Well, shit, I can’t leave town for a few days without all hell breaking loose (I suppose I’ll have to console myself with memories of having sazerac at Arnaud’s…). Anyway, The Intercept is reporting that there’s an NSA report claiming Russian government officials hacked U.S. voting companies. Some thoughts:
- If this turns out to be true, this blows the lid off of the Russian investigations. It wouldn’t be about propaganda anymore, which, to a considerable extent, has an effect because people dupe themselves. This would be different in kind.
- That The Intercept’s own reporting undermines Glenn Greenwald’s argument that there’s nothing to the Russian connection is… interesting.
- Lots of people have claimed that the voting system is too distributed to be widely hacked. That is, it’s possible to hack a local race, but not a presidential election. But the voting companies are widely distributed and they can be and have been hacked:
VR Systems doesn’t sell the actual touchscreen machines used to cast a vote, but rather the software and devices that verify and catalogue who’s permitted to vote when they show up on Election Day or for early voting. Companies like VR are “very important” because “a functioning registration system is central to American elections,” explained Lawrence Norden, deputy director of the Brennan Center for Justice at the NYU School of Law. Vendors like VR are also particularly sensitive, according to Norden, because local election offices “are often unlikely to have many or even any IT staff,” meaning “a vendor like this will also provide most of the IT assistance, including the work related to programming and cyber security”—not the kind of people you want unwittingly compromised by a hostile nation state….
Mark Graff, a digital security consultant and former chief cybersecurity officer at Lawrence Livermore National Lab, described such a hypothetical tactic as “effectively a denial of service attack” against would-be voters. But a more worrying prospect, according to Graff, is that hackers would target a company like VR Systems to get closer to the actual tabulation of the vote. An attempt to directly break into or alter the actual voting machines would be more conspicuous and considerably riskier than compromising an adjacent, less visible part of the voting system, like voter registration databases, in the hope that one is networked to the other. Sure enough, VR Systems advertises the fact that its EViD computer polling station equipment line is connected to the internet, and that on Election Day “a voter’s voting history is transmitted immediately to the county database” on a continuous basis. A computer attack can thus spread quickly and invisibly through networked components of a system like germs through a handshake.
Gulp. I told you these claims of very little interconnectedness were overblown.
- That said, this is the more likely avenue of chicanery:
Pamela Smith, president of election integrity watchdog Verified Voting, agreed that even if VR Systems doesn’t facilitate the actual casting of votes, it could make an alluring target for anyone hoping to disrupt the vote.
“If someone has access to a state voter database, they can take malicious action by modifying or removing information,” she said. “This could affect whether someone has the ability to cast a regular ballot, or be required to cast a ‘provisional’ ballot — which would mean it has to be checked for their eligibility before it is included in the vote, and it may mean the voter has to jump through certain hoops such as proving their information to the election official before their eligibility is affirmed.”
Republicans in ‘voter fraud’ states look for things like this. Certain common last names, which happen to be associated with likely Democratic voters, are screened for discrepancies, such as the absence or presence of a middle initial, or “Jr.” or “Sr.”, and then essentially purged from voter rolls*. If you hacked in and started messing about with voter initials and so on with these same names, you could accomplish the same thing. My guess is that these companies aren’t doing much in the way of confirming the integrity of the voting rolls (i.e., ensuring that there is no data corruption).
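What an integrity check on the rolls could look like, as an added example (not from the original post or from any vendor's software): a trusted snapshot is sealed with per-record HMACs, and a later audit flags removed records and edits to name parts, tallied by surname. The field names, the key handling and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

NAME_FIELDS = ("first", "middle", "last", "suffix")  # assumed column names

def norm(rec, field):
    return rec.get(field, "").strip().upper()

def record_mac(key, rec):
    """Keyed tag over voter ID and name parts; any edit to them changes it."""
    msg = "\x1f".join([rec["voter_id"]] + [norm(rec, f) for f in NAME_FIELDS])
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def seal(key, roll):
    """Baseline from a trusted snapshot, to be kept off the registration system."""
    return {r["voter_id"]: (record_mac(key, r), dict(r)) for r in roll}

def audit(key, baseline, current):
    """Return (findings, per-surname tally) for removals and name-part edits."""
    cur = {r["voter_id"]: r for r in current}
    findings = []
    for vid, (tag, old) in baseline.items():
        new = cur.get(vid)
        if new is None:
            findings.append((vid, norm(old, "last"), "removed", ()))
        elif not hmac.compare_digest(tag, record_mac(key, new)):
            changed = tuple(f for f in NAME_FIELDS if norm(old, f) != norm(new, f))
            findings.append((vid, norm(old, "last"), "modified", changed))
    # Many hits on one surname suggest targeted tampering rather than noise.
    return findings, Counter(last for _, last, _, _ in findings)

# Constructed sample data, not real voter records.
KEY = b"demo-key-held-by-auditor"
def _r(vid, first, middle, last, suffix=""):
    return {"voter_id": vid, "first": first, "middle": middle, "last": last, "suffix": suffix}

BASELINE_ROLL = [_r("V001", "Mary", "A", "Johnson"), _r("V002", "Carl", "", "Johnson", "Jr"),
                 _r("V003", "Ann", "B", "Lee"), _r("V004", "Luis", "C", "Johnson")]
CURRENT_ROLL = [_r("V001", "Mary", "", "Johnson"),   # middle initial dropped
                _r("V002", "Carl", "", "Johnson"),   # suffix dropped
                _r("V003", "ann", "b", "LEE")]       # case only: not a change; V004 removed

if __name__ == "__main__":
    findings, by_surname = audit(KEY, seal(KEY, BASELINE_ROLL), CURRENT_ROLL)
    for f in findings:
        print(f)
    print(by_surname.most_common())
```

The audit only covers records present in the baseline; records added since the snapshot would need a separate pass over the current roll.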
I realize people view this as a ‘distraction’, that we have to organize, revamp platforms and all of that. At the same time, some people pushing this are looking to shift blame from the ineptitude of the Democratic Party (though allowing these problems to fester is an argument for the Party’s ineptitude). Nobody wants to hear this. But, if this report pans out, we have real problems.
*The voters are contacted for confirmation, but typically in such a way as to guarantee they are never actually asked to confirm their registration.