On a hot June day, Arizona Secretary of State Michele Reagan got a troubling phone call.
“Are you sitting down?” Lee Miller, her chief of staff, asked, prepping her for bad news. “We’ve been hacked.”
The FBI, Miller explained, had found log-in credentials to the state’s voter registration system for sale in a dark corner of the internet. The credentials could be used to create new voter profiles or delete existing ones, or to insert a computer virus into the database.
The Grand Canyon State was hardly alone. Illinois has been hacked. The state of Washington’s voter registration system has been probed. Anonymous government officials told multiple reporters that hackers have tried to get into the voter registration systems of almost half of US states.
Even the White House has gotten involved. On Friday, government officials formally accused Russia of hacking the Democratic National Committee and the Democratic Congressional Campaign Committee. This put the official imprimatur on an allegation that has been percolating since the first hack was revealed in June, just before the Democratic Party’s national convention.
The simple goal of the hacks: undermine confidence in one of the most contentious presidential elections in memory.
Altering the outcome of a US national election is almost impossible. For one thing, voter registration databases are not the same as voting machines. About a dozen electronic voting systems are used in the country, and none of them is connected to the internet. Sure, all touchscreen systems could theoretically be tampered with. But that would require a hacker with a USB stick full of malicious code (or on some older machines, a special computer chip and the right-size screwdriver) to spend a few minutes in-person on each machine he or she wanted to tamper with.
Plus, you’d have to target the right swing states and alter the right amount of votes.
“There would be a lot of guesswork in it and a lot of statistics,” said Malcolm Harkins, chief security and trust officer at cybersecurity company Cylance. Harkins has researched the security of electronic voting machines and says hacking the election is “impractical…and not likely to occur.”
Still, concerns about the integrity of the system and the election’s results weigh on voters’ minds. More than half of voters rate the possibility that voting machines could be hacked as “likely” or “very likely,” according to a survey conducted by Carbon Black, a cybersecurity company.
Andrew Appel, a Princeton computer science professor, has made a career of hacking electronic voting machines. He can list all the ways each vulnerable machine could be hacked, but he says the logistical hurdles for foreign hackers would be too high to surmount.
The only way to do it, he says, would be to hack each machine the way US and Israeli spies reportedly hacked computers at a secret Iranian nuclear enrichment facility. The spies reportedly tricked Iranians into plugging USB sticks with malicious code on them into the facilities’ computers, which weren’t connected to the internet.
The lack of uniformity in the US voting system will keep it safe, say cybersecurity experts.
“We don’t have a national election,” said Tod Beardsley, senior security research manager at cybersecurity firm Rapid7, who became an election judge in Texas so he could access and research voting machines. “We have 3,000 elections happening on the same day.”
But watch out on election day, Beardsley said. What voters might see instead of hacked voting machines are defaced websites when they try to look up a polling place. Or claims that voting machines were hacked. Either of those kinds of incidents might make voters doubt the election’s outcome.
If that were to happen, “I would hope that proof would be demanded,” Beardsley said.
In fact, Arizona’s Reagan said the state is prepared to deal with contested election results. Its voting machines record each vote on paper as well as electronically, allowing for a hand recount if necessary. The machines are also audited ahead of time to make sure they’re recording votes accurately.
Other states have different procedures for recounts — most notably, some of them don’t keep a paper record of the votes made on each machine, which experts say is bad for accountability.
Arizona’s problems started in June, when an employee of Gila County apparently fell for a phishing email, opening up an innocent-looking Microsoft Word document that was loaded with malicious software.
That breach of the employee’s computer was quickly discovered. Still, whatever the hackers put on the machine allowed them to figure out the employee’s username and password.
The FBI found the official’s login information for sale in an underground hacker market on the internet. The law-enforcement agency quickly notified Arizona, which began its own investigation.
Reagan’s office, which is responsible for administering and certifying elections, quickly pulled the state’s registration database offline. The FBI and the Arizona Department of Administration, which supports the operations of other departments in the state government, scoured it for evidence of tampering.
The investigation found no evidence that information had been taken from the system or that any data had been altered. Investigators also found nothing to suggest the hacker or hackers had inserted malicious software into the system. The system was safe.
Still, the damage was done.
As news of the hack spread, Reagan said, her constituents expressed concern. Voters called her office, vented their fears on social media and spoke out at public events, said her spokesman, Matt Roberts.
Confidence, of course, is the most fragile aspect of any election. If voters worry that ballot boxes will be stuffed, physically or digitally, they stop trusting the results. Some might even stay home rather than participate in a contest they worry might be rigged.
So Arizona’s Reagan has been on the trail trying to assuage fears.
Since getting that phone call, the Republican Reagan, who’s held public offices for 15 years and has been secretary of state since 2014, hit local and national TV and radio shows to tell voters what happened and what the state is doing to keep elections safe from hacker tampering.
The very idea that hackers could prompt voters to lose faith in the system frustrates Reagan to no end. And she doesn’t shy away from telling her state’s citizens — or anyone at all, for that matter — she’s angry.
“The last thing we want is outside forces, especially from outside the country, trying to make people think that there’s no integrity in their vote,” Reagan says. “That shakes the very foundation of what we’re trying to do.”