A top Department of Homeland Security official said on Tuesday that while it would be difficult for hackers to meaningfully change vote totals in the upcoming elections, they could attack more vulnerable voter registration files, which an expert said could sow “chaos” on Election Day.
"Our assessment is that it would be exceedingly complex to change vote totals, and that in trying to attempt to do so [it’s] likely that something would be noticed," DHS’s National Risk Management Center Director Robert Kolasky said in a Senate hearing. “Voter registration files we’ve assessed as more of a vulnerability than the actual vote count process.”
Though cybersecurity researchers have long sounded the alarm about potential vulnerabilities in the voting machines themselves, Kolasky said one reason the machines are less vulnerable to cyberattacks is that physical security around them has been “greatly enhanced subsequent to the 2016 election.” The machines are not typically connected to the internet.
Lawrence Norden, Deputy Director of the Brennan Center’s Democracy Program, told ABC News that the government’s worry over voter registration is well-founded because a breach could not only lead to the pilfering of personal information about voters, but could also alter the voting tallies indirectly by depressing turnout at voting stations.
For instance, hackers could potentially alter voter rolls, so when an individual tries to vote, the files could show he or she doesn’t live in that district, has already voted, or isn’t registered to vote at all. Voter rolls, as opposed to voting machines, Norden said, are more likely to be connected to the internet or other networks and are therefore more vulnerable to remote exploits.
“That’s a big concern,” he said. “There could be chaos at the polls, they’re not finding people’s names, there are long lines and people just go home.”
And foreign hackers have already shown an interest in registration rolls. In the July indictment of 12 purported Russian intelligence officers, Special Counsel Robert Mueller’s team alleged that they “hacked into the computers of a U.S. vendor […] that supplied software used to verify voter registration information” and separately stole information from approximately 500,000 voters.
In February another DHS official told NBC News that as many as 21 state registration rolls had been targeted by the Russians ahead of the 2016 election and “an exceptionally small number” were successfully penetrated. A Senate report released in May said there was no evidence any information or votes had been changed.
Since the 2016 election, state officials in charge of vote tallies and voter registration have raced to beef up their cybersecurity practices. A report published Tuesday from the Election Assistance Commission said that of the $380 million in grants made available in the Help America Vote Act, nearly 14 percent – about $52 million – will be spent by 29 states specifically on “improv[ing] voter registration systems.”
Some of the cybersecurity upgrades won’t be made until after the midterm elections, but in a recent publication for the Brennan Center, Norden and his coauthors said there are several “last-minute” steps states can still take to help ensure any problems with the registration rolls are mitigated, like periodic integrity testing, keeping backup files offline and establishing a 60-day “blackout window” for all non-critical updates.
Kolasky’s comments to lawmakers came just hours after Microsoft accused hackers linked to Russian intelligence of running websites that appeared designed to steal information by impersonating websites for the Senate and two conservative-leaning think tanks. The Russian government reportedly denied the allegations.
During the hearing Tuesday, Sen. Lindsey Graham (R-S.C.) referenced the Microsoft announcement and asked the officials testifying if the U.S. had done enough to deter Russian aggression in cyberspace since the 2016 election. Michael Moss, a top cyber official at the Office of the Director of National Intelligence, had a simple answer.
“Their cyber activities continue unabated,” he said.