It’s not really all that hard to hack American democracy. That fact should be driven home by a recent article from The Intercept detailing the contents of a highly classified NSA report that found evidence of a massive Russian cyberattack on voting software and against over 100 election officials. While the NSA concluded the attack was carried out by the most sophisticated of hackers—the Russian military—their entry methods were relatively vanilla. They gained access to the credentials and documents of a voting system vendor via a spear-phishing attack, and then used those credentials and documents to launch a second spear-phishing attack on local elections officials, which if successful could have compromised election officials’ systems and whatever voter data they possessed.
Russia’s intrusions were instructive. While it’s unclear just how many records they accessed or how deeply they’d compromised systems that could actually electoral outcomes, their probing illustrated how easily elections infrastructure is compromised—and also how officials might not have any idea just how compromised it already is. Using social engineering and phishing, they reached every level of the voting infrastructure, from the private vendors that create electronic ballots to state coordinators and local officials. And according to Bloomberg, the main reason intelligence officials know about that systematic attack was only because a contractor for the Illinois state board of elections noticed an unauthorized download of voter data.
So we found out about that attack, but might there be others? The splintered digital infrastructure across and within states; the use of multiple vendors; the overlapping interfaces between municipalities, counties, and states; and the reliance on of volunteers for data entry and verification in both registration and voting mean that there are literally thousands of entry points to compromise elections in each state.