Back in July, two cybersecurity firms sent the Department of Homeland Security a troubling report that described a possible vulnerability in the online voter registration systems in dozens of counties in California and Florida.
The report, obtained by NPR, warned that flaws that might have allowed hackers to change a handful of voter registration files four years ago are still likely to exist in some places, and could be used again.
A spokesperson for DHS' Cybersecurity and Infrastructure Security Agency, or CISA, called the report "questionable" and "unverified," and said the department "takes vulnerability reporting and remediation seriously."
The report comes, however, as Director of National Intelligence John Ratcliffe announced Wednesday that Russian and Iranian hackers had used some voter registration information in a bid to send misinformation to voters and sow discord ahead of the election. It is unclear if the voter registration websites the report identified as vulnerable were part of the hack Ratcliffe revealed.
The election threat report that flagged the vulnerability was written by experts at the cybersecurity firm RiskIQ and at Northrop Grumman, and compared voter registration websites around the country with those that appeared to have been hacked in 2016.
The report makes clear that the threat today is hypothetical, and it offers no evidence of a current attack on American elections. U.S. intelligence officials contacted by NPR before last night's announcement, who had read the report, agreed, however, that voter registration websites are a favored target of foreign hackers for a simple reason: They can be an easy target.
Administration officials have confirmed publicly that they believe that several counties in Florida, the State of Illinois Board of Elections, and possibly several counties in California had been victims of a hacking campaign four years ago.
Trouble in Riverside
One of the cases that remained mysterious, though, happened in Southern California. During the 2016 primary elections, the Riverside County District Attorney, Michael Hestrin, began fielding calls from angry voters who said they weren't allowed to cast their ballots — their voter information, they said, had been changed.
"Once the number got to be over 15 or 20, I was very concerned," Hestrin recently told NPR. "I asked my chief investigator to send out several investigators to some of the larger polling places in our county... and meet some of these voters who had called me."
Among other things, the voters said their party affiliations had been changed from Republican and Democrat to Green Party or Independent, which also changed which ballot they'd be given for the primary. Hestrin said he believed the pattern was too precise to be accidental. He's convinced the voter registration website was hacked.
"This was beyond just voter confusion. Oftentimes it's a voter error. This was beyond that," he said. "Each of the cases we investigated, people had their voter registration changed unbeknownst to them. They got no notice. They didn't go in and change it. They just found out when they went to vote."
While Hestrin's investigators couldn't trace the possible culprit's IP addresses because the state didn't capture them at the time, they were able to determine when the registrations were changed. This allowed investigators to go back to voters to try to refresh their memories. But voters they spoke to were convinced they hadn't done it themselves.
"The voter is telling us, I didn't change my registration ten days before an election, I've been a Republican for, you know, twenty five years. Why would I do that?" Hestrin said. "So it didn't seem likely that this was voter confusion."
California Secretary of State Alex Padilla says the D.A. is mistaken and the voter registration problems in Riverside County were a result of human error. In response to questions from NPR about the incident, Padilla said there is no convincing evidence that Russia, or anyone else, changed voter information in Riverside County.
Since then, he added, the state has done a lot to protect online voter registrations. For example, California started capturing IP addresses in February 2017, about six months after the Riverside event, and the state has since put in place network safeguards, firewalls, and system monitoring.
The RiskIQ-Northrop Grumman report also found that dozens of counties in Florida had voter registration websites that closely resembled those in Riverside County in 2016. Those websites have since migrated to a new operating system that isn't vulnerable to the same attack, but the report concluded that, to rule out a compromise before the migration, the sites need to be checked for anything that might have slipped in before they moved. (The report names 69 counties in Florida and California that might be vulnerable to attack, but NPR is not naming them.)
The report also raises the concern that these Florida counties could potentially be even more vulnerable than Riverside County was four years ago because they all share the same website management system. So if a hacker is inside one website, he or she could have access to all the others too.
This past May, the FBI briefed Florida lawmakers on which of their 67 counties were successfully breached back in 2016. The officials were not allowed to divulge what they had learned, but they stressed that there was no evidence that cyberattacks changed any votes. They confirmed that Russian hackers would have been able to change voter registration data if they had wanted to. There was no evidence, they said, that the hackers did so.
"I think [Riverside] is one of the most unheralded incidents of 2016," said Ryan Munsch, a solutions architect at RiskIQ who tracks election systems and possible vulnerabilities. He decided not to speak about the substance of the report but agreed to talk about Riverside County, which is public. "There is what we call proof of concept in which you wouldn't gain a whole lot of attention, which was the case in Riverside, and you conduct an exercise that proves you can do something that, if necessary, can be done at a larger and broader scale."
Just a month after the Riverside incident, the Illinois State Board of Elections found intruders inside its voter-registration website. Someone had been probing their voter rolls and was downloading voter information. Officials only discovered the breach after the intruder was inside and accidentally crashed a server. Intelligence officials later confirmed publicly that they had traced the breach to Russian hackers.
"The actors got loud and essentially shut down the voter registration database, and that called attention to the problem," said Neil Jenkins, who served as DHS' election security coordinator in 2016 and is now chief analytic officer at the Cyber Threat Alliance. "And there's been a bit of a conversation about why those actors, who we now know were Russian hackers, why were they so loud? Were they loud because they made a mistake, or were they loud because they were trying to draw attention to their presence there?"
DHS has been worried enough about voter registration websites that it hired the RAND Corporation to assess vulnerabilities. RAND found, among other things, that state and local registration websites could be locked by hackers looking for money or manipulated by bad actors wanting to rattle the election. Jenkins said DHS officials continue to be concerned that suspicious incidents they saw back in 2016 were a dry run for something more sophisticated in 2020.
Too close to the election
The RiskIQ/Northrop Grumman report looked at the websites' vulnerability to a particular kind of hack, something called a Padding Oracle Exploit, or POE. The technique, popular with hackers more than a decade ago, lets an attacker decrypt encrypted information without the key by observing how a server responds to deliberately altered ciphertext.
One of the concerns laid out in the report is that bad actors could use a POE to decrypt credentials and give themselves administrator access to the voter registration website. With that level of access they could potentially plant malware, change code, and even insert errors into the data.
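The weakness behind a padding oracle, shown as an added illustration that is not code from the report, NPR, RiskIQ or Northrop Grumman: a decryption routine that checks CBC padding on unauthenticated ciphertext answers "ok" or "bad padding" depending on plaintext it never reveals, while an encrypt-then-MAC check rejects any tampered ciphertext before the padding is examined. The block cipher is a constructed stand-in (a keyed mask, not AES) so the example runs offline, and the keys, IV and `role=admin` plaintext used to exercise it are made-up sample values.

```python
import hashlib
import hmac
BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _mask(key: bytes) -> bytes:
    return hashlib.sha256(b"block:" + key).digest()[:BLOCK]  # constructed stand-in for a block cipher, NOT AES

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    pad = BLOCK - len(plaintext) % BLOCK  # PKCS#7: every pad byte equals the pad length
    data, out, prev = plaintext + bytes([pad]) * pad, b"", iv
    for i in range(0, len(data), BLOCK):
        prev = _xor(_xor(data[i:i + BLOCK], prev), _mask(key))
        out += prev
    return out

def cbc_decrypt_raw(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(_xor(ct[i:i + BLOCK], _mask(key)), prev)  # P_i = D(C_i) xor C_{i-1}
        prev = ct[i:i + BLOCK]
    return out

def unpad(data: bytes) -> bytes:
    pad = data[-1] if data else 0
    if not 1 <= pad <= BLOCK or data[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding")
    return data[:-pad]

def vulnerable_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # Padding checked before any authentication: "ok" vs "bad padding" on altered input is the oracle.
    return unpad(cbc_decrypt_raw(key, iv, ct))

def tag_for(mac_key: bytes, iv: bytes, ct: bytes) -> bytes:
    return hmac.new(mac_key, iv + ct, hashlib.sha256).digest()  # encrypt-then-MAC tag

def hardened_decrypt(enc_key: bytes, mac_key: bytes, iv: bytes, ct: bytes, tag: bytes) -> bytes:
    # Constant-time tag check before any padding is examined: all tampering yields one identical error.
    if not hmac.compare_digest(tag_for(mac_key, iv, ct), tag):
        raise ValueError("authentication failed")
    return unpad(cbc_decrypt_raw(enc_key, iv, ct))

def outcome(decrypt, *args) -> str:
    try:  # what a remote caller observes from a decryption endpoint: success or which error
        decrypt(*args)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

Flipping one byte of the first ciphertext block changes only the final plaintext byte of the second, so the vulnerable routine answers "ok" for one flip and "bad padding" for another, while the hardened routine answers "authentication failed" for both.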
DHS, for its part, said it found the report "misleading" and pointed out that the report itself said that websites in Florida were probably protected from the hack because they had migrated to a newer operating system. The report also said, however, that the websites could have been compromised before the migration happened. The last voter website to migrate to a new operating system did so in 2019. The report suggests DHS do an audit of the Florida voter registration websites to make sure some vulnerability didn't accidentally slip in.
Jenkins said DHS officials might also be hesitant to address details of the report or contact local officials about its findings because they haven't seen any indication that this hack is imminent, and, as a general matter, local officials are unlikely to patch their systems against a possible vulnerability this close to the election.
"Amazon probably doesn't make a lot of changes to its infrastructure just before Prime Day because they've got something big coming up," Jenkins said. "Target doesn't patch a lot of vulnerabilities the day before Black Friday because they know operationally the website has to be up and running."
The last thing election officials would want to do just weeks before their big day, he said, is to patch a website against a vulnerability that might not be severe and then find themselves watching helplessly when the patch makes their website crash.
An earlier version of this story misspelled Director of National Intelligence John Ratcliffe's name as John Radcliffe.
SCOTT SIMON, HOST:
As the election fast approaches, a new concern about securing the vote. NPR has learned that back in July, two cybersecurity firms sent the Department of Homeland Security a report that warned about flaws in voter registration websites around the country. The fear is that a defect that existed back in 2016 that might have allowed hackers to download voter information or change voter registration files could be used again. NPR's Dina Temple-Raston, who obtained the report, explains.
DINA TEMPLE-RASTON, BYLINE: To understand why a report about the possible vulnerabilities in the voter registration websites is so important, we need to go back to the summer of 2016. That's when questions first started to surface about darker forces hacking into online voter rolls. And to this day, one of the most mysterious of these cases comes out of Riverside County, Calif.
MICHAEL HESTRIN: Each of the cases we investigated, people had their voter registration changed unbeknownst to them. They got no notice. They didn't go in and change it.
TEMPLE-RASTON: That's Riverside County District Attorney Michael Hestrin. And during the June 2016 primary, people were showing up to vote only to find that they were suddenly listed in the voter rolls as members of the Green or independent party.
HESTRIN: Now, the voter is telling us, I didn't change my registration 10 days before an election. I've been a Republican for, you know, 25 years. Why would I do that?
TEMPLE-RASTON: And it wasn't just one or two complaints.
HESTRIN: Once the number got to be over, you know, 15 or 20 or so, I was very concerned. I sent out several investigators.
TEMPLE-RASTON: Riverside County may live in infamy as an election cold case because back in 2016, the state of California didn't capture the one thing that helps investigators track down a hacker, an IP address.
Not every California government official agrees, but Hestrin is convinced that the voter registration website in Riverside County was hacked four years ago. Then, a month later in Illinois...
(SOUNDBITE OF MONTAGE)
STEPHANIE SY: The FBI says foreign hackers have penetrated state election systems.
UNIDENTIFIED NEWSCASTER #1: Data from as many as 200,000 voter records was stolen in Illinois.
UNIDENTIFIED NEWSCASTER #2: Specifically, the internal database of voter information.
TEMPLE-RASTON: Officials only discovered the breach because whoever was inside goofed and crashed the server. Intelligence officials later confirmed publicly that they had traced the hack back to Russia.
(SOUNDBITE OF MONTAGE)
UNIDENTIFIED NEWSCASTER #3: Special counsel Robert Mueller out with his most sweeping indictment yet.
UNIDENTIFIED NEWSCASTER #4: ...Announcing this morning the indictment of 12 Russian military operatives on hacking charges related...
TEMPLE-RASTON: These kinds of incidents and news this week of new Russian intrusions into county electoral systems puts a troubling report that was sent to DHS a few months ago in a different light.
Written by cybersecurity experts at RiskIQ and Northrop Grumman and obtained by NPR, it warned that flaws that might have allowed hackers to change voter registration files four years ago could still exist in California and Florida and could be used again. The report, which went to the agency in July, was hypothetical and it didn't point to any specific hacks but concluded that the vulnerabilities were probably still there.
A DHS spokesperson downplayed it, telling NPR that it was unverified and questionable. Just hours later, though, the director of National Intelligence, John Ratcliffe, announced this.
(SOUNDBITE OF ARCHIVED RECORDING)
JOHN RATCLIFFE: We have confirmed that some voter registration information has been obtained by Iran and separately by Russia.
TEMPLE-RASTON: Then on Thursday, the FBI and DHS announced that Russian hackers targeted dozens of state and local government networks and voting-related systems. Among the fresh concerns, that the websites that are used to identify voters at the polls could be changed.
NEIL JENKINS: Voter registration databases tend to be online. And because of that, they tend to have many of the same vulnerabilities that other websites have.
TEMPLE-RASTON: That's Neil Jenkins. He was the election security coordinator for the Department of Homeland Security in 2016. He says if a website is on the Internet, it's at risk.
JENKINS: They need to be monitored. They need to be patched and mitigated.
TEMPLE-RASTON: But he says even if there's a vulnerability, even if the report is correct and there are flaws in the voter registration websites, local election boards are unlikely to do anything about it because we're too close to the election.
JENKINS: Amazon probably doesn't make a lot of changes to its infrastructure just before Prime Day. Target doesn't patch a lot of vulnerabilities the day before Black Friday because they know operationally, the website has to be up and running.
TEMPLE-RASTON: And the last thing election officials would want to do just weeks before their big day, Jenkins said, is to insert a patch and accidentally crash their own websites.
Dina Temple-Raston, NPR News.
(SOUNDBITE OF MUSIC)
Transcript provided by NPR, Copyright NPR.