As new reports emerge about Russian-backed attempts to hack state and local election systems, U.S. officials are increasingly worried about how vulnerable American elections really are. While the officials say they see no evidence that any votes were tampered with, no one knows for sure.
Voters were assured repeatedly last year that foreign hackers couldn't manipulate votes because, with few exceptions, voting machines are not connected to the Internet. "So how do you hack something in cyberspace, when it's not in cyberspace?" Louisiana Secretary of State Tom Schedler said shortly before the 2016 election.
But even if most voting machines aren't connected to the Internet, says cybersecurity expert Jeremy Epstein, "they are connected to something that's connected to something that's connected to the Internet."
A recently leaked National Security Agency report on Russian hacking attempts has heightened concerns. According to the report, Russian intelligence services broke into an election software vendor's computer system and used the information it gained to send 122 election officials fake emails infected with malicious software. Bloomberg News reported Tuesday that Russia might have attempted to hack into election systems in up to 39 states.
While it's unclear if any of the recipients took the bait in the email attack, University of Michigan computer scientist Alex Halderman says it's just the kind of phishing campaign someone would launch if they wanted to manipulate votes.
"That's because before every election, the voting machines have to be programmed with the design of the ballots — what are the races, who are the candidates," says Halderman.
He notes that the programming is usually done on a computer in a central election office or by an outside vendor. The ballot program is then installed on individual voting machines with a removable memory card.