The Voting Records in 20 States May Have Been Hacked. But What Does That Mean?

Activity has “reached a threshold of some concern.”

Imago/Zuma


As November 8 approaches, election officials around the country have had to cope with increasing concerns about the security of state voter registration systems. The Department of Homeland Security estimates that hackers have attempted to access voter registration and administration systems in 20 states, and these states and three others have asked the government agency for help with adding extra security to their systems. Adding to the worries were the alleged Russian hacks of Democratic organizations and officials over the summer.

Congressional Democrats have been pushing the White House to publicly blame Russia for the Democratic hacks, and some administration officials have alluded to Russia’s role in public, but no official blame has been laid. John Carlin, the assistant attorney general for national security, told CNN on Monday that he could not confirm any responsible party, but he hinted that the US government has a good idea who is behind the hacks.

“To those outside our borders who are thinking that they can mess with fundamental American institutions or values…we can and will find you,” Carlin said. “And when we do there will be consequences.” Those consequences, he added, range from criminal prosecution to sanctions.

Even as awareness is growing, only the systems in Arizona and Illinois have actually been accessed. A Department of Homeland Security spokesperson didn’t respond to questions about how many states’ systems have been involved and to what extent their systems have been breached, if at all. On August 29, Yahoo News reported the FBI had warned election officials that voter registration data in at least one state had been stolen and that there had been attempts to access registration data in another state. Last week, Politico reported that in “20-plus states…intrusion attempts have become what DHS calls ‘probing of concern'”—the way hackers routinely scan computer systems looking for vulnerabilities is known as “probing.”

A DHS source told Politico that the activity has “reached a threshold of some concern” and all states are “constantly targeted,” but added that the growing hype in the media about hackers trying to swing elections has gotten “blown out of proportion.” The information accessed by the hackers in Illinois (and to a lesser degree, in Arizona) was related to voter registration data, the same kind that is public in many states. In an open letter posted September 26, the National Association of Secretaries of State—which includes the top election officials in 40 states—wrote that the highly decentralized nature of the country’s 9,000-plus election jurisdictions makes it unlikely that election outcomes could be manipulated by hackers. “Machines are standalone and do NOT connect to the internet,” the letter reads. That lack of centrality makes it hard to swing an election because “there is no central point of entry and NO NATIONAL SYSTEM to be attacked.”

Two days later, a bipartisan group of congressional leaders wrote a letter to the National Association of State Election Directors. “States face the challenge of malefactors that are seeking to use cyberattacks to disrupt the administration of our elections,” they wrote, urging the state directors to take full advantage of commercially available tools to secure their systems as well as the help offered by the DHS, which includes risk and vulnerability assessments, information sharing, the dispatch of field-based security advisers, and remote scans of states’ systems.

A major vulnerability in several states’ voting systems has nothing to do with hacking. As reported by Mother Jones nearly two months ago, as many as one-fifth of all voters in the United States live in jurisdictions where voting machines leave no voter-verified paper audit trail. If the machine were to miscount votes or lose vote data, those votes would be lost forever.