The Facts About Election "Hacking" and a Plan to Counter the Threat

This morning, the Senate Intelligence Committee will hold a hearing on “Russian Interference in the 2016 Elections.” This comes in the context of recent revelations from former FBI Director James Comey, as well as multiple leaks and recent reports in The Intercept, Bloomberg, Politico, and McClatchy, alleging widespread hacking of election systems. Some of these reports have claimed, without much information to support the allegations, that “Russian hackers hit systems in 39 states.”

Meanwhile, the chair and ranking member of the Senate Intelligence Committee, Senators Burr and Warner, appear to be working cooperatively and constructively to assess this threat, in the best tradition of the Senate. As the Senate continues its important review of this attack on American democracy, it’s important that we review what the facts are (without hysteria or hyperbole) and what we can do to protect our system going forward.

FACT:    The threat is real. There is unanimity of opinion in the intelligence community that hackers working on behalf of the Russian government undertook a coordinated effort to undermine our election system. They appeared to have two goals: 1) to possibly tamper with the vote totals themselves, to favor their preferred candidate, and 2) to undermine Americans confidence and trust in their election system, and thus undermine our faith in our democracy itself. To their credit, few now deny that this threat is real, as more and more evidence accumulates and is made public. We now live in a world where foreign governments wage war on our country not with traditional weapons, but by attempting to undermine Americans’ faith in our democratic institutions.

FACT:    One state voter registration database was accessed, and another faced threat of access, but there’s no evidence that any other state’s voter database was accessed or compromised. It is confirmed that hackers accessed thousands of records in the Illinois state voter database, though it appears no data was altered. It is also confirmed that the Arizona state voter database had a possible breach, but it appears that the state shut down access to the database before any breach could occur. Those are the only two confirmed hacks of state voter databases we know of currently, and any suggestion to the contrary is not supported by the evidence currently available. We also know of possible access to voter data held by third parties in states like Florida and Georgia, but it’s important to note that in both cases, the official voter databases in those states remained secure. And even in those cases, there is no evidence currently linking the breach of systems run by election vendors like VR systems, to problems at the polls or with the election in places like Durham County, NC. Any suggestion to the contrary, as in the McClatchy piece, would appear to based purely on speculation.

FACT:    There is no evidence to support the idea that “39 states election systems were hacked.” The evidence supports the idea that many states had their systems “scanned” or “pinged” during the past election season, perhaps by the Russian government or others. But there’s a huge chasm between scanning or probing a system and actually getting inside. As discussed above, we have one confirmed breach of a state system, and one other possible breach. To date that is the extent of the evidence that exists.

FACT:    After almost a year’s worth of leaks, and after investigation by Congress and many others, there remains zero evidence that hackers affected the vote counts. Despite the hysteria, it appears that the decentralization of the American system, with thousands of separate election jurisdictions, all using different combinations of technologies, paired with auditable paper ballots cast by around three out every four American voters, was successful in preventing any hacking of the vote itself. As Senator Warner, who as ranking member of the Intelligence Committee is privy to far more intelligence on this issue than the media or the public, pointed out in a statement yesterday, he is “not aware of evidence that the 2016 voting process itself was subjected to manipulation….” Comey also confirmed that he saw “no indication … whatsoever” that ballots were altered in 2016. Similarly, researchers analyzed the votes in Michigan and Wisconsin and determined that “voting technology did not distort the votes in Wisconsin or Michigan…. If there was a hack, it appears not to have changed the results.”

FACT:    Nevertheless, the hackers were undoubtedly successful in their second goal, diminishing confidence in our system of democracy. As Democracy Fund reports, even several months ago, well over one-third of all American voters were significantly concerned about the integrity of our election machinery and the vote counts. The Russians didn’t need to be successful in altering the vote counts to achieve their goal – they just needed to sow the seeds of distrust among American voters. And they’re likely celebrating being successful beyond their wildest dreams. How could they have known that so many Americans would be complicit in their efforts, engaging in widespread speculation and rumor-mongering to encourage that distrust, rather than waiting for the facts. In doing so, many in the media and elsewhere have done the hackers’ work for them.

But the big question remains – where do we go from here? Here is a suggested plan of action:

1.       Re-dedicate ourselves to relying solely upon facts and evidence. Rampant speculation and rumor-mongering are not helping bring about a real solution.

2.       Election officials are not the problem, they are part of the solution. Those who charge election officials with incompetence, or worse, indifference to the threat, are not helping bring about a solution. In the McClatchy piece, for instance, there is an implication that election officials are oblivious to the problem or incapable of fixing it, and yet the reporters did not speak to a single election official for the piece to get their perspective. As Dean Logan, the registrar-recorder of Los Angeles County, California told me, “this article feeds into what has now become an age-old default into framing election integrity as a divide between academia/science/advocacy and election officials…. Framing this as an issue of deficiency in local and state election officials is not going to combat those dynamics and has a good chance of enhancing them.”

3.       Acknowledge that this threat is real, and that it’s not going away. While there is no evidence the 2016 vote was hacked, that doesn’t mean that Russia and others will not try to tamper with future elections. Most election officials are actively working to meet this threat, but it needs an even greater unity of response from the election community. We must collectively avoid the instinct to be defensive about existing protections, and instead commit ourselves to addressing this very real challenge.

4.       Stronger audits of process and ballots will be necessary. In previous posts, I’ve encouraged forensic audits of voter registration activity in 2016 and auditable ballot technology (mainly paper) followed by robust audits of those ballots. While this might not mean a one-size-fits-all system for every state, each state can benefit from looking at its technology and audit requirements to ensure that they can reach the one goal that matters – to confirm that the technology accurately reported the intent of the voters as they cast their ballots.

5.       Review of security protocols and training. Similarly, it would benefit all election offices to review who has access to sensitive systems and ensure proper training and security protocols are in place, like two factor authentication and other protections.

6.       Better two-way communication between federal law enforcement and the intelligence community, and state and local election officials. The professionals who administer elections in the states and counties have a legitimate concern that they are learning about threats from leaks and innuendo rather than from direct communication from federal sources who have knowledge of potential threats. I realize this tension is not always easy to resolve, but it is untenable for election officials to learn of legitimate threats through leaks to the media long after the fact, rather than have the opportunity to address the threats as they present themselves. While there is undoubtedly a lot of good-faith effort to engage between the feds and local election officials, there is obviously a lot of work we can do to improve that communication.

7.       Reinvest in election infrastructure. We cannot expect all these improvements to election technology, security, and procedures to come about without a significant investment. Around 25 percent of American voters rely upon paperless, unauditable systems, and replacing those systems could to cost hundreds of millions of dollars, and additional security and training will require funds as well. State and local election officials are already facing fiscal challenges, and this makes investing in new technology and systems an urgent priority. Whether funding comes from federal or state sources, or a combination, make no mistake, the necessary protections cannot be put in place without additional support.