With the general election less than 150 days away, there are rising concerns that the push for remote voting prompted by the pandemic could open new opportunities to hack the vote — for President Vladimir V. Putin of Russia, but also others hoping to disrupt, influence or profit from the election.
President Trump has repeatedly said that mail-in ballots invite voter fraud and would benefit Democrats. It is a baseless claim: Mail-in voting has resulted in little fraud in the five states that have used it for years, and a recent study at Stanford University found that voting by mail did not advantage either party and might increase voter turnout for both parties.
But there are different worries. The rush to accommodate remote voting is leading a small number of states to experiment with or expand online voting, an approach the Department of Homeland Security deemed “high risk” in a report last month. It has also put renewed focus on the assortment of online state voter registration systems, which were among the chief targets of Russian hackers in 2016. Their security is central to ensuring that, come November, voters actually receive their mail-in ballots or can gain access to online voting.
While Russian hackers stopped short of manipulating voter data in 2016, American officials determined the effort was likely a dry run for future interference. To head off that threat, last summer the Department of Homeland Security hired the RAND Corporation to re-evaluate the nation’s election vulnerabilities, from poll booths to the voter registration systems. RAND’s findings only heightened the longstanding fears of government officials: State and local registration databases could be locked by hackers demanding ransomware or manipulated by outside actors.
Homeland Security officials have been focusing “intensely on hardening registration systems,” said Christopher C. Krebs, who leads the department’s Cybersecurity and Infrastructure Security Agency. He said his teams had been working to make sure that towns, counties and states patch software vulnerabilities, back up their systems and also have paper printouts of poll books — the registration lists used on Election Day — should criminals or adversary nations render the digital versions inaccessible.
Now the problem has grown more complex as states around the country race to accommodate mail-in voting even for those who are not away from home. And courts are intervening with contradictory rulings, many of which are being appealed, adding to the sense of chaos and uncertainty about what procedures will be used on Nov. 3.
Mr. Krebs’s agency is also concerned about vulnerabilities surrounding internet voting that Delaware, West Virginia and other states are using. In May, it issued a confidential report to voting vendors and election officials in all 50 states opposing online voting, warning that ballots “could be manipulated at scale,” meaning hackers could change large volumes of votes undetected.
Separately, researchers at the University of Michigan and M.I.T. released a study on Sunday concluding that one platform already facilitating internet and remote voting could, in certain cases, be manipulated to alter votes — without being detected by the voter, election officials or the company that owns it.
The platform, called OmniBallot, was used for internet voting in Delaware’s primary last week and will be used to a smaller extent in West Virginia’s this week. Both states also plan to use it in some form come November, as does Colorado. (New Jersey quietly used it experimentally last month in local elections.)
Various jurisdictions in Colorado, Florida, Oregon, Ohio and Washington also use the platform as a way for voters to mark ballots remotely and submit them by email, fax or mail.
The researchers discovered that both uses of the system presented opportunities for hackers or nation states to compromise an election.
“Online voting raises such severe risks that, even in a time of unrest and pandemic, these jurisdictions are taking a major risk of undermining the legitimacy of their election results,” said one of the researchers, J. Alex Halderman, a computer science professor at Michigan.
Bryan Finney, chief executive of Democracy Live, which offers OmniBallot, defended the platform, saying that before the pandemic it primarily served voters with disabilities and American service members overseas. “No technology is bulletproof,” he said. “But we need to be able to enfranchise the disenfranchised.”
Mail-in ballots, like the one President Trump used to vote in Florida’s primary in March, also depend on the safety and security of state and federal registration systems. Before the pandemic, officials were mainly focused on securing voting machines and databases, and putting new audit controls in place.
But now the virus has forced states to overhaul their plans to accommodate an expected deluge of the ballots, and nearly every state not blocked by a legal or legislative challenge is racing to expand vote-by-mail for November.
In Texas, the state Supreme Court blocked the expansion of mail-in ballots last month. On Thursday, Ohio lawmakers approved a Republican bill that makes voting by mail more difficult, removing prepaid postage and cutting in half the time to request an absentee ballot. And in Tennessee, the Republican secretary of state pledged to fight a court ruling Thursday that would allow voting by mail across the state.
Many election officials are now struggling to ensure ballots are mailed and returned securely. In 31 states, voter signatures must be verified. In the past, this task was performed by trained specialists, but larger counties are increasingly relying on signature-verification software that security experts fear could be exploited to disenfranchise voters.
The threat of foreign interference remains real. American officials have repeatedly warned that Russia is once again meddling in the presidential election. Last month, the National Security Agency warned that Russian state hackers had targeted an email program used by dozens of congressional candidates to steal emails, as Russian hackers also did four years ago.
On Thursday, Google said Chinese hackers were targeting the personal email accounts of campaign staff members working for former Vice President Joseph R. Biden Jr. It also confirmed reports that Iran had targeted Mr. Trump’s campaign.
But the White House, where Mr. Trump continues to dismiss the hacking accusations against Russia in the last election, has directed little attention to the problems beyond the president’s unfounded claims that mail-in ballots favor Democrats and “will lead to massive fraud and abuse.” (In fact, mail-in ballots create a paper trail that helps prevent abuse.)
Even the perception of vulnerabilities could have a profound impact on the actual vote, security specialists warn. It could raise doubts about the election’s integrity, at a moment when Mr. Trump’s critics allege he is already preparing the ground to challenge the result if he loses.
In a reference last month to a California congressional election, the president warned without offering any evidence that “it’s all rigged out there,” an assertion he also made when campaigning in 2016.
Mr. Biden, who advocates remote voting because of the virus’s health risks, has suggested Mr. Trump is sowing uncertainty because he may try to delay the election. And other Democrats have raised the possibility that Mr. Trump would not accept the results if he were to lose in November.
Robert O’Brien, the president’s national security adviser, dismissed those concerns last week on CBS’s “Face the Nation.” “Elections are going to take place on Election Day, there is no question,” he said, insisting that “we have a very strong infrastructure” at the White House on election security, including “the ballots, the voting machines, the secretary of state websites,” where registration data is held.
Harri Hursti, an election security expert who consults with states and counties across the country, said, “Elections are not really about the winners.” He added, “They are about conducting elections in such a way that the losers accept that the result is fair.”
An Open Door to Hackers
It was four years ago this month when officials in Arizona discovered that election officials’ passwords had been stolen, one of the first indications that the 2016 election was under cyberattack.
Studies led by the Department of Homeland Security and the F.B.I. later said that Russia had most likely conducted research and reconnaissance against election networks in all 50 states.
The integrity of the November election hinges on the same registration systems, which are “public-facing” — connected to the internet and accessible to a wide variety of state and county officials and often the companies they hire to run their election systems. But that access also leaves them open to potential attack.
A well-known threat comes from ransomware, when an invasion of a computer system locks up records, making them inaccessible. Atlanta and Baltimore have been hit by devastating attacks that made it impossible to pay parking tickets or record deeds, and towns from Florida to Texas have also been paralyzed with ransomware.
For elections, there is a separate concern that hackers, short of shutting down a system, could undermine the integrity of voter information.
If hackers slip into voter registration lists and modify addresses, or falsely indicate that voters moved out of state, the result could be digital disenfranchisement. Even just getting into the lists — without manipulating them — hackers could seed doubts of tampering. That may explain why Russian hackers made a show of stealing Illinois voter data in 2016, according to D.H.S. officials, even though they didn’t tamper with it.
“As we looked out across the country and saw ransomware running wild across state and local government agencies, it was reasonable to conclude that voter registration databases, highly networked and highly centralized, could be next,” said Mr. Krebs, the Homeland Security cyber chief. States have “stepped up” over the past year, he added.
Indeed, security is now better across the country, but voter registration data is still vulnerable and accessible to the outside world.
Some states and counties manage their registration systems internally, but many rely on a maze of private contractors that can be ripe targets. The firms retrieve the data over the internet and keep it in the cloud, often with limited security. In 2016, one contractor, VR Systems, was targeted by Russian hackers, according to aclassified assessment by the National Security Agency. The company, which has long maintained that any attacks were unsuccessful, had access to registration data in swing states like North Carolina, Florida and Virginia.
“Most people don’t realize how many times registration systems are accessed by vendors and parties with little security,” said Mr. Hursti, the security consultant. “The justification for this is that it is public data, so nobody can steal it, but that ignores how dangerous it would be if someone modifies it.”
The problem was illustrated in two states in recent weeks.
Two thousand voters in Pennsylvania received the wrong ballots for the state’s June 2 primary because of an error at a company that mails ballots for Montgomery County. And in New Jersey, a software malfunction delayed ballots to military and overseas voters for that state’s primary in July.
Election officials and vendors in both states caught the glitches, but security experts warn that malicious hackers could exploit such lapses in November.
The transparency of the information helps authorities catch bad actors, but “the vulnerabilities are real,” said Eric Rosenbach, who runs Harvard’s Defending Digital Democracy project, which is working with election officials to secure voting.
An $89,000 Digital Ballot
Before the coronavirus outbreak, the advantages of online voting were obvious for Americans with disabilities, those living abroad, military personnel posted to remote locations — even Alaskans living in the wilderness.
But the risks were made vivid a decade ago in Washington. An online voting experiment was called off after researchers hacked the system to elect HAL 9000 — the computer from the movie “2001: A Space Odyssey” — and played the University of Michigan fight song every time a ballot was cast.
The experimenting is back, but once again it is not going well. New Jersey is a case in point.
In April, with the virus sweeping the state, officials moved quickly to expand mail-in voting. But they also decided to explore online voting by hiring Democracy Live, whose OmniBallot system was identified by Michigan and M.I.T. researchers as vulnerable to undetected hacking.
New Jersey officials made the online voting available to county clerks for municipal and school board elections last month, but did not publicize it widely for fear of inviting trouble.
“We didn’t want to put out an explanation for potential bad guys to decide that this was something they wanted to exploit,” said Alicia D’Alessandro, spokeswoman for New Jersey’s secretary of state.
The result: Just one voter used the online system. The cost to the state: $89,000, and still no real test of whether it works or not.
New Jersey will not repeat the experiment for its July primary, and has not yet decided what it will do in November, officials said. A lawsuit is attempting to block further online voting in the state, claiming it is susceptible to hackers.
Delaware, also citing the pandemic, recently announced it would make online voting available to voters who were sick or in quarantine. And West Virginia said it would allow online voting by some residents with disabilities, military personnel and overseas residents, as it has since 2018. And in emergency cases, Colorado will allow some voters to submit ballots electronically, it announced last week.
Like New Jersey, Delaware, West Virginia and Colorado have contracted with Democracy Live.
Mr. Halderman of Michigan and Michael A. Specter, a researcher at M.I.T., determined that Democracy Live’s online voting and ballot-marking systems could not withstand concerted hacking attempts, and also presented privacy concerns.
The researchers reported that ballots could be manipulated to change votes and that, in some cases, the company’s servers received voters’ identifying information.
“Democracy Live is getting a database of how every single voter voted,” Mr. Specter said. “What if that ends up in bad hands?”
The report concluded that while OmniBallot’s mail-in option was reasonably secure, the online options represented “a high risk to election integrity and could allow attackers to alter election results without detection.”
Mr. Finney, the Democracy Live executive, said the company never shares or sells voter data. He also said voters concerned with online security always have the option to print and mail their ballots, something Mr. Halderman recommended as prudent.
Mr. Finney said Democracy Live’s security had been previously vetted in two reviews he could not share publicly and noted that OmniBallot had been used in over 1,000 elections over the past decade, without security issues.
Earlier this year, a team of researchers from M.I.T., including Mr. Specter, found similar problems with Voatz, another app-based voting platform. Voatz insists its system is secure.
Warnings about turning to online voting too quickly have also come from countries that use it successfully. Kersti Kaljulaid, Estonia’s president, noted last month that her country had moved to electronic ballots only after an ambitious project — known as E-Estonia — to secure 1.3 million Estonians’ digital identities.
“You need to make sure you have perfect understanding of everyone’s identity first,” she said.
No such system exists in any American state. So election officials, faced with the pandemic and an immutable general election date, are trying to make do.
In New Jersey, before the pandemic, “we ran drills on all different kinds of scenarios that could disrupt our election,” said Ms. D’Alessandro.
“We even had a scenario that dealt with a public health crisis,” she continued. “But I can tell you that simulating a measles outbreak in two towns does not prepare you for a global pandemic.”