Security experts have warned for years that there are surprisingly few measures in place to prevent a hack like one that hit the Democratic National Committee last week, releasing 20,000 emails on WikiLeaks that contained embarrassing and politically damaging correspondence about the Democratic Party’s inner workings. New reports indicate that Hillary Clinton's campaign and a fundraising arm of the party were breached as well.
The hack joins an ever-growing list of serious US data breaches that have been tied to foreign actors, from the China-linked Office of Personnel Management hack announced in 2015 in which intruders stole sensitive information connected to more than 20 million US government employees and applicants, to the North Korea–linked Sony hack in 2014 when attackers leaked troves of data and crippled 70% of the studio’s servers. It seems the DNC hack is only the beginning: Even before it happened, Director of National Intelligence James Clapper predicted that presidential campaigns may become targets of foreign hackers.
Despite these warnings, however, and a history of nation-states attempting to hack American campaigns stemming back to at least the 2008 election, no overarching standards apply to the cybersecurity practices of campaigns, political parties, or voting systems — leaving the US electoral process vulnerable to manipulation.
Though the FBI hasn’t yet identified the DNC attackers, Obama administration officials and DNC staffers have accused Russian intelligence operatives of orchestrating the breach, possibly in an effort to influence the presidential election. (Some cybersecurity experts believe the initial DNC email leak was just the the first round, and that more emails will appear when they’d have the most negative impact on the campaign.)
And beyond political groups' communications, an even more critical aspect of the election system is vulnerable to hacks: voter registration databases and voting machines. “It’s not a matter of do people have the capability of hacking the voting technology we are using today. It’s a question of whether anyone will and whether they will be detected when they do,” J. Alex Halderman, a professor of computer science and engineering at the University of Michigan, told BuzzFeed News.
America’s Election Infrastructure Is Aging and Vulnerable
In 2006, Halderman was part of a three-person research team at Princeton University that published an influential study revealing the startling vulnerabilities of the Diebold AccuVote-TS voting machine, which was, at the time, the most widely used voting machine in America.
“What we found was horrifying,” Halderman said. “We could really easily hack into it and change the vote to whatever we wanted.” Halderman and his colleagues also designed malicious code that could spread from machine to machine, a virus outfitted with the power to manipulate the election results of a whole county or an entire state. Several states still use the Diebold AccuVote-TS voting machine in certain counties and jurisdictions.
“That’s a very realistic threat, that attackers might try to target electronic voting machines in order to influence politics,” Halderman said. “Ten years ago it might have sounded like science fiction, but it’s just the world we live in today — [with] things like the DNC hack, the North Korea hack on Sony, or all of the espionage related to China. It’s quite realistic.”
Perhaps more distressing than the vulnerabilities the Princeton team discovered is that many voting precincts have yet to address the security concerns first revealed a decade ago. “The guidelines under which almost all machines in use today were purchased had no effective security standards in place,” Halderman said. “It boggles the mind.”
Lawrence Norden, the deputy director of the democracy program for the Brennan Center for Justice, co-authored a study last year titled “America’s Voting Machines at Risk” that catalogued the extent of the US’s voting technology problem — which boils down to disturbingly antiquated machines and woefully underfunded election offices.
Norden told BuzzFeed News that, like other aspects of federal elections, the systems used for voting and their security standards are determined at the state and local level. Across the country, about 8,000 jurisdictions form a decentralized hodgepodge of voting policies, without any definitive or binding federal rules on cybersecurity.
“To ensure secure voting systems, we need to have reliable voting systems, and we just don’t invest enough in our elections,” Norden said.
Five states — Delaware, Georgia, Louisiana, New Jersey, and South Carolina — conduct their voting exclusively using machines that produce no paper record, Norden said, despite security researchers identifying paperless systems as the single biggest security risk associated with computerized voting. Other states, including some of the country’s most populous — Virginia, Texas, Florida, and Pennsylvania — use paperless machines in many of their counties.
Ariel Feldman, a computer science professor at the University of Chicago, who was also a member of the Princeton research team, told BuzzFeed News that security researchers have indeed imagined state-sponsored attacks on voting systems, and that the DNC hack should provide renewed enthusiasm for improving their security. A key concern is the nation’s reliance on voting machines that do not produce a paper audit trail.
“The security of the paperless voting machine is just terrible — doesn’t matter what model it is or manufacturer,” Feldman said. “We don’t know how to build computers that are sufficiently protected against malicious software. So we shouldn’t rely solely on a computer's memory to store votes.”
Norden said many states have moved in recent years to using machines that produce a voter-verified paper record. But the improvements have not been uniform.
What Can the US Do to Protect the Integrity of Its Elections From Hacks?
Episodes like the DNC hack may lead US officials to better define what kinds of cyberattacks constitute acts of aggression, and what the US response to those acts might be. A spokesperson for the president’s National Security Council, citing the ongoing investigation, declined to comment on how the cyberattack should be categorized.
Dave Aitel, the CEO of Immunity Inc. and a former NSA security scientist, has argued that the US government should have a stronger response to attacks that attempt to manipulate the electoral process. He thinks the US should treat the information systems around electoral politics as “critical infrastructure,” akin to dams and power grids, which warrant — and receive — additional protection against cyberattacks.
“Do we need to explain not only to Russia but to anyone else who is watching that ... we are not going to let people get away with this?” asked Susan Hennessey, a Brookings Institution fellow and former NSA lawyer. “Just like in other areas of military engagement or diplomatic engagement, there is this notion that you need to set a series of lines. And that when a country crosses a line, you need to send a very clear message that this is unacceptable,” she told BuzzFeed News.
The DNC hack could pressure US officials to consider the security of voter registration databases and voting machines as part of the country’s critical infrastructure, Hennessey said. And while the emails of political parties are further removed from the core aspects of the democratic process, attacks on the communication networks of campaigns and parties could also be considered significant incidents, with far-reaching implications. “With the North Korean Sony attack, we see now that you can actually do quite a bit of harm in unexpected places,” she said.
There is a federal agency, the Election Assistance Commission (EAC), that provides voting system guidelines to the states, but a presidential commission set up in 2013 to evaluate the American voting experience described the EAC as a bureaucracy marred by dysfunction and ineffective, outdated policies. “Without a fully functioning EAC to adopt the new standards, many new technologies that might better serve local election administrators are not being brought to the marketplace,” the presidential commission found. The EAC did not respond to a request for comment.
Political parties, campaigns, and election offices don’t have a comprehensive body that oversees their cybersecurity. The Federal Election Commission, which enforces campaign finance laws, doesn’t set cybersecurity standards. In a statement, an FEC spokesperson told BuzzFeed News, “The Commission does not have the regulatory authority to investigate matters related to the unauthorized access of a political committee's emails, servers and databases.”
So while the federal government’s role in overseeing the cybersecurity practices of political organizations and voting systems remains uncertain, the vulnerability of the US election system to hacking is very real.
“One thing we all need to accept is there’s a greater assumption that you will get hacked,” Dimitri Sirota, CEO of BigID, a cybersecurity firm, told BuzzFeed News. “It’s no longer a question of if; it’s a question of when and how.”
Political organizations are not utterly helpless, however. They can implement basic safeguards to protect themselves. The most straightforward security defense is using two-factor authentication, Dwayne Melancon, CTO and vice president of research and development for Tripwire, a cybersecurity firm, told BuzzFeed News. Compromised credentials are what gave both the Sony and OPM hackers a way inside.
Securing messages using encryption and archiving older correspondence off of servers connected to the internet are crucial actions organizations should be taking, Melancon said. “Another would be what a lawyer would tell you: If you don’t want people to see this, and it will embarrass you, don’t put it in email.”
When asked about the RNC’s own cybersecurity practices, a spokesperson referred BuzzFeed News to recent remarks made by Trump’s campaign chair Paul Manafort. “As Mr. Trump would say, we're not going to tell you that, but we have taken precautions to protect our server,” he said during a press conference in Philadelphia. Earlier this week, Donald Trump seemed to ask the Russian government to hack Hillary Clinton. “Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing,” Trump said, referring to emails from Clinton’s private server. The next day, Trump said he was speaking in jest. “Of course I was being sarcastic,” he told Fox News.
In an interview this week with CNN, the DNC’s interim chair, Donna Brazile, said of the hack, "I talked to the general counsel of the DNC today, and he assures me that every step along the way, when we were notified of these issues, that we changed systems, changed procedures."
The DNC and the Clinton campaign did not respond to a request for comment.
“National governments have to realize that cyber intrusions are not like natural disasters that just happen every so often,” Christopher Porter, a manager of strategic intelligence at Fireeye, an IT security firm, told BuzzFeed News. “There’s someone on the other side of the keyboard who’s clever and devious, who’s going to look for a way to get into your system.”
But other experts have a more pessimistic take that the DNC breach is just the latest example of people in power ignoring just how dire cyberthreats have become. When asked what campaign managers and government officials should take away from the DNC hack, Bruce Schneier, a security expert, told BuzzFeed News, “We're basically screwed.”
Hamza Shaban is a technology policy reporter for BuzzFeed News and is based in Washington, DC.
Contact Hamza Shaban at Hamza.Shaban@buzzfeed.com.
Got a confidential tip? Submit it here.