With just a little more than a year to go before the 2020 US presidential election, security experts and lawmakers say progress has been made to guard against foreign interference. But they warn the country’s election infrastructure could be vulnerable to the types of hacking operations that took place in the lead-up to the 2016 election.
One such attack was directed at the Illinois State Board of Elections, an agency that oversees and facilitates parts of election processes in the state, including a statewide voter registration system.
“One of our IT people noticed that our [voter registration] system was running extremely slowly,” said Matt Dietrich, a spokesperson for the agency. “It had practically shut down.”
The IT member inspected the system, and discovered that an intruder had exploited a vulnerability on the board’s online voter application, broken into the statewide voter registration database and gained access to voter information, including names, addresses and drivers’ license numbers.
“It was terrifying. ... We took the entire system down.”
“It was terrifying. ... We took the entire system down,” Dietrich said.
In the immediate aftermath of the incident — which took place in July 2016 — Dietrich says the agency didn’t know who was behind the intrusion. But in July 2018, then-Special Counsel Robert Mueller indicted 12 Russian military officers over alleged cyber operations to interfere with the 2016 US presidential election.
Dietrich remembers the day the indictments came out. He opened up his computer, and immediately did a word search for “Illinois” to see if the state was mentioned in the document. It wasn’t. “But there was a paragraph that described a board of elections, and it obviously was referring to us. And so, we had a press conference that day where we said, ‘This, obviously, is us.’”
Illinois was not alone. Earlier this year, the US Senate Intelligence Committee, which has been investigating Russia’s attempts to interfere with the 2016 election, concluded that election systems in all 50 states were targeted by hackers linked to the Russian government. The number of successful penetrations appears to have been much smaller; Russian operatives were able to get into Illinois’ system as well as the voter databases of two counties in Florida.
Other states were compromised as well, according to reports. Russian hackers also targeted “private technology firms responsible for manufacturing and administering election-related software and hardware, such as voter registration software and electronic polling stations,” according to the Mueller report, released in May. But there’s no evidence that the Russians manipulated vote tallies, election results or voter data.
In the aftermath of the 2016 elections, state and federal officials have been taking steps to make election systems more secure.
The Illinois State Board of Elections created the Cyber Navigator Program to train election authorities on cybersecurity and provide risk assessments of hardware and software and funding to smaller jurisdictions looking to bolster their defense systems. Other states, including Florida, are also taking cybersecurity measures ahead of 2020.
“There's a much greater awareness among election officials that security is an extremely important part of their job.”
“There's a much greater awareness among election officials that security is an extremely important part of their job,” said Larry Norden, director of the Brennan Center for Justice at NYU Law.
Marian Schneider, president of Verified Voting, an election security nonprofit, says the Department of Homeland Security’s designation of election systems as critical infrastructure in 2017 was also a step in the right direction.
“What that did is, elevate elections in the priority of things that have to be protected,” Schneider said. “And it opened up communication between all levels of government, especially between the federal government and state election officials.”
Other election security experts say they’re encouraged to see better communication between government officials and the private sector.
Despite the progress, the country is heading into the election with “endless” vulnerable points in the election infrastructure, according to Norden.
“American elections are very decentralized,” Norden said. “We have 8,000, at least, election jurisdictions in the US. In some ways, that means we're running 8,000 different elections during a big federal election, like a presidential election. And one of the things that we saw in 2016 was that local election offices were clearly a target.”
Norden says those local offices often have no IT support — and no cybersecurity staff.
“[That makes them] a weak link in the election security system and potentially vulnerable to the kinds of attacks that we saw in 2016.”