Democrats in Congress have issued what may be their most alarming report ever about the vulnerability of America's voting machinery to sophisticated adversaries and the limited abilities of government at every level to stop Election Day chaos.
The "Congressional Task Force on Election Security Report," from the party's foremost experts on cyber threats in the House, gives new details on Russian hacking of the 2016 election and how the response across many layers of government was often poorly coordinated and marginally ineffective.
For example, as the 2016 presidential election came to a close, the Department of Homeland Security wanted to help states and counties by probing their computer systems to identify hacking vulnerabilities. But it noted that states and localities that sought help had to wait for weeks in October -- a timeline out of sync with early November's Election Day. (The report said DHS is now trying to do better.)
Its authors are sponsoring legislation to spend hundreds of millions to patch a national system beset by hacking pathways and other vulnerabilities. Not a single Republican in Congress took part in the hearings that produced the report. Nor have Republicans shown interest in acknowledging the cyber threats to voting or the millions needed to fortify the machinery for more trustable elections.
"The president and House Republicans have done nothing," House Minority Leader Nancy Pelosi said at a press conference releasing the report and the legislation, where she recounted how every top intelligence official appointed by President Trump has recently said that Russia is already meddling in the upcoming 2018 election. "They have refused to take inventory of what our resources are and what they need to be. They have refused to assess what the danger is to our electoral system, while the intelligence community, clearly by consensus, has told them."
The report covers a lot of ground, starting with what Russia did in 2016 that was different from its past efforts to seed and spread political propaganda in the U.S.
It began by citing the outlines of what most people already know; that Russian agents posted "more than 1,000 YouTube videos, 130,000 tweets, and 80,000 Facebook posts. The latter were viewed by approximately 126 million people on Facebook platforms alone." But the report quickly narrowed its focus to cyber probing of voting systems, starting with state voter registration databases.
"The 2016 election has shown us that these systems are vulnerable to attack," the report said. "The Department of Homeland Security found that Russian hackers targeted these [registration] systems in 21 states. In Illinois, Russian hackers successfully breached the databases and attempted, but failed, to alter and delete voting records. In Arizona, hackers were able to successfully install malware on a county election official's computer. That gave the hackers access to the official's credentials which could have then been used to get into the county's voter registration database. In addition, hackers targeted at least one election vendor with the hope of ultimately obtaining access into voter registration databases."
The report described the kind of havoc that could have ensued had the Russians -- or anyone else -- scrambled voter data in those systems.
"The most significant threat posed by vulnerable voter registration databases is that an attacker could alter, delete, or add voter registration records which would then cause profound chaos on Election Day and potentially change the results of the election," it said. "There is no federal law that governs what steps election vendors must take to safeguard their systems from attack. Instead, any obligations that vendors are subject to stem from the terms of their contracts with states and localities."
"The [proposed] Election Security Act proactively strengthens our elections system by requiring election technology vendors to adopt specific cyber security standards that share threats with elections and security officials, intelligence officials, as well as running pre-election threat assessments to uncover vulnerabilities, with enough time to solve them," Demings said. "Nowhere is that more evident than in my home state of Florida, where a voter registration vendor [VR Systems] for 57 of 58 counties was targeted in August of 2016. By October, at least 12 county elections officials had received information about it, but it was not until November first that all counties were notified of the attempted hack. To my knowledge there were no successful breaches, but Russia and others will be back with a vengeance. We must be ready."