The Fix

Russia hacked vital election infrastructure before the election. Did they rig the vote?

Some time within the week of November 3, 2016, the FBI held a hastily convened conference call with Florida’s 67 county election supervisors who operate a specific type of election voting system. They had sobering news for the officials: Russia had successfully hacked the vendor of Florida’s electronic voting machines. The FBI and Homeland Security were so concerned, a second call was organized with Florida state officials to share information on the cyber threat

The Russian hack of a voting machine manufacturer came amidst a frenzy of activity by Kremlin hackers who had successfully gained access to the State Voters Rolls in Arizona and Illinois. What gave investigators pause, however, was the fact that the Florida hack had a different target. It wasn’t just collecting voter identities; it was aimed at the manufacturers of the voting machines across the state.

Almost 20 percent of Americans vote on digital systems that don’t produce a paper trail. This includes several states such as New Jersey, Georgia, Louisiana, and South Carolina as well as several jurisdictions in swing or battleground states like Wisconsin, Florida, Pennsylvania, Texas, and Indiana. Many of the machines are more than 10 years old and contain software no longer maintained by its manufacturers – we’re talking Microsoft XP or older – and are not updated with the latest security patches. James Scott, a senior fellow at the Institute of Critical Infrastructure Technology,  posed a rhetorical question in an interview with NPR:

“With the kind of stealth and sophistication that’s already out there, why wouldn’t a nation-state, cyber-criminal gang or activist group go into election systems that are completely vulnerable?”

Tampering with an electronic voting booth is fairly simple. According to a study by the Vulnerability Assessment Team at Argonne National Laboratory in 2012, voting machines can be hacked with just $10.50 in parts and an 8th grade science education. All you’d have to do is unlock or pick the lock, switch out the memory card, and reboot the machine. This was ably demonstrated by Andrew Appel, a Princeton professor in a 2014 YouTube video. Once in place, the hacked machine could count a completely different vote than the one intended by the voter. Most polling stations are in gyms or schools and machines are set up well before voting day so it’s not impossible to gain access to them. Also, every machine needs to be reset before every poll so they have to be opened by someone.

This kind of invasion would require a carefully coordinated attack on thousands, or at least hundreds, of voting machines. Of course you could reprogram the machines in each state at once, if you gained access to the source codes for the machines allowing you to reprogram all the memory cards at once.

According to Salon:

Voting machine companies and election officials have long sought to protect source code and the memory cards that store ballot programming and election results for each machine as a way to guard against potential outside manipulation of election results.

But a determined hacker could gain access to those source codes by hacking the manufacturer’s mainframe, as Russia is suspected of doing. They could theoretically access the codes, change them, and resave them without anyone actually knowing.

And that’s not the only weak spot. Experts warn that the entire ecosystem is vulnerable. For example, once votes are cast, the data is transferred into a database for immediate counting. The tabulation equipment is also dated and doesn’t have the basic security like encryption or strong passwords, so if you didn’t rig the vote in the actual machines, you could do it at the counting point.

To be clear, the FBI only knows there were hacks of Russian origin of the voting machine manufacturer server, and hacks of state voters rolls in at least two states but no actual manipulation of data voting machines. There are clues, however, that something went awry on voting day. Data analysts have been poring over the election results and they are finding some serious head-scratchers.

Take Wisconsin, for example. President Donald J. Trump won the state by a mere 3,000 votes, but statistical analysis of the result showed Hillary Clinton received 7 percent fewer votes in counties that voted on electronic-voting machines.

There are other discrepancies, too. Exit polls, normally reliable predictors of actual poll outcomes, seemed way off compared to actual results last year. Shortly after the election, the National Association of Voting Officials, a group of polling experts, sent a letter to election officials across the country:

“Our examination of the exit data collected by Edison Exit Polling shows a large number and unprecedented discrepancy between the exit polling and the final vote count at minimum in certain states – the so-called swing states of Wisconsin, North Carolina, Pennsylvania and Florida. It strongly suggests inappropriate and external meddling of our nation’s most sacred act – the act of its citizens voting.” 

NAVO points to the following:

The hacking of the most recent software updates that are applied to the machines before the election.

Modifying the running code in the machine via wireless technology.

Physically hacking the machines while voting.

And…

Modifying the tallying software local to the precinct or the database at the election center.

The NAVO analysis of exit polls vs. actual results (the full letter can be read here: 2016-election-not-democratic) points to the same vulnerabilities I’ve detailed above. There’s also anecdotal evidence of votes being counted incorrectly on voting day. In Florida, for example, there were widespread examples of voting machine malfunctions, as Ruben Major points out in his blog:

On November 7, 2017 at 3:39PM, during early voting, a report came into the U.S. Department of Justice Voting Section stating that there was a “paper trail showing Donald Trump” when the voter selected Hillary Clinton.  

The election results have been widely accepted as fair since the election, except by the current administration (for different reasons… I’ll go into in another post). But now we’ve seen a pattern of an extraordinary efforts by Kremlin officials to meet with Trump’s key advisors, discussing top-secret information with them, attempts to set up secret back-channel communications with Moscow, the firing of FBI Director James Comey who was in charge of the Trump-Russia investigation, unexplained Trump server connections with a Russian bank, and an extraordinary fake news operation, it’s becoming harder to gloss over the hacks of voter registration rolls and equipment manufacturers.

We may never know what happened in Florida, Wisconsin, or Pennsylvania to deliver the anomalies in counties that used electronic voting machines or between exit and actual polling results, because the machines don’t leave a paper trail. The FBI is still actively investigating Russia’s hacks of voters rolls and voting machines and, considering the context of the unprecedented effort by Russia to undermine the US democracy, investigators cannot be letting any of this go.