When Chris Grayson pointed his Web browser in the direction of Georgia's elections system earlier this year, what he found there shocked him.
The Santa Monica cybersecurity researcher effortlessly downloaded the confidential voter file of every registered Georgian. He hit upon unprotected folders with passwords, apparently for accessing voting machines. He found the off-the-shelf software patches used to keep the system secure, several of which Grayson said could be easily infected by a savvy 15-year-old hacker.
"It was like, holy smokes, this is all on the Internet with no authentication?" Grayson said in an interview. "There were so many things wrong with this."
American elections only recently seemed impenetrable: too many different systems, different jurisdictions and different machines — online and offline — to hack. But confidence in the system's invulnerability is eroding after national security officials revealed that during the 2016 presidential race Russian hackers attempted to infiltrate elections systems in 21 states. Officials won't identify which states, but say in some cases culprits got inside networks to look around.
Federal law enforcement officials say they are confident the vote count was not disrupted in 2016. But they worry about upcoming cycles.
"The cyber threat to elections in 2016 was significantly more severe than in previous years," said Bob Kolasky, the acting deputy undersecretary for national protection at the Department of Homeland Security, which is trying to help states shore up their systems. "We anticipate going forward it will be a more significant threat than we've had in past."
Among the most alarmed have been pedigreed computer security scholars, who warn that a well-timed hack of a vendor that serves multiple states could be enough to cause chaos even in systems that were thought to be walled off from one another. And they say security lapses like those in Georgia reveal the ease with which hackers can slip in.
The most shocking part about Georgia's problems may have been that election officials were warned months before. A friend of Grayson's named Logan Lamb had discovered the vulnerabilities prior to the 2016 presidential election and alerted the keepers of the system. They assured Lamb the problem was fixed.
It wasn’t. Soon after Grayson tapped in and alerted university officials that they still had a problem, the FBI was called to investigate. But its quick finding that the security lapses had not been exploited by malicious hackers was met skeptically by more than a dozen computer security scholars at institutions such as Yale, MIT, UC Berkeley,
The vulnerabilities exposed have rattled Georgia. Rep.
"It really makes me suspicious of the result that night," said Johnson, who is pushing legislation that would force officials nationwide to shore up their elections security. "I'm sorry to have such a lack of trust in the result. But it is due to what I learned since that time about the vulnerability of Georgia's system."
Such discord and uncertainty is exactly what intelligence officials say operatives from Russia and other hostile nations are seeking as they target U.S. elections systems.
The possible scenarios for interference are unnerving. Worries range from cyber criminals changing vote counts – as they did successfully a few years ago in Ukraine – to a mass corruption of voter registration that could paralyze key precincts on election day.
Not all election officials are heeding the warnings. The Department of Homeland Security's simple step in the waning days of the Obama administration of designating elections systems as "critical infrastructure" — entitling state and local officials to department help securing their systems and responding to potential attacks as they emerge — drew rebukes across the country.
Conservative elections chiefs warned of federal intrusion, arguing the best defense against cyber tampering is leaving intact the existing, decentralized patchwork of locally controlled elections that they insist is too diffuse for hackers to overtake. Now progressives have their own worries about the
The National Assn. of Secretaries of State pilloried the federal help in an official resolution that declared DHS "has no authority to interfere with elections, even in the name of national security."
Georgia Secretary of State Brian Kemp, a Republican, went further. He accused the Obama administration of trying to hack into the state's system in mid-November. An independent investigation by the department's inspector general found this month that no such hacking took place.
More than 40 states use voting systems that are over a decade old. The vulnerabilities of the dated equipment are chilling, according to J. Alex Halderman, director of the Center for Computer Security and Society at the University of Michigan.
"As a technical matter, it is certainly possible votes could be changed and an election outcome in a close election could be flipped," he said, explaining that even voting equipment disconnected from the Internet can be corrupted by compromised software that is ultimately distributed to elections officials online. "The technical ability is there and we wouldn't be able to catch it. The state of technical defense is very primitive in our election system now."
Halderman said he accepts the findings of U.S. intelligence agencies that such tampering did not alter vote counts from the last presidential election. But he warned that during it, hackers planted a lot of seeds to make future disruptions.
Red flags are going up around the country, even as secretaries of state try to assure an increasingly concerned electorate that they have things under control. Particular concern is focused right now on voter registration. The databases appear to be the most vulnerable link in elections and erasing tens of thousands of voters from the rolls on election day would be a surefire way to create a chaos scenario.
Hackers are already aggressively probing ways in. Both Illinois and Arizona shut down their voter registration systems for a week last summer after they were penetrated. Just before the presidential election, hackers showed they could break into VR Systems, a Florida company that election officials in eight states, including California, rely on to keep track of who is eligible to cast a ballot on election day. The hackers used a "phishing" probe to trick at least one employee into revealing their login information to access the company system, according to a National Security Agency document leaked to the Intercept, a media outlet. Once inside, the hackers were able to present themselves online as employees of the firm and send unsuspecting local elections officials malware masquerading as legitimate company software.
Company officials said in a statement that no hacker emails targeting local officials were opened.
It was cold comfort to security experts.
"Our elections systems are more connected than they seem," said Halderman, warning that hackers who find their way into the network of a poorly secured elections board through such phishing schemes could unleash malware with potential to corrupt not just registration files but even voting machines. "VR Systems had customers across a number of states that could be targeted or breached by them being breached. They send software updates, have contact info. The way a remote attacker operates is by following those chains of interconnections. … People are saying we have 50 different states, lots of local election officials in different offices running separate systems, so how could someone possibly do a widespread attack? This is exactly how."
In the aftermath of the VR Systems incident, elections officials in Kentucky have told vendors looking to bid on a big voter registration contract there that under no circumstances can the voter logs that poll workers use on election day be connected to the state's main voter registration database online.
Other states are taking precautions. Gov. Jerry Brown signed a new law requiring the state to alert voters when their registration has been changed after the Riverside County District Attorney's Office heard of about three dozen voters who said they were either removed from the voting rolls or had their party changed without consent, which Dist. Atty. Mike Hestrin attributes to hacking.
"This was a wake-up call," Hestrin said.Some California counties have also joined Colorado and New Mexico in conducting robust audits of paper backup ballots to ensure they match the digital vote results, which many computer security experts advocate as the best defense against election hacking. Vendors of voting machines were chastened over the weekend after the DefCon hacking conference in Las Vegas highlighted how programmers can penetrate the machines in as little as 90 minutes if left in the same room with them. Some found passwords for the administrative functions of the equipment on Google.
Not everyone in Washington is alarmed. The group many computer security experts say is best equipped to develop national protocols and help elections officials find and address their vulnerabilities is the bipartisan Elections Assistance Commission. But the group has been targeted for elimination by the White House and Republicans in Congress.
That confounds Dan Wallach, a computer security scholar at Rice University who recently testified in Congress about election system vulnerabilities and who says a strong EAC is vital to national security, particularly as vulnerabilities in voter registration systems emerge.
"The systems we are using today to manage voter registration were never built with this kind of a threat in mind," Wallach said in an interview. "If I can destroy voting registration data, it does not matter how good the rest of your system is. You will have lines and a giant mess when people turn up to vote."
Follow me: @evanhalper