Imagine it’s Nov. 3, 2020. The polls have been closed for a couple of hours. As election results roll in, the national media waits anxiously for returns from a handful of key swing districts in Michigan.
Then, around 11 p.m., county election officials begin to post their results on official websites and social-media accounts. Within minutes, the Associated Press has called the state for one presidential candidate, and minutes later the major cable news networks have projected the winner.
Now imagine those county election officials had been hacked, and the results broadcast on their websites and social-media accounts were wrong — part of a foreign active-measures campaign to sow chaos and raise doubts about the validity of the election.
This is the nightmare scenario laid out in a new report by a civil grand jury in San Mateo County, California, on Wednesday. While much national attention has focused on the security of voting machines and voter registration databases, the grand jury chose to look at the security of San Mateo County’s infrastructure for election announcements, like notices about where to vote or official election results.
The report found large gaps in the county’s online security, including official websites and social media accounts that did not use two-factor authentication and passwords that county employees shared among themselves.
“These vulnerabilities expose the public to potential disinformation by hackers who could hijack… online communication platform to mislead voters before an election or sow confusion afterward,” the report said. “Public confidence is at stake, even if the vote itself is secure.”
The report looks at two possible scenarios. In one, hackers compromise county accounts before an election to feed voters incorrect information about where and how to vote, potentially affecting the election’s outcome.
In the other, hackers take over county accounts after an election to send out incorrect results that then get rebroadcast by the media, sowing confusion and doubt about the election’s outcome. In this scenario, the vote is secure but public perception is damaged.
The San Mateo County report, which was first reported by Krebs on Security, recommended tighter security for the county’s websites, social media accounts, and email systems. That included moving to two-factor authentication that relies on a physical hardware key rather than a code sent over text message, which are more vulnerable to hackers.
The report also recommended that county officials take advantage of voluntary cybersecurity assistance programs offered by the federal Department of Homeland Security.
The grand jury released its report the same day former special counsel Robert Mueller testified Wednesday that Russia and other foreign adversaries are planning to disrupt future U.S. elections.
“It wasn’t a single attempt,” Mueller said Wednesday of Russia’s 2016 election interference. “They’re doing it as we sit here. And they expect to do it during the next campaign.”
The threat isn’t theoretical. In 2014, Russian hackers targeted Ukraine’s election results website with a distributed denial of service, or DDoS, attack, temporarily knocking it offline. Hackers did the same thing to a Knox County, Tennessee, election results website last year.
In a similar attack, the Syrian Electronic Army gained access to the Associated Press’ Twitter account on April 23, 2013. “Breaking: Two Explosions in the White House and Barack Obama is injured,” the hackers tweeted. The news was fake, but the impact was real: For a few minutes, the Dow Jones Industrial Average lost 150 points.
A bipartisan report by the Senate Intelligence Committee released Thursday confirmed that Russian hackers scanned local election systems in all 50 states ahead of the 2016 presidential election and made a series of recommendations to improve the security of the nation’s election infrastructure.
Senate Majority Leader Mitch McConnell (R-KY) blocked a vote Thursday on legislation by Sen. Ron Wyden (D-OR) that would place mandatory security requirements on local election website, among other reforms. Sen. Cindy Hyde-Smith (R-MS) blocked three other election security measures from coming to the floor for a vote on Wednesday.
Earlier this year, Wyden told ThinkProgress that McConnell has “a long history of opposing election reform.”
“And he’s got people in his caucus who’ll do a lot of the heavy lifting for him,” Wyden added.