WASHINGTON — In a little-noticed episode in 2016, an unusual number of voters in Riverside, California, complained that they were turned away at the polls during the primary because their voter registration information had been changed.
The Riverside County district attorney, Mike Hestrin, investigated and determined that the voter records of dozens of people had been tampered with by hackers. Hestrin said this week that federal officials confirmed his suspicions in a private conversation, saying the details were classified.
Last year, a cybersecurity company found a software flaw in Riverside County’s voter registration lookup system, which it believes could have been the source of the breach. The cybersecurity company, RiskIQ, said it was similar to the vulnerability that appears to have allowed hackers — Russian military hackers, U.S. officials have told NBC News — to breach the voter rolls in two Florida counties in 2016.
RiskIQ analysts said they assess that a vulnerability may still exist in Riverside and elsewhere. The only way to know for sure would be to attempt a hack, something they are not authorized to do. The office of the Riverside County Registrar of Voters did not respond to requests for comment.
“I’m very concerned,” Hestrin said. “I think that our current system has numerous vulnerabilities.”
Officials of the FBI and the Department of Homeland Security have said repeatedly that they have not observed a significant effort by Russian state actors to target election infrastructure this year, and Homeland Security’s top cybersecurity official said this will be the “most protected, most secure” election in American history.
Despite government efforts, however, America’s patchwork of state and county election computer networks remains vulnerable to cyberattacks that could cause chaos on Election Day and undermine confidence in a balloting process that is already under significant strain, election security experts said.
“A lot of good stuff has been done,” said Gregory Touhill, the former chief information security officer and deputy assistant secretary of cybersecurity and communications for Homeland Security. “But let’s face it, we’ve got 54 states and territories, over 3,000 counties, tens of thousands of precincts. The risk landscape is pretty broad.”
U.S. intelligence officials have said disinformation is the main Russian threat this year, a difference from 2016, when Russian operatives augmented their social media efforts with a hacking campaign targeting voting systems in all 50 states.
Nonetheless, the government has taken the hacking threat seriously. Led by Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA, the Trump administration has made unprecedented strides to try to secure the 2020 vote, experts said, and the possibility that hackers could infiltrate voting machines and tamper with results on a large scale appears remote.
A symbol of the Homeland Security effort is an intrusion detection system known as “Albert sensors,” which are part of the agency’s “Einstein program,” designed to protect federal government networks against malicious software.
But the fragmented nature of America’s election system, in which balloting is often run at the county government level, presents a vast array of what the experts call “attack surfaces” that remain unprotected. Many state and local election-related websites are not covered by the Albert sensors, experts say.
Another vulnerability is third-party vendors, such as VR Systems, a company the Russians hacked in 2016 to gain access in Florida, according to government documents. VR Systems has disputed that its network was breached.
Even systems protected by Homeland Security’s malware detection are not immune. Last week, CISA disclosed that a federal agency’s network had been breached by an attacker that used sophisticated malware to fool the agency’s cyber defenses, infiltrate the network and steal data. In an unusual move, CISA did not say which agency was hacked or what was taken, and it did not explain the secrecy.
RiskIQ specializes in mapping the internet and identifying hidden weak spots in networks. The company examined how local election systems might defend themselves from distributed denial of service attacks, or DDoS attacks, when hackers use bots and other techniques to overwhelm servers and cause websites to crash. That is what happened on Election Night in May 2018 in Knox County, Tennessee, officials there said. The attack took down the Knox County Election Commission site displaying results of the county mayoral primary.
RiskIQ researched state and local internet-exposed election infrastructures and found that many did not employ DDoS protections, even though free DDoS services are offered by large service providers, such as Google, Cloudflare and Akamai.
Internet service providers, or ISPs, are the last line of defense against a DDoS attack for many systems. But TAG Cyber CEO Ed Amoroso, a former top information technology official at AT&T, said DDoS attacks against multiple election results sites could overwhelm the ability of ISPs to mitigate them.
“If it goes beyond a handful, then the ISPs wouldn’t be able to handle it,” he said. “We’re teetering on the edge of a really serious problem.”
Amoroso said the way ISPs deal with DDoS attacks — by diverting internet traffic and filtering out requests by bots — could be misinterpreted in the election context and portrayed as something sinister.
“People might say, ‘Wait a second, you’re diverting election results to a secret room run by Verizon?'” he said.
A related threat, experts said, comes from ransomware attacks. Last year, the U.S. was hit by what the cybersecurity company Emsisoft called “an unprecedented and unrelenting barrage of ransomware attacks that impacted at least 966 government agencies, educational establishments and healthcare providers.”
The attacks shut down government systems, and the fear is that if they are aimed at election offices, they could cripple Election Night reporting or other components that typically are part of a smoothly functioning election.
Last week, Tyler Technologies, a Texas company that sells software to state and local governments, said it had been hit by a ransomware attack, but it declined to provide details.
The company said that it had learned of “several suspicious logins to client systems” and that it was working with the FBI.
Acknowledging the risks, the FBI issued a public warning last week that “foreign actors and cybercriminals could create new websites, change existing websites, and create or share corresponding social media content to spread false information in an attempt to discredit the electoral process and undermine confidence in U.S. democratic institutions.”
A recent report by the Senate Intelligence Committee said: “In 2016, cybersecurity for electoral infrastructure at the state and local level was sorely lacking; for example, voter registration databases were not as secure as they could have been. Aging voting equipment, particularly voting machines that had no paper record of votes, were vulnerable to exploitation by a committed adversary.”
It added: “Despite the focus on this issue since 2016, some of these vulnerabilities remain.”