WASHINGTON — When Chris Grayson pointed his web browser in the direction of Georgia’s elections system earlier this year, what he found there shocked him.
The Santa Monica, Calif., cybersecurity researcher effortlessly downloaded the confidential voter file of every registered Georgian. He hit upon unprotected folders with passwords, apparently for accessing voting machines. He found the off-the-shelf software patches used to keep the system secure, several of which Grayson said could be easily infected by a savvy teen hacker.
“It was like, holy smokes, this is all on the internet with no authentication?” Grayson said in an interview. “There were so many things wrong with this.”
American elections only recently seemed impenetrable: too many different systems, different jurisdictions and different machines – online and offline – to hack. But confidence in the system’s invulnerability is eroding after national security officials revealed that during the 2016 presidential race Russian hackers attempted to infiltrate elections systems in 21 states. Officials won’t identify which states, but say in some cases culprits got inside networks to look around.
Federal law enforcement officials say they are confident the vote count was not disrupted in 2016. But they worry about upcoming cycles.
“The cyber threat to elections in 2016 was significantly more severe than in previous years,” said Bob Kolasky, the acting deputy undersecretary for national protection at the Department of Homeland Security, which is trying to help states shore up their systems. “We anticipate going forward it will be a more significant threat than we’ve had in past.”
Among the most alarmed have been pedigreed computer security scholars, who warn that a well-timed hack of a vendor that serves multiple states could be enough to cause chaos even in systems that were thought to be walled off from one another. And they say security lapses like those in Georgia reveal the ease with which hackers can slip in.
The most shocking part about Georgia’s problems may have been that election officials were warned months before. A friend of Grayson’s named Logan Lamb had discovered the vulnerabilities prior to the 2016 presidential election and alerted the keepers of the system. They assured Lamb the problem was fixed.
It wasn’t. Soon after Grayson tapped in and alerted university officials that they still had a problem, the FBI was called to investigate. But its quick finding that the security lapses had not been exploited by malicious hackers was met skeptically by more than a dozen computer security scholars at institutions such as Yale, MIT, UC Berkeley, Brown, Princeton and the Lawrence Livermore Laboratory, who unsuccessfully urged Georgia to immediately sideline its voting machines and use paper ballots.
The vulnerabilities exposed have rattled Georgia. Rep. Hank Johnson, a long-serving Democrat in the Atlanta suburbs, says he now questions the results from an April congressional election in which Democrat Jon Ossoff fell just a few thousand votes short of winning the seat he would ultimately lose in a runoff. No evidence of tampering with vote tallies emerged in that election, but the computer scientists who wrote to Georgia officials, including the former White House deputy chief technology officer, had warned that the equipment was susceptible to stealth vote count corruption.
“It really makes me suspicious of the result that night,” said Johnson, who is pushing legislation that would force officials nationwide to shore up their elections security. “I’m sorry to have such a lack of trust in the result. But it is due to what I learned since that time about the vulnerability of Georgia’s system.”
Such discord and uncertainty is exactly what intelligence officials say operatives from Russia and other hostile nations are seeking as they target U.S. elections systems.
The possible scenarios for interference are unnerving. Worries range from cyber criminals changing vote counts – as they did successfully a few years ago in Ukraine – to a mass corruption of voter registration that could paralyze key precincts on Election Day.
Not all election officials are heeding the warnings. The Department of Homeland Security’s simple step in the waning days of the Obama administration of designating elections systems as “critical infrastructure” – entitling state and local officials to department help securing their systems and responding to potential attacks as they emerge – drew rebukes across the country.
Conservative elections chiefs warned of federal intrusion, arguing the best defense against cyber tampering is leaving intact the existing, decentralized patchwork of locally controlled elections that they insist is too diffuse for hackers to overtake. Now progressives have their own worries about the Trump administration, especially as a White House task force attempts to validate the president’s unfounded allegations that rampant voter fraud cost him the popular vote.
Particular concern is focused on voter registration. The databases appear to be the most vulnerable link in elections.
Copy the Story LinkSend questions/comments to the editors.
Success. Please wait for the page to reload. If the page does not reload within 5 seconds, please refresh the page.
Enter your email and password to access comments.
Hi, to comment on stories you must . This profile is in addition to your subscription and website login.
Already have a commenting profile? .
Invalid username/password.
Please check your email to confirm and complete your registration.
Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.
Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.