With 23 days until Election Day, state and local election officials, as well as the FBI and the Department of Homeland Security, are on their highest-ever level of alert for hackers trying to meddle with the vote.
But it’s not vote rigging or the takeover of electronic voting booths that has officials most concerned. There is no master switch that hackers could use to turn off voting systems in every state. And even in states that use electronic voting booths, paper backups could help combat any malicious tampering with the final count.
Rather, officials are more concerned by the discovery in recent weeks that hackers, including ones believed to be working for the Russian government, are trying to access voter registration files, perhaps to alter or delete them, in more than 20 states. Every state is required to keep a centralized—and computerized—master list of who is eligible to vote. If the state cannot verify that someone really is registered, his vote might not count.
"The real concern is not that your vote will be hacked, which is harder to do, it’s that your voter registration files may be hacked, and as a result, you will be deprived the right to vote,” David Heyman, a former assistant secretary at the Department of Homeland Security, told The Daily Beast.
Registration files are the soft underbelly of election security. On their face, the files themselves may not appear especially valuable. Many states actually make parts of their voter files public. Typically, they contain names and addresses, but sometimes also driver’s license and Social Security numbers, which states are supposed to keep separate from any files that are open to the public.
But tampering with those files—say by deleting names from the voter rolls, or changing addresses so that voters suddenly become ineligible to vote in a particular precinct—could wreak havoc with elections, leading to long lines at polling places or rumors that vote counts were also being manipulated.
The emphasis, election experts say, should be on the word “could.” There’s never been an attack on voter registration files that swayed a national election.
But there’s a contagion effect at play this year, particularly because of Republican nominee Donald Trump’s repeated insistence that the election system is “rigged,” and that the only way he would lose in certain swing states is if someone tampered with the vote. In that environment, word of hackers even attempting to get access to voter files could undermine some people’s already shaky confidence in the election's legitimacy and give powerful ammunition to those who would question its results.
That’s one reason why 33 states and 11 county or local governments have asked Homeland Security to help scan their election systems for security weaknesses and signs of suspicious activity—like whether they’ve already been hacked. That’s the largest number of states that have ever asked for computer security assistance around an election, and it reflects both the significance of the threat as well as the extent of nation-wide preparations. Usually federal officials tend to keep quiet about their cyber security operations, but this time, they’re advertising them.
“We've been out there saying to state election officials, if you need help just ask us for it,” Homeland Security Secretary Jeh Johnson testified to Congress last month.
This unprecedented focus on election security was prompted both by a suspected Russian campaign to hack emails and documents from U.S. political organizations, as well as the news that, last summer, election systems were compromised by hackers in Arizona and Illinois, where the perpetrators are believed to have absconded with files on 200,000 voters.
“When you suddenly had two states with reports of registration breaches, regardless of the effect or the impact, which appear to have been minor, it gave everybody a sense that this isn’t necessarily theoretical anymore,” Pam Smith, the president of Verified Voting, a nonprofit group that advocates transparency and security in U.S. elections, told The Daily Beast.
With that in mind, elections experts laid out a number of scenarios for how Russia or any other malicious actor might disrupt the vote in November, and what governments would do in response.
Hackers Delete Voters’ Names
Purely from a computer security standpoint, this is the worst case scenario. In theory, if hackers gained entry to and control over voter registration files, they could strike names from the master list, effectively rendering those voters ineligible.
First, the intruders would have to get into the system. One way to do that could be via websites that states have set up that allow voters to register or check their status. In Illinois, it appears that hackers used this public-facing registration portal to enter the voter files connected to it.
Congress inadvertently helped create this vulnerability when it passed the Help America Vote Act after the 2000 Florida recount debacle. The law requires every state to have a single “interactive computerized” list of every registered voter in the state. There’s no requirement that such a list be accessible via the Internet, but if they are, either directly or via registration portals, they’re at risk.
The number of potential access points has proliferated. Today, 32 states and the District of Columbia allow online registration; in 2008, only two states did, Arizona and Washington. Elections experts said there is no authoritative count of which of these states’ voter registration files are accessible via the Internet, either directly or through registration portals.
But there’s a contingency plan if the worst should happen. States make backup records of the voter registration file, sometimes at the end of every workday. Even if hackers deleted the files, states could revert to the last backup to check if someone is eligible to vote.
“Most states I’ve talked to take nightly backups of that data,” David Becker, the Executive Director of the Center for Election Innovation and Research, a nonprofit research center that works to improve the administration of elections in the United States, told The Daily Beast. “And whatever the backup media is, it’s not connected to the Internet. It’s on a removable hard drive, for instance.”
Ballots Aren’t Counted on Election Day
If a voter shows up at his polling place to find that he’s not listed as eligible, he can still vote. Federal law requires that so-called provisional ballots be issued to any voter who believes he’s eligible. Experts advise checking before Election Day whether the state has a voter’s correct information. But in the event something goes wrong, demand the provisional ballot, they say.
But beware: That ballot might not be counted right away. States use different procedures, and different schedules, for adjudicating which provisional ballots really do belong to eligible voters. So, a voter may still be able to cast a ballot, but “it could mean a lot more work for you and the election official to get those provisional ballots adjudicated correctly,” Smith said. “It could be disruptive in a really bad way for voters if they had to jump through hoops unnecessarily.”
Voters might also not be allowed to vote for every race on the ballot. If someone shows up to vote in what she thinks is her home precinct, for example, but her registration file shows she lives somewhere else, she might be permitted only to vote for top-of-the-ticket races like president and senator, but not for her local candidates.
And hackers who alter addresses could cause problems for absentee and early voters. Some states have already begun the early voting process by mail, and ballots are now being sent to military and government personnel living abroad.
“If someone changed the address [in a voter file], a ballot could go astray, and you might not realize it until it’s too late and can’t get another one,” Smith said.
But here, too, there’s a defense mechanism built in. If an unusual number of voters report that they haven’t received their expected ballots, that will signal to elections officials that something is amiss, Becker said. “We’d discover it before Election Day and be able to come up with contingencies.”
Similarly, if officials note an unusual number of provisional ballots being issued on Election Day, “That’d be the red flag that something happened,” Becker said. In that case, officials would go to the backup files.
Long Lines Form at Polling Places
But fielding reports of irregularities and checking back ups takes time. And people already in a hurry to vote might lose patience. Thus, hacking voter registration files produces “the possibility of a snowball effect,” said Heyman, the former Homeland Security official. “Once something like this is reported and lines begin to form, and rumors begin to spread, it may lead to a form of voter suppression as busy, frustrated voters may simply choose to not even attempt to go to the polls.”
If there are backups at the polls, elections officials would move quickly to distribute correct copies of the voter registration files to polling places, Becker said. And if poll workers can verify a voter’s status, he can avoid casting a provisional ballot.
“This might lead to longer lines” as officials sort things out, Becker said. “A little more delay in the process. Hopefully not chaos.”
Rumors Spread That the Vote Count is Being Rigged
Of course, if those rumors spread that more than just voter files have been hacked, or people are being turned away at polling places, officials would have the added challenge of trying to separate fact from fiction. The hackers would have every motivation to persuade voters that isolated problems are actually widespread, or that elections officials were working on behalf of a particular candidate. In the frenzy of Election Day, it’s not clear how state election officials would combat an active “disinformation campaign” that spreads through social media.
Indeed, it may have already begun. Last Tuesday, a hacker going by the name Guccifer 2.0—a suspected front for the Russian government—leaked documents purporting to come from the Clinton Foundation but that were actually pieced together from other sources and, in some cases, apparently doctored to make it seem that the foundation was engaging in pay-for-play schemes. Trump, who calls his rival “crooked Hillary,” has alleged that she has a record of corrupt practices that would mar her presidency.
Dispelling online propaganda is an exceptionally difficult and sometimes futile task, which is another reason security experts say they're moving fast to stop a problem from ever arising.
Asked why this particular election has been the focus of so much attention by hackers, Becker said it was “a natural evolution of seeing more and more of our government data being held online.” Hackers may have been insatiably drawn to the prospect of meddling in the election regardless of who is running.
“Nobody's being blasé about this,” Smith said. “The election officials I’ve spoken to are taking extra steps,” Smith said, to ensure that there are backups in place and that everyone involved in the election process is watching out for security vulnerabilities and suspicious activity.
“2016 will probably be the most secure election from a digital perspective that we’ve seen,” Becker said.