On July 12, 2016, Matthew Emmons, an IT technician, was settling into a quiet workday when a colleague approached his cubicle in the Springfield strip-mall office of the Illinois State Board of Elections. Servers holding the personal information of more than 7.5 million voters had ground to a halt, and there was something he had to see.
Within minutes, a handful of techs had anxiously gathered around a monitor showing the registration database servers hitting total capacity. “We knew we were under attack,” Emmons, now the IT director, recalls. “These are very powerful servers, and it had locked those things up.”
Emmons and his colleagues took the servers offline and started to investigate. What they discovered was mysterious and terrifying. The site’s online voter database had been overloaded by repeated queries. At peak, five requests arrived every second, and though now blocked by a new firewall, they continued to bombard the site for a month. These queries, known as SQL (pronounced “sequel”) injections, are among the most common types of computer attacks, allowing the hacker to send commands to a database to extract, modify, or erase what’s inside.
But what shocked the techs most was when the attack had begun. Activity logs showed that whoever had penetrated the database had been snooping inside for almost three weeks, learning about the system’s structure, figuring out what they could and could not do, and pilfering personal information on half a million voters. If the attackers hadn’t overloaded the servers, Emmons and his colleagues might have never known they were there.
Only later would the Illinois team officially learn, from a Senate hearing nearly a year after the incident, that they’d suffered the first known shot in a Russian campaign that would target every state. “It was a little scary, knowing that it’s a nation,” Emmons says. “This is a part of running elections in the United States now.”
To this day, it’s unclear why, after weeks of quietly poking around, the intruders shut down the servers with a blast of queries. Were they hoping to draw attention and trigger public panic? Or did someone sitting behind a keyboard in Moscow or Minsk botch a more sophisticated project?
“I have to be a little careful because of how we were briefed on that,” says Rep. Mike Quigley, a Chicago Democrat who serves on the House Intelligence Committee and is one of his caucus’ strongest advocates for election security funding. Seated in his Capitol Hill office, Quigley paused, tapping his fingers on his leg. “All I can say on the record is I don’t believe they wanted to be found.”
As President Barack Obama prepared to leave office, his administration had no doubt that Russia had mounted a devastating disinformation campaign and hacked our electoral systems—and would likely do it again. But President-elect Donald Trump was notably uninterested in the threat. When FBI Director James Comey and other leaders of the intelligence community visited Trump Tower in January 2017 to explain how the country had been attacked, Comey recalled in his memoir, Trump’s team had “no questions about what the future Russian threat might be.” Instead, Comey wrote, they launched “immediately into a strategy session…about how they could spin what we’d just told them.”
The meeting set the tone for the administration. After four months as attorney general, Jeff Sessions told the Senate he had not once been briefed on Russian election interference, even though his department oversees the FBI, which investigates Russia’s disinformation campaigns and hacks like the one in Illinois. When John Bolton took over as national security adviser in April, he promptly pushed out two top White House cybersecurity experts. In May, Homeland Security Secretary Kirstjen Nielsen, whose department also plays a leading role in election security, told reporters she wasn’t aware of US intelligence agencies having found that Russia aimed to help Trump; she made similar remarks at a July security conference. The White House has acknowledged just one Cabinet-level meeting on election security, and it didn’t come until May.
After the 9/11 attacks, a bipartisan commission launched an investigation into what had happened and outlined reforms to confront newly salient threats. Even though a similar probe into Russia’s 2016 attack would have put Obama’s national security team on the spot, neither Trump nor the GOP-led Congress showed interest in any investigation that might appear to delegitimize the election that gave their party undivided control of Washington. While the main election security fixes pushed by experts—paper ballots or printed backups that make it possible to reliably audit election results—are simple, Congress has passed no new laws to protect the country’s election systems during the 19 months since the intelligence community publicly concluded America was attacked by Russia.
If hackers target this November’s midterm elections, the consequences could be far more serious than the mostly quiet probing of 2016 and would fall on an electorate that has yet to receive a full reckoning of Russia’s attack. Hackers could try to create chaos by causing machines to malfunction, deleting properly registered voters, or even going so far as manipulating vote totals. Evidence of foreign-abetted fraud in just a handful of well-chosen counties could plunge the entire nation into crisis. Days after Trump prompted outrage by appearing alongside Russian President Vladimir Putin in Helsinki and backing his denial of involvement, the White House rushed a National Security Council meeting on election security as press secretary Sarah Huckabee Sanders defended her boss’ response to the assault, asserting he’s undertaking “bold action and reform to make sure it doesn’t happen again.” But an attack on this November’s midterm elections would undoubtedly be aided by what hackers learned two years ago—and by the president’s unwillingness to hold Russia accountable.
Intelligence services around the world—including America’s—have hacked parties and campaigns as part of standard intelligence gathering for many years. In 2008, China hacked both the Obama and John McCain teams, targeting staffers with simple phishing attacks. And in 2012, hackers—foreign and domestic—targeted the Obama and Mitt Romney campaigns. “We were fully expecting foreign intelligence services to heavily target the campaigns” in 2016, recalls Michael Daniel, who served as cyber czar on Obama’s National Security Council.
But as emails stolen from the Democratic National Committee and Hillary Clinton’s campaign were disseminated by WikiLeaks and Russian intelligence, Daniel and his colleagues were confronted with something new. These actors weren’t just snooping; they were weaponizing what they found, using a noxious brew of fake news, astroturfed social-media posts, and bots.
That part of the attack has been much discussed. Far less attention has been paid to Russia’s clandestine attacks on election systems, which were much more extensive than is generally understood. DHS officials believe every state’s voting system was cased by hackers. At least a handful, in places like Illinois, were breached, according to DHS. A classified National Security Agency report leaked to the Intercept by Reality Winner, the young intelligence contractor now serving 63 months in prison, says Russian military intelligence infiltrated an election software vendor’s systems, likely using data from the intrusion to target local election officials. Another attempt carried out by the team that targeted Illinois, according to special counsel Robert Mueller, involved emailing malware to Florida election officials that was disguised as a manual from an election software provider. There could have been other attacks that have yet to become public.
“It looks like the Russians were setting up several different lines of effort and testing out which ones they wanted to use,” says Neil Jenkins, who helped run DHS’s cybersecurity teams under Obama. They “picked and chose what was being the most successful as they went.”
At a September 2016 summit, Obama pulled Putin aside and told him to stop his interference, a meeting remembered for a photo of the men staring face-to-face. Using a never-before-deployed hotline meant to deter cyberwar—akin to the nation’s long-standing nuclear red phone—Daniel told his Kremlin counterpart to, in diplomatic terms, “knock it off.”
To the Obama security experts’ relief, Election Day seemed normal. “That there did not end up being disruption attempts beyond what they had already done I think was a result of the counterpressure that we applied,” Daniel says. “We got off easy.” But the lack of a dramatic meltdown also meant that Trump and his allies have been able to put off doing anything meaningful about election security.
Meanwhile, the Russians—and other attackers—haven’t gone away. In fact, what they did in 2016 likely gave them critical information about vulnerabilities in America’s election systems that could make another attack far more destructive. “They have been doing their planning and their homework,” says J. Alex Halderman, a University of Michigan computer scientist and a leading expert on voting security. State election officials have testified that their systems are scanned for vulnerabilities, whether by run-of-the-mill cybercriminals or hostile nation-states, thousands of times a day.
According to a recent Senate Intelligence Committee report, the Kremlin has been quietly building capacity to disrupt US elections since at least 2014 while engaging in brazen attacks elsewhere. That year, Russian hackers likely targeted Ukraine’s elections so initial vote totals would suggest the wrong winner. Officials caught the hack, but not before a Russian TV station reported the fake victor. Russia flooded British social-media feeds with anti-EU trolls in the lead-up to 2016’s Brexit referendum, and US intelligence concluded in 2017 that Russia had hacked emails associated with the party of Emmanuel Macron in France, releasing them two days before his presidential election victory.
There is a vast buffet of options for Russia or another hostile nation looking to disrupt US elections, from simple attacks on voter registration databases to more sophisticated exploits. A top concern for Halderman is the manipulation of voting software ahead of Election Day: “An attacker could spread malicious code to all the voting machines in an entire state,” he warns. Other experts worry about a Ukraine-like attack on a key state’s reporting system, prompting the Associated Press or TV networks to broadcast inaccurate information, plunging races into chaos.
Nothing, not even changing vote tallies, is off-limits. “We’re talking about state-level attackers,” says Halderman. “Quite possibly, the kinds of probing that we saw in 2016 were just part of that planning process to have the capability in place to strike in a broader and more damaging way at a time of their choosing.”
“Any disruptive or complex operation is almost always preceded by years of probing and learning,” says John Hultquist, an analyst at the private cyberintelligence firm FireEye. “Sometimes we wonder if places were merely targeted because they’re testing grounds. They are playing a long game here.”
In the late summer and fall of 2016, as Obama administration officials tried to mitigate the Russian operation, DHS Secretary Jeh Johnson was struggling to engage state officials. Johnson held a contentious August call with them, during which he proposed designating election systems as “critical infrastructure,” a step that would have freed up resources and prioritized election security assessments.
But in the face of what he later recalled as a “neutral to negative” reaction, he backed off. It was only on January 6, 2017—the same day the intelligence community released its bombshell report blaming Russia—that Johnson moved forward, angering state officials who felt the designation intruded on their turf. As the Trump administration took over, the Election Assistance Commission, a tiny agency set up after the 2000 Florida recount, tried to smooth ruffled feathers. Its Republican chairman, Matthew Masterson, was instrumental. When it comes to “the universe of people who are beloved by the state election community but are also willing and able to do nudging on security,” one former congressional aide mused, “you’re down to like one guy.” That guy was Masterson.
So it came as a surprise in February 2018 when House Speaker Paul Ryan declined to reappoint Masterson to the four-member commission. As an official who has worked with Masterson wryly noted, “Even the idiot commissioners have gotten second terms.” A spokeswoman for Ryan declined to comment to Mother Jones but in a February statement said the speaker was considering one of his “own folks.”
Masterson was quickly hired to work on election security at DHS. But he has still not been replaced on the commission, leaving the group short of a quorum and unable to issue new security guidelines. One remaining commissioner, Republican Christy McCormick, has suggested Russian meddling was a hoax.
Meanwhile, states requesting DHS assessments of their election systems under the critical infrastructure designation faced waits of up to nine months, according to a December Politico article. Under pressure from lawmakers, the department sped things up by delaying assessments of other vulnerable sectors, some of which—like nuclear plants—have also been attacked by Russia. “Demand exceeds our ability to meet all requests in a timely manner,” a department official told Mother Jones.
Rep. Jim Langevin, the Democratic co-chair of the House’s cybersecurity caucus and a former Rhode Island secretary of state, says the department’s balky response is due to a distinct lack of interest from the White House: “DHS is putting the personnel and the resources [to immigration] because the president has made it a priority. Likewise, the president isn’t making election security enough of a priority.”
In April, the White House removed two of its top cybersecurity specialists, homeland security adviser Tom Bossert and White House cybersecurity coordinator Rob Joyce, an elite hacker detailed from the NSA. Bolton, the pugnacious new national security adviser, eliminated Joyce’s position; Bossert was replaced by a Coast Guard rear admiral with far less cybersecurity expertise. Agencies and legislators looking to the White House for leadership were now on their own.
Michele Reagan, Arizona’s Republican secretary of state, was outside with her dogs on a June day in 2016 when her chief of staff called and suggested she sit down. The FBI had found a password to the state’s voter registration database for sale on the dark web. No records were stolen or altered, but to this day Reagan fields questions from Arizona voters who have heard about “election hacking” and are frightened their votes won’t count.
“We’re all talking about, ‘Did they get in? Did they get in?’ You know what? It doesn’t matter if they got in. They already won that round,” Reagan argues. “The intent of their whole campaign was to make us scared.”
Hultquist worries about the deeply negative and long-lasting impact on voter confidence of an attack tainting the outcome of a close, heavily watched race—with talk of fraud potentially amplified by Russian disinformation networks.
“The legitimacy problem is the nightmare,” he says. “If there was some suggestion that the outcome had been changed, how would our system even begin to deal with that? How would everyday citizens react?”
Only two states moved to paper ballots or printed backups in the wake of 2016—Virginia and Nevada. Edgardo Cortés, then Virginia’s chief elections administrator, says he decided to act after a July 2017 demonstration at DEF CON, the Las Vegas hacker convention, where organizers procured more than two dozen voting machines. Attendees with limited knowledge, tools, or resources were able to hack them all. Cortés remembers his reaction: “Oh my God, this is out there.” Virginia rushed the change just before its 2017 elections; control of the Statehouse ended up turning on recounts of a tiny number of votes in one district.
But as news of the Las Vegas demonstration traveled in election security circles, some state officials dismissed its significance. Testifying before a House technology subcommittee last November, Louisiana Secretary of State Tom Schedler claimed his constituents trust electronic machines over paper ballots. The DEF CON demonstration wasn’t realistic “by any stretch of the imagination,” he said, adding that “absent the hype about Russian hacking, we have received no complaints from voters at all about the performance or accuracy of our voting machines.”
But DEF CON was hardly the first time electronic voting machines have been revealed as frighteningly insecure. Videos of similar demonstrations have circulated for more than a decade. In 2007, researchers testing Ohio’s voting machines found they were vulnerable to “undetectable manipulation” and unable to “guarantee a trustworthy election.” That same year, California’s secretary of state found similar holes. “There are states that still have not patched those vulnerabilities, that are still running the same versions of the software on the same voting machines from more than 10 years ago,” says Halderman, who participated in the California assessment. In 2016, Wisconsin, a swing state, was one of them.
“If we were criminals and weren’t worried about going to jail, I think my undergraduate computer security class could have probably changed the 2016 result in Michigan,” says Halderman. In April, he demonstrated to the New York Times how to hack the AccuVote-TSX—a machine used without a paper trail in 10 states—so Michigan students would select rival Ohio State as their favorite school.
Election officials have for years decried such demonstrations, knocking researchers for frightening voters about vulnerabilities yet to be exploited. But Halderman says that line of thinking prevents voters from understanding how shoddy security can be while stymieing the political resolve needed to fix it.
“When you start taking things apart, when you start looking at the details, in so many parts of the country things just are not okay,” he says, adding that open conversation is “the only way that we are going to break the pattern of chronically underinvesting in the administration of elections.”
That’s why Halderman and other experts keep insisting that every vote should leave a paper trail and be subject to postelection audits. “We’d be able to come back and say, ‘Yes, we know that something went wrong here, but this is why we know that no votes were changed,’” he explains. “The best assertion we can make right now is, ‘We have so far seen no evidence that any vote was changed’—which is, if you parse it carefully, a much, much, much weaker statement.”
According to an analysis by the group Verified Voting, 15 states still use paperless ballots for some voters, five of them statewide. In a world where even sophisticated systems are routinely penetrated, 41 states use voter registration databases that are more than a decade old, and 43 states use equipment that is no longer manufactured. Only Colorado mandates the sort of postelection audit backed by most cybersecurity experts.
Election security “hasn’t changed in any material way” since 2016, Halderman says. “More resources are being thrown at the problem in a patchy way,” he adds, but “adversaries I’m sure have not been standing still. If Russia is planning to attack the 2018 election, they right now already have found their ways into the computer systems they’re going to use.”
On March 20, 2017, FBI Director Comey sat before the House Intelligence Committee and in a historic admission calmly confirmed the FBI was investigating not just Russian interference, but the possibility that Trump campaign officials had collaborated with the Kremlin. The hearing quickly devolved into a showcase for GOP attempts to downplay Russia’s assault on voting systems. Rep. Devin Nunes (R-Calif.), chairman of the committee, asked then-NSA Director Mike Rogers whether he had “any evidence that Russia cyber actors changed vote tallies.” Rogers replied he did not.
Republicans have chosen not to tackle the threat, congressional Democrats say, in part because the subject upsets the president and his base, a decision that looks ever more disastrous as Trump continues to downplay the attacks and refuses to confront Putin over them. Democrats have introduced a number of bills to strengthen election security—and found precious few Republicans willing to sign on. Rep. Mark Meadows (R-N.C.), chairman of the conservative Freedom Caucus, agreed to co-sponsor the PAPER Act alongside Langevin, to encourage the creation of nationwide cybersecurity recommendations while pushing paper ballot trails and postelection audits. But the bill, along with a similar Senate measure backed by Sen. Ron Wyden (D-Ore.), still awaits a hearing, and there’s no reason to expect either will move forward; while Langevin continues to push the measure, Meadows has been mum. In the Senate, a handful of Republicans joined Democrats to back legislation distributing security grants to local jurisdictions and closing a loophole allowing private election software and hardware vendors to keep attacks on their products secret. But the bill remains bottled up.
Left to go it alone, House Democrats put forth a bill in February allocating $1.7 billion to elections, including funding for paper ballots, audits, and new machines. That same month, Director of National Intelligence Dan Coats came to Capitol Hill to say the threat was ongoing and likely to get worse: “Frankly, the United States is under attack.” Russia and others, Coats warned, “are likely to pursue even more aggressive cyberattacks.” Weeks later, Rogers joined the chorus, telling a congressional committee that “Putin has clearly come to the conclusion there’s little price to pay here and that therefore ‘I can continue this activity…’ What we have done hasn’t been enough.” Despite such warnings from Trump’s own intelligence advisers, the overwhelming majority of Republicans have declined to engage.
“We have over 100 co-sponsors now,” Rep. Bennie Thompson (D-Miss.), the ranking member on the House Homeland Security Committee, says of the Democrats’ February bill. “To date, there’s not a single Republican.” Most Republicans won’t touch such legislation, Thompson says, because of their “absolute fear of being on the wrong side of Donald Trump.” In March, the Senate Intelligence Committee—which has been extensively briefed on Russia’s 2016 actions—encouraged states to use paper trails and urged funding to help implement postelection audits. That same month, Congress finally made $380 million available for election improvement, but lawmakers failed to require that the paltry sum actually be spent on security.
“Probably the decimal point was in the wrong spot,” Quigley, the Illinois Democrat, deadpanned during an interview with Mother Jones. “It should have been more like $3.8 billion.”
Some Republican senators, in line with the views of many secretaries of state, insist the federal government has no business getting involved in elections. Sen. Amy Klobuchar (D-Minn.) disagrees, arguing that foreign attacks make protecting our elections a matter of national defense: “You wouldn’t say to the state of Iowa or Minnesota, ‘Well, why don’t you fund an aircraft carrier just in case someone comes into Lake Superior?’” Republicans agreed to put the $380 million toward the problem, Klobuchar says, in part because some realized election hacking could affect them too. During a March 2017 Senate hearing, Sen. Marco Rubio (R-Fla.) revealed that his presidential campaign staffers had been targeted from suspected Russian IP addresses.
Quigley’s perch on the Intelligence Committee means he’s privy to classified information about election hacking, making him a bit of a Cassandra when he joins Appropriations Committee debates over money for the problem. Easing onto a couch in his office on a June afternoon, one leg draped over the other, Quigley prepared for an appropriations markup, during which he hoped to wrangle another $380 million in next year’s budget, a small but ongoing investment in upgrading election security.
Like most experts and legislators who have studied the issue, Quigley is less afraid of a Russian attack on vote tallies than of the chaos and lack of confidence that would come from unleashing suspicious activity in, say, a few key counties: “You don’t have to convince Americans about a conspiracy. America rests on a grassy knoll.”
“I don’t think the Republicans and their leadership fully understand the threat,” he says. “When history looks back at this, all they’re in effect doing is protecting the president.”
A few minutes later, he headed out the door to the Appropriations Committee. He lost on a party-line vote.