As U.S. officials explore whether Russia is trying to tamper with the presidential election, states are grappling with how to secure their systems and prevent cyberattacks between now and Election Day.
Arizona and Illinois have already experienced attempted hacks of their voter databases and last week, U.S. officials said they are expanding their inquiry because investigators believe additional states have also seen hackers successfully probe their election systems. Officials have not publicly said yet who they believe was behind the Arizona and Illinois breaches, but as was the case with the Democratic National Committee (DNC) hack, Russia is suspected to be responsible.
More than a half-dozen cybersecurity experts CBS News spoke to said it’s clear Russia, which has among the best hackers in the world, is trying to influence the U.S. election and that the chances of more cyberattacks between now and Election Day are high.
Voter registration or voter roll databases might be one piece of election systems that could be susceptible to further attacks, experts told CBS. Officials in Arizona and Illinois said voters’ information was not meddled with, but it could be problematic if they break into the system and delete files.
“The real danger is whether they can delete voter registrations,” said Herbert Lin, a senior research scholar for cyber policy and security at Stanford University’s Center for International Security and Cooperation. “Let’s say they wanted to intervene on the side of [Donald] Trump. Then what you would do is find a way of invalidating the voter registrations, deleting the voter registrations of 10 percent of the Democrats in the state. That would make 10 percent of them ineligible to vote.”
Theoretically, another type of advanced attack, experts said, would be to target and modify software for voting machines so that it could affect what names are displayed or how votes are counted, though experts believe this would be too tricky to execute.
“You could, in theory, hack into that software and change it so that it would tally something differently. But again, those types of things are really hard to do just in terms of actually doing it, and doing it in an undetected way is much, much more difficult,” said Daniel Castro, vice president at the Information Technology and Innovation Foundation.
Some experts are concerned about states that use touch-screen voting machines that leave no paper trail. Five states are completely paperless: Delaware, Georgia, Louisiana, New Jersey and South Carolina. Nine other states have some counties that use paperless systems: Arkansas, Indiana, Kansas, Kentucky, Mississippi, Pennsylvania, Tennessee, Texas and Virginia.
States are already on the look-out for possible insecurities. Last week, Washington state revealed that its online tool that allows voters to register, update personal information and view a voter guide was accidentally accessible through the website’s development code.
There was never a “security breach” or “hack of the voter system,” the secretary of state’s office said in an advisory, and it was quickly fixed. But the incident reinforces concerns that state election systems could be vulnerable to potential cyberattacks.
Experts told CBS News that the ultimate goal of these hackers is not to necessarily change the outcome of the election; their main objective is to de-legitimize the outcome by sowing doubt, uncertainty and suspicion through a series of cyberattacks.
“I would argue that this is one of the most significant cyber attacks that, to my knowledge, has ever been conducted against the United States. The attackers are trying to undermine the trust in the electoral process,” said Alexander Klimburg, associate at the Harvard Kennedy School’s Belfer Center for Science and International Affairs, and author of a forthcoming book called The Dark Web.
“The challenge in cyber operations is that the only limitation in what you can do is your own creativity,” Klimburg said. “Whatever you can imagine doing is pretty much possible in cyber terms.”
So far, Obama administration officials have made no clear-cut statement either identifying the Russian government as being behind the cyberattacks or threatening retaliation. But Russian President Vladimir Putin, in an interview last week with Bloomberg denied that his government had anything directly to do with the DNC hack. “I don’t know anything about it, and on a state level Russia has never done this,” he said.
The Department of Homeland Security has offered states support and assistance in protecting against cyberattacks. Beside the general security recommendations made to make systems more secure, like changing passwords and installing firewalls, one expert said the most important action states can take is performing full compromise assessments to determine if a network has already been intruded and monitoring all computers on a network that have anything to do with vote tallying or the transfer of voter registration information.
Experts stress that hackers might not intend to use these attacks to sway the election -- in Trump’s favor, for example -- but they are part of Russia’s long-term strategy to challenge Western democracy and to disrupt and weaken the U.S. political system.
“They’ve already achieved some of their goal,” said James Lewis, senior vice president and director of the strategic technologies program at the Center for Strategic and International Studies (CSIS). “When they get closer to November, they’ll want to keep up the pressure, keep up the confusion. They’ll probably look for ways, if Trump loses, to plant information or create leads that suggest somehow the election is rigged.”
Trump has repeatedly warned that the election might be “rigged” and said in an interview with Larry King last week that it’s “pretty unlikely” that Russia would interfere.
But Lewis said he believes Russia is behind the DNC attack and intrusions at the state level and said there are a couple of factors that are likely motivating these hackers.
“Some of the goals are to see if you can drive a wedge between the U.S. and Europe and some of it is just grudge match,” he said. “They still haven’t forgiven us for what happened at the end of the Cold War.”
But FBI Director James Comey said last Thursday that any cyberattacks won’t affect the outcome of the 2016 race because it would be too complicated to attack the nation’s diverse voting systems on a large scale.
“The actual vote counting is clunky,” Comey said. “In a way, that is a blessing because it makes it more resilient and farther away from an actor who might be looking to crawl down a fiber optic cable.”
Dmitri Alperovitch is the founder and chief technology officer of CrowdStrike, which has been investigating the hacks at the DNC and DCCC, and that identified two groups, linked to Russian intelligence agencies G.R.U. and F.S.B., infiltrated the DNC independent of each other.
While Alperovitch agrees that Russia is trying to mainly cause havoc in the U.S. election system, he said “we can’t discount the possibility” that hackers could actually change the outcome of the race.
“If it’s close, and if it’s really going to come down to a few votes in a few counties, sort of similar to the 2000 Bush vs. Gore race, then you don’t need to hack into every state and every county,” he said. “You may need to do one hack and swing a few hundred votes.”
Since states and local jurisdictions run elections and use different systems, some experts and officials say its decentralized nature could in itself protect against a large-scale attack. But the fact that there isn’t a universal system to hack into also presents a downside.
“What that means from an attacker’s point of view is you can look through every state in the nation and look for the ones that have some weaknesses,” said Steve Grobman, chief technology officer of Intel Security. “There’s an incredible advantage for the adversary here in that it’s not like there’s one locked door that is built out of the field that they have to figure out how to penetrate. They basically have 50 doors that are made from all sorts of different vendors and all sorts of different technologies and they can wiggle them all, look at them all, and find the loosest one.”
It would be difficult, however, to manipulate the vote broadly, Grobman said.
Instead, Grobman said his top concern is how they could influence the election before Election Day in which hackers would release authentic data and intertwine it with data that they would fabricate, giving it the appearance of it all being believable.
“One of my concerns is that this is exactly what would happen in the election cycle where late in October, we would see a release of data that would have some piece of damning content that would potentially influence the outcome of the election and...people would assume it’s credible, especially if it’s intertwined with authentic, stolen data,” he said. “The problem would be there wouldn’t be enough time to research and validate that it would be a fabrication.”
“The Russians are going to decide the Americans are still ambivalent about how to respond to us,” Lewis said about the latest comments from key administration officials, “And they’ll see that as a greenlight.”
Asked what the chances are of Russia taking more action -- undetected or detected -- before the election, Lewis said, “100 percent.”