When it comes to election cybersecurity, decentralized system is viewed as both blessing and curse
Different jurisdictions each manage their elections a little bit differently.
Washington state’s top election official says she first learned that Russians might have attempted to hack her state’s election systems on the news.
Secretary of State Kim Wyman's staff had noticed suspicious cyber activity on her department’s servers in 2016, but she says the Department of Homeland Security never alerted them to a cyber threat from foreign actors.
When DHS Assistant Secretary Jeanette Manfra testified before Congress in June 2017 that voter-registration databases in 21 states had been targeted, Wyman reached out to the department for more information – and came up empty.
“I asked which states,” Wyman said, “and initially, they said they couldn’t tell us because we didn’t have security clearances.”
Only months later, in September, when the DHS reached out to election officials in those 21 states, did she learn that Washington had been among them.
Wyman and top election officials in other states say cybersecurity coordination has improved, but with elections overseen by about 10,000 different voting jurisdictions across the 50 states, according to the National Council of State Legislatures, it’s inevitable that different jurisdictions each manage their elections a little bit differently.
Election security experts, however, say the decentralized system makes it harder not only for officials trying to protect the U.S. election from hackers but also for hackers trying to penetrate those protections.
“You’ve got a ton of different systems that work in different ways … and that complexity fundamentally makes it more challenging to use a single vulnerability or chain of vulnerabilities to exploit a large number of systems simultaneously,” Steve Povolny, head of advanced threat research at McAfee, told ABC News. “There’s some comfort in the complexity, but as far as if there was a nation state, or a very determined group, trying to compromise this system, I think it ends up playing more into their favor than against them.”
Concerns about election hacking span a range of potential threats. They include hacking of voting machines and electronic pollbooks - tablet devices that allow poll workers to check in voters at polling places, instead of using paper lists of who’s registered to vote there - which officials insist are not connected to the Internet) and the computers that program them; closed networks that transmit results from counties to states; and state and county websites themselves, which display results on election night.
But election mechanics vary from state to state and from county to country, making cybersecurity difficult to assess. States can steer counties toward best practices—like using two-factor authentication to log into state voter registration systems—but with upwards of 100 counties in some states, those standards are difficult to enforce.
In Pennsylvania, for example, 67 counties use 10 different kinds of voting machines. Experts have voiced concerns about how those machines are programmed, suggesting that computers used to set the ballots could be infected with malware, corrupting votes on a large scale.
In Tennessee, one of the largest counties – Knoxville – programs voting machines itself. But across the state in Lake County, election officials receive pre-programmed memory cards from the company that manufactures its machines.
In Wisconsin, municipalities are required to program voting machines with computers isolated from the Internet – one of the recommendations cybersecurity experts have prioritized – but acknowledge that they have no way of knowing whether that mandate is being followed.
“Do we actually have people who physically go out and check those things?” Wisconsin Election Commission spokesman Reid Magney told ABC News. “No, we don’t have the resources for that.”
And yet, the disjointed nature of American elections theoretically also makes votes tougher to hack. For a hacker to manipulate elections on a large scale, he or she would have to access an array of systems – all of them different. And that’s harder than hacking one, centralized system.
“I love that we have a decentralized election system,” Sen. Amy Klobuchar, a Minnesota Democrat, told an election-readiness summit this month. “I think that’s one of our protections—that we don’t have everything the same in every single state.”
With a patchwork of voting machines, state registration databases, and counties that do or do not use electronic pollbooks – provided and serviced by different vendors – hacking opportunities are widespread, but they’re also limited in scope.
“The Russians were probably surprised in 2016 about the decentralized nature of the American electoral system, and that helped a lot, you know,” said James Lewis, senior vice president of the Center for Strategic and International Studies, on a recent conference call with reporters. “It’s hard to hack thousands of different systems.”
To attack a U.S. election, hackers would have to target U.S. elections in a more nuanced way, one that would require in-depth knowledge of voting districts and key counties. Federal and state officials are on the lookout for such attempts and have put in place systems to share threat information across states and counties.
“What we’re looking for now is a more sophisticated approach would target some key electoral districts, either for House or Senate races,” Lewis said. “We haven’t seen that.”
Correction: This story has been updated to correct the description of DHS Assistant Secretary Jeanette Manfra's June 2017 testimony. Manfra did not name any individual states at that time. Washington Secretary of State Kim Wyman learned of the attempt to probe systems in her state later.