can to ensure that all systems are protected from tampering,” Norden told The Intercept. Because voter registration is public, Norden added, there’s a good chance people would notice if registration systems are tampered with.
Still, most states lack the mechanisms to deal with large-scale changes to voter registration, said Bruce Schneier, a cybersecurity specialist at Harvard’s Berkman Center who has written frequently about the security vulnerabilities of U.S. election systems. “Imagine an election in a state office, where 20 percent of the people can’t vote, and everyone says the voting roll was hacked. There’s no system to deal with that — there’s no plan, no rules,” he said.
“Unfortunately, in all elections, after it’s over, half the country doesn’t want to revisit it,” Schneier told The Intercept, which is why elections offices should prioritize developing a plan to deal with these issues. “The time to create a plan is before the battle lines are drawn, before we know who the hack favored, before we know who won and who lost.”