Russia’s intrusions were instructive. While it’s unclear just how many records they accessed or how deeply they’d compromised systems that could actually electoral outcomes, their probing illustrated how easily elections infrastructure is compromised—and also how officials might not have any idea just how compromised it already is. Using social engineering and phishing, they reached every level of the voting infrastructure, from the private vendors that create electronic ballots to state coordinators and local officials. And according to Bloomberg, the main reason intelligence officials know about that systematic attack was only because a contractor for the Illinois state board of elections noticed an unauthorized download of voter data.
So we found out about that attack, but might there be others? The splintered digital infrastructure across and within states; the use of multiple vendors; the overlapping interfaces between municipalities, counties, and states; and the reliance on of volunteers for data entry and verification in both registration and voting mean that there are literally thousands of entry points to compromise elections in each state.
Another case study is the state of Georgia, where organizations have filed lawsuits against the state over the security of its elections in advance of the special election in the 6th Congressional District. A June 14 Politico investigation revealed just how insecure the entire system is, and how much more insecure it was in the past. Last August, cybersecurity researcher Logan Lamb probed the Kennesaw State University’s Center for Election Systems—which programs voting machines for the entire state—and found a structure that basically begged to be hacked.
It had no password protection, and was available on a public site without encryption and lacking even basic security updates. Lamb found millions of registration records, credentials for the central elections server, files for the electronic ballot equipment, and database information for the Global Election Management Systems (GEMS) used by many states for preparing ballots and counting votes. In other words, with rather basic tools that fall well outside the realm of sophisticated “hacking,” as it is known, Lamb would have had a wide-open entry point to disrupting Georgia elections last fall, had he been a malicious actor.
Employees at the Kennesaw State Center for Election Systems have shored up the more obvious security flaws since Lamb notified them—setting off a statewide panic about a compromised vote in the process—but pressing structural issues exist, and are currently under review in court. Outside analyses have found the center’s private network to be carelessly maintained by non-technical staff, and have found some evidence that voting systems currently in place might have been accessible on the public internet. Since some elections equipment still uses older versions of Windows software that are completely vulnerable to modern malware, even a single mixup in public and private networks—and there appear to have been many possible mixups—could have thoroughly compromised every ballot in the state at any time since the national move to more comprehensive electronic voting in 2002.