After Robert Mueller’s indictment of 13 Russians last week, there can be no doubt that the Kremlin meddled with the 2016 election by spreading lies through social media that twisted voters’ judgments. But what about more direct forms of interference: Did Russia shift the election’s outcome by hacking registration rolls or voting machines?
The fact is that it’s impossible to say. In September, the Department of Homeland Security informed officials in 21 states that Russians had hacked into their registration systems in the run-up to the election. Whether the hackers manipulated the rolls—removed names or switched their precincts—no one has investigated; perhaps no one could investigate, as so many months had passed before the hack was revealed.
It is becoming clearer by the day that, whether or not this less visible form of meddling took place in 2016, it could in 2018 and 2020. It is well within the means of even slightly above-average hackers. And U.S. officials are doing little to erect any barricades, though they could do a lot if they wanted.
Some dismiss the threat, noting the vast decentralization of our voting system—100,000 polling stations in 8,000 election precincts. Even if a fair number of voting machines were hacked, it would affect only a small percentage of the votes.
But these numbers ignore a larger systemic problem. In hearings last year before the Senate Intelligence Committee, J. Alex Halderman a professor of computer science at the University of Michigan, testified that only a handful of vendors and contractors provide the equipment used in election machines. “Attackers could target one or a few of these companies and spread malicious code to election equipment that serves millions of voters,” he said. “Furthermore, in close elections, decentralization can actually work against us. An attacker can probe different areas of the most important ‘swing states’ for vulnerabilities, find the areas that have the weakest protection, and strike there.”
For the past decade, Halderman has run the “red teams”—the simulated attacker—in games to test the vulnerability of election machines. In those games, he testified, his team “could reprogram the machine to invisibly cause any candidate to win. We also created malicious software—vote-stealing code—that could spread from machine to machine like a computer virus, and silently change the election outcome.”
In the realm of computer hacking, these sorts of attacks are far from the most sophisticated—and the methods for blocking the attacks aren’t so sophisticated either. “We know what to do,” Bruce Schneier, a noted cybersecurity specialist, said in a phone interview. “It’s not a matter of figuring out the tech. The problem is our political system.”
In a letter to Congress last June, 103 computer scientists warned that the danger to democracy from vote hacking was real and recommended some basic steps to ward off this threat. They were all pretty basic: Replace all paperless voting machines, set minimum cybersecurity standards for voter-registration systems, test optical scanners (computers that read paper ballots) to ensure that they are accurately reading the ballots, and conduct postelection audits to ensure that the scanners and the paper ballots produce the same result.
This month, the Center for American Progress released a study measuring the degree to which each of the 50 states meets these basic standards. The results were alarming. Paperless voting systems—touch screens with no paper backups—are still used in 14 states. Only 26 states require postelection audits. Forty-one states use database software that was created more than a decade ago—so long ago that the vendors no longer track vulnerabilities or send patches to the users.
More distressing still, some of the worst laggards, by these measures, are battleground states. Florida gets an F, judged as “incomplete” or “unsatisfactory” on six of seven security metrics. Pennsylvania and Arizona get D’s. Iowa, Michigan, Nevada, Virginia, and Wisconsin get C’s. No state gets an A. Just 10 get B’s.
A few states have been preparing for the next assault. In New York (one of the states that earned a B) Gov. Andrew Cuomo is requesting $5 million for a multipronged election cybersecurity effort, and a number of officials elsewhere are emulating some of New York’s steps. Colorado and Rhode Island (also B-graded states) passed bills last year requiring postelection audits. Virginia (apparently trying to improve on its C grade) has switched to a statewide paper-ballot system. Alabama (another C state) now requires election officials to undergo cybersecurity training. At least 36 states have asked the Department of Homeland Security for help in assessing their voter registration systems.
This last measure is the result of a decision by the Obama administration, during its last month in office, to designate the American election system as a “critical infrastructure.” (Other critical infrastructures include the electrical power grid, the transportation network, banking and finance, water supplies and dams, and so forth.) Potentially, this is significant: Officials in sectors that receive this designation can receive intelligence briefings, flash warnings, and best-practice seminars on cyberthreats and cybersecurity.
However, the New York Times this week revealed that this program is spotty at best. Some state election officials have benefited from the briefings; others have found them too vague to be useful. The Times article didn’t say so, but many state officials simply didn’t want to take part, and nothing in the rulebook says they have to.
Richard Clarke, who served as the White House cybersecurity chief for Presidents Bill Clinton and George W. Bush, told me that many state officials disliked—and several resisted—Obama’s decision to designate the election process as critical infrastructure. They viewed the step as an unwelcome instance of “federal interference.”
The fact that elections are controlled by the states, and not by the federal government, is one reason for the lackluster adoption of basic security measures. As Bruce Schneier puts it, “The U.S. against Russia is a fair fight. Fifty separate states against Russia—that’s not a fair fight.”
Six U.S. senators—three Republicans and three Democrats—are sponsoring a bill they call the Secure Elections Act, which would set uniform cybersecurity standards for the election process nationwide and provide advice and assistance to states that request help. But even this act—which has been endorsed by several former senior intelligence officials—leaves it up to the states whether to comply with the standards.
However, a close reading of the Constitution reveals that the U.S. Congress has more power over the election process than the bill’s sponsors—or any other legislators on record—want to assume. Article 1, Section 4 reads:
The Times, Places and Manner of holding Elections for Senators and Representatives, shall be prescribed in each State by the Legislature thereof; but the Congress may at any time by Law make or alter such Regulations, except as to the Places of chusing [sic] Senators.
In other words, yes, the states regulate the “times, places and manner” of holding election, but Congress can pass a law to alter those regulations. The fact that the drafters made an explicit exception when it comes to the “Places” where senators are chosen suggests that the Congress can step in to set the law on the “Times” and “Manner” of holding elections. Long ago, Congress set a uniform time (the first Tuesday after the first Monday in November in even-numbered years). There is no reason why Congress could not also set the manner of holding elections—one “manner” being strict and mandatory cybersecurity standards and practices.
Congress, of course, should assert this prerogative for only very good reasons. How about staving off the interference of a hostile foreign power in our democratic process? It’s hard to imagine a better reason than that.