What We Know and Don't Know about Russian Hacking in 2016 Elections and What Is in Store for Georgia's House Race Next Week
The past 10 days saw dizzying details about possible election saboteurs. It started with the Intercept’s report of a May 2017 National Security Agency document confirming and detailing Russian intelligence efforts to hack local election offices as a stepping-stone to voting technology. In his Senate Intelligence Committee testimony last week, ex-FBI director James Comey said there could have been “more than 1,000” government and near-government targets.
A Bloomberg report this Monday said, “Russian hackers hit [election] systems in a total of 39 states.” On Wednesday, Politico detailed how a “29-year-old former cybersecurity researcher with the federal government’s Oak Ridge National Laboratory in Tennessee” breached the electronic systems that will run next week’s U.S. House runoff in Georgia between Democrat Jon Ossoff and Republican Karen Handel.
We need to break down what we know and don’t know about 2016's hacks, what Politico’s report means for Georgia’s runoff and what any of this has to do with the Democrats’ prospects for 2018. The bottom line is America’s voting infrastructure is often old, opaque and vulnerable—and that’s before Republicans piled on other anti-voting barriers like stricter ID requirements. But the recent hype over Russian interference is not producing a shred of evidence that Russians hacked the vote in 2016 for Trump.
What Russia did in 2016 was much like the latest disclosures about Georgia: It showed where our systems are vulnerable. That can have propagandistic value for candidates and undermine confidence in the overall process, but it does not really get to the bottom of things—namely, what is causing Democrats to lose. There is no single explanation there. But when the nation's leading progressive writes about what stops Democrats from winning, as Bernie Sanders did in a New York Times commentary Wednesday, he points to a losing agenda—“too many in our party cling to an overly cautious centrist agenda.”
Note What Sanders Says and Doesn’t Say
Sanders doesn’t blame Russians or hacking for why progressives are not in sufficient positions inside the party or in elected office. He blames a party culture that’s not changing with the times. Sanders’ op-ed says Democrats need a big wave in 2018, and he warns that the party is not positioning itself to get there.
What does this have to do with the voting systems, election laws, partisan barriers and the like? These dysfunctions are part of the uphill climb insurgents must surmount. They can be determinative in low-turnout elections, like federal midterm elections, which come next in 2018.
Sanders is saying a better message, better candidates and a better party matters most. A big turnout will be a wave washing away the partisan slights. He’s correct—winning starts with a motivated base, not a fractured one. But what about hacking the vote? Don't progressives have something to worry about in Georgia next week?
Theoretically, yes. But one could also argue that Kim Zetter’s Politico report could not be better-timed to throw the spotlight on how state officials manage its opaque and notoriously anti-democratic voting machinery.
Can Georgia’s Special Election Be Stolen?
Georgia uses some of the worst technology in the country: completely paperless voting machines that are incapable of recounts or verified votes. They are maintained and programmed by a state university computer center, under the theory that it's more capable than county clerks in rural counties.
Politico exposed that vanity as specious. Zetter reported an IT security expert was able to get into the university system, access the entire state voter registration database, and get passwords and software tools to program voting machines—such as for Tuesday’s special election. She also noted the security software on the system was old and full of known holes and hacking pathways.
Election transparency advocates sued earlier this month to try to force the U.S. House race to use paper ballots—which can't be hacked—but a state judge threw that out. Predictably, officials working for Georgia GOP Secretary of State Brian Kemp told Politico there was nothing to worry about, as did Kennesaw State University officials.
We’ll see what happens next week, but you can predict that no matter who wins, their opponent will cry foul and the vote counting infrastructure will remain largely unchanged, as it has for years in Georgia. No one can say the race won’t be stolen by GOP insiders for Handel, the former top election official in a highly partisan red-run state. But more eyes will be watching.
What Do We Know about Russian Hacking in 2016?
Georgia’s runoff provides a useful backdrop to parse what Russia did and didn’t do, most of which has been known for months.
Not all hacking is the same. What Russia did with the Democratic National Committee and Clinton campaign’s emails is entirely different from accessing election offices and their underlying infrastructure. Email servers aren’t the same as government office networks, state and federal databases containing driver’s licenses, Social Security numbers and prison system records—all of which are tapped for verifying voter registrations. Voter registration systems are different from those used to scan ballots and count votes.
Russia easily got into the DNC and Clinton emails and managed their release to great propagandistic effect. That’s no different than what our spooks do to political factions overseas, ex-CIA and NSA director Michael Hayden said last fall at the Heritage Foundation. “I have to admit my definition of what the Russians did [at the DNC] is, unfortunately, honorable state espionage,” he said. “A foreign intelligence service getting the internal emails of a major political party in a major foreign adversary? Game on. That’s what we do.”
The red line, which Hayden didn’t discuss, is crossing national boundaries, going inside the election machinery and tampering with the results. Call it a coup by the ballot box, not by the bullet. What’s been known since late last summer is that Russian intelligence agencies got inside the emails of a Florida-based private contractor whose business was maintaining state voter registration data and preparing e-poll books, or computer-based voter lists used by poll workers at precincts. The leaked May 2017 NSA document—the Intercept’s scoop—said Russia got into email servers used by the Florida firm, VR Systems, and then posed as an employee to send emails to local election officials to get inside their office systems. The NSA document said 122 “local government organizations” were targeted. Bloomberg.com followed up by quoting anonymous intelligence sources saying, “Russian hackers hit systems in a total of 39 states.” Those details are disturbing, but not entirely new and lack context.
It has been known since last fall that Russian hackers got into Illinois’ statewide voter file and downloaded files—just like the IT security expert in Zetter’s story did in Georgia. But there’s no evidence Russia messed with those files to scramble voter lists, which is what you could most readily do with access to that data system. That conclusion is supported by a lack of voter confusion, long lines and use of provisional ballots—which get filled out if someone isn’t in a poll book. Those snafus did not occur in outsized and unexpected proportions on Election Day last November.
There are key differences between a system being hit with a hacking attack, being infiltrated and being sabotaged. Last summer, Arizona’s voter file was also hit with a similar hack as Illinois, but its officials blocked it. An ex-state election director contacted by AlterNet on Tuesday said state databases are targeted on an almost daily basis by overseas hackers and that most attacks are blocked. He gave an example of one IT director of a state motor vehicle department responding by filtering out all emails from China.
They Got in, but What Did They Do?
But back to Russia’s hacks. We know that last fall President Obama pulled Russian President Vladimir Putin aside at a summit and warned him not to mess with the vote count. If voter registration is the starting line, counting the vote is the finish line.
That finish line hack is theoretically possible, according to the academic experts cited in many accounts, ranging from the Green Party’s legal filings in last fall’s presidential recounts in Michigan, Wisconsin and Pennsylvania, to the Intercept’s and Bloomberg’s reports. Once inside a government contractor’s system, it is possible to burrow into separate systems they are working on if the hackers know what they are doing. For example, when the U.S. hacked into the computers running Iran’s nuclear centrifuges to impede its refining of uranium, it got in via targeting its contractors. Their use of USB drives allowed malware from one system to jump to another. That’s the story of the Stuxnet virus.
The open questions are: Could that happen in American elections, and did that happen in 2016? It could, but there are many signs it did not last fall. No one who has seen the Russian virus that got into election office systems has said anything in public about its capacities. But just as the 29-year-old Georgia IT expert got into Georgia’s system via Kennesaw State University, it is critical to note that all he did was look around, download data and passwords. That’s what the Russians also appeared to do in the locales where they got in. There’s some proof to that—but let’s go back to the Stuxnet analogy to have more background here.
Under Stuxnet, contractors for one facility in Iran were repeatedly targeted, accessed and manipulated. As sophisticated an operation as that was, it’s more clear-cut than knowing where to go to swing a presidential election. You need to know the swing precincts, the swing counties and swing states in a country with 10,000 voting jurisdictions and 100,000 precincts. The pundits, polling firms, data analytic gurus and presidential campaigns all posed as know-it-alls before 2016’s election. But nobody accurately predicted the way voting broke for Trump and the GOP.
To believe the Russians were more capable of knowing where the election could be stolen is a stretch—not that infiltrating the election’s infrastructure isn’t disturbing. So far, there's no evidence Russia had that foresight, or a Stuxnet-like capacity to fractionally adjust vote totals—like the way we messed with Iran’s centrifuges.
As David Becker, founder of the Center for Election Innovation and Research, blogged after the Intercept article, “Much, if not all, of the activity documented in the NSA report took place after October 27, after voter registration had closed in many states, including Florida, Georgia, Michigan, Nevada, North Carolina, Ohio, Pennsylvania, Virginia, among many others. In other words, the books in those states were closed well before October 27, meaning that any voter registration activity [or tinkering with data] which took place after the voter registration deadline would have no effect on the voter lists for the presidential election.”
So Russia got in but didn’t create chaos via scrambled voter lists that would have caused long lines at polls, inordinate requests for provisional ballots, or increased requests for mail and absentee ballots from new voters (who are legally required to vote at polling places). None of that was seen in unexpectedly big numbers in battleground states.
No Signs of Hacking the Vote Count
What about hacking the vote count, fractionally adjusting totals to favor Trump and the GOP? New academic research based on presidential recounts in two battleground states that used paper ballots did not find serious discrepancies between hand counts and electronic counts. There was some variation, to be sure. But not enough to fundamentally show the election had been electronically stolen from Clinton, the University of Michigan’s Walter Mebane and Matthew Bernhard reported.
They looked at the data from the Green Party’s recount in Michigan and Wisconsin, assuming its paper ballots tallies were correct. “Presumably if there had been a hack to benefit or harm one candidate, the voting machines would have systematically under- or over-counted one candidate’s ballots more than the other. That didn’t happen,” they wrote. They did say Detroit’s officials and poll workers were so incompetent that their handling of the vote could have “potentially changed the outcome in the state.” But that’s not hacking.
Voting integrity activists will say 2016 exit poll discrepancies showed the results were hacked—but Mebane and Bernard also looked at one of the pillars of that argument: that Clinton did better where people voted on paper and not on electronic touchscreens.
“We also checked for a variety of possible hacks,” they said. “For example, was voting equipment from one vendor hacked, or only voting machines in one municipality? The election was so close that even a slight nudge might have changed the result… In brief, we find no evidence that the voting technology favored one candidate or the other.”
Becker wrote that 2016’s post-election audits also would have turned up discrepancies, but didn’t. “Nearly 75% of all ballots nationally are cast on paper, and most states audit the paper ballots to confirm that the voting machines have reported the correct results. Even if hackers from Russia or anywhere else had successfully hacked the voting machines in one of the many states that votes with paper and conducts audits, including Florida, North Carolina, Ohio, Wisconsin, and several others, the hack would have been highly likely to be discovered.”
A Toxic Mix: Poisonous Politics and Shoddy Infrastructure
The Politico report showing that a young IT expert was able to access Georgia’s voter registration and vote-counting infrastructure has prompted many people on the left to suspect they have found a pathway for GOP theft of next week’s runoff—one of the most expensive House races ever. It’s a stunning finding and not dissimilar to the evidence trail thus far about Russian interference in the presidential election.
In both instances, we’re seeing how our election infrastructure is not up to par with 21st-century technology, threats, safeguards and public expectations that vote count results be trusted. That’s all very serious. It may or may not impact who wins in Georgia next week or in 2018’s midterms. But it also may have nothing to do with who wins next week. We'll see if voters in the Atlanta-area House district are as liberal as Ossoff’s core supporters.
In the meantime, the still-unfinished Russia hacking story leave many open questions, such as what did Russia learn from poking around inside U.S. voting systems and what might it do in the future with that information. In the meantime, the country's porous and partisan election landscape underscores that progressives need to win by a lot, not by a little, to clear the systemic hurdles and barriers to get into elected office.