Recent reports have revealed new details about Russian attempts to hack U.S. elections. Cyber security experts say they saw these hacks coming and are worried about upcoming elections.
According to leaked NSA documents published by The Intercept, Russian hackers impersonated voting software supplier VR Systems and sent spear-phishing emails to more than 100 local election officials just before the 2016 election.
The emails included malware that could be used to break into VR Systems' electronic poll book data, allowing a hacker to change information and keep people from being able to vote.
"If the voter’s address is changed, then they would be told that they’ve gone to the wrong polling place or the voter was marked as having voted absentee or having voted in early bidding," said Susan Greenhalgh, an elections specialist with Verified Voting, a non-partisan nonprofit which advocates for better voter verification practices.
Electronic poll books went down last year on election day in Durham County, North Carolina, causing long lines at the polls.
The Southern Coalition for Social Justice filed a lawsuit in hopes of forcing the Durham County Board of Elections to keep polls open an additional 90 minutes. The State Board of Elections extended voting for one hour in 8 districts affected by the glitch.
North Carolina officials are investigating the reports of the Russian probe into VR Systems poll books, which were used in Durham. It's unclear whether the hacking caused the outages.
In a statement, VR Systems said it had no indication that any elected officials opened the spear-phishing emails.
"It is also important to note that none of our products perform the function of ballot marking or tabulation of marked ballots," the statement said.
This week Bloomberg reported that Russian cyberattacks on U.S. electoral systems were far more widespread than previously known, with incursions into voting databases and software systems in 39 states, twice as many states as previously reported.
According to that report, hackers tried to alter voter data and access software used by election workers.
Trouble for upcoming elections?
Experts say these reports show just how vulnerable U.S. election systems are and could mean trouble for upcoming elections, including the run-off in Georgia's 6th Congressional District.
"Georgia is not prepared to protect against any type of serious cyber attack," Greenhalgh said. "Georgia does not have paper ballots, their system is entirely electronic. It is also very old."
In fact, all of the testing and programming for Georgia's voting machines is done at one location, Kennesaw State University’s Center for Election Systems.
In March, that system was breached and the FBI launched an investigation. Turns out the perpetrator was a white-hat hacker, but the discovery raised alarm bells.
"How many non-white-hat type hackers were able to discover that vulnerability and exploit it, before the good guys did?" Greenhalgh said.
After the breach, KSU officials said they were working with experts to ensure the systems were secured and met best practices.
Georgia’s office of secretary of state did not respond to a request for comment.
Experts say the best way to protect the integrity of elections is to go old school.
"The best way to provide resilience into our electoral system is to make sure that votes are recorded on a physical paper record, that's independent of the software," Greenhalgh said.
That doesn't mean counting every single paper ballot manually. Greenhalgh says states should take a statistical sample of paper ballots to make sure the results are accurate.
Experts warn that votes cast online are even more vulnerable to hacking. Online voting is most frequently used for citizens living overseas, or members of the military serving abroad.
France suspended all online voting before its presidential election due to concerns over Russian hacking.
"These are going to be the most vulnerable ballots and the first point of attack, the low hanging fruit, that any attacker would aim for," Greenhalgh said.
The SAFE Act
House Democrats have introduced a bill to protect voting systems.
The SAFE Act, introduced by Reps. Mark Pocan (Wisconsin), Keith Ellison (Michigan), and Hank Johnson (Georgia), would permanently designate voting systems as critical infrastructure.
That would put voting machines and systems in the same category as the power grid, water supply, and banking system, protected by the Department of Homeland Security.