An election worker uses an electronic pollbook to check voters at a polling station in the Echo Park Recreation Complex in Los Angeles on March 3, 2020.
Caption
An election worker uses an electronic pollbook to check voters at a polling station in the Echo Park Recreation Complex in Los Angeles on March 3, 2020.

Back in July, two cybersecurity firms sent the Department of Homeland Security a troubling report that described a possible vulnerability in the online voter registration systems in dozens of counties in California and Florida.

The report, obtained by NPR, warned that flaws that might have allowed hackers to change a handful of voter registration files four years ago are still likely to exist in some places, and could be used again.

A spokesperson for DHS' Cybersecurity and Infrastructure Security Agency, or CISA, called the report "questionable" and "unverified," and said the department "takes vulnerability reporting and remediation seriously."

The report comes, however, as Director of National Intelligence John Ratcliffe announced Wednesday that Russian and Iranian hackers had used some voter registration information in a bid to send misinformation to voters and sow discord ahead of the election. It is unclear if the voter registration websites the report identified as vulnerable were part of the hack Ratcliffe revealed.

The election threat report that flagged the vulnerability was written by cybersecurity experts at the cybersecurity firm RiskIQ and by Northrop Grumman, and compared voter registration websites around the country with those that appeared to have been hacked in 2016.

The report makes clear that the threat today is hypothetical, and had no evidence of a current attack on American elections. U.S. intelligence officials contacted by NPR before last night's announcement, who read the contents of the report, agreed however that voter registration websites are a favored target of foreign hackers for a simple reason: They can be an easy target.

Administration officials have confirmed publicly that they believe that several counties in Florida, the State of Illinois Board of Elections, and possibly several counties in California had been victims of a hacking campaign four years ago.

Trouble in Riverside

One of the cases that remained mysterious, though, happened in Southern California. During the 2016 primary elections, District Attorney in Riverside County, Michael Hestrin, began fielding calls from angry voters who said they weren't allowed to cast their ballots — their voter information, they said, had been changed.

"Once the number got to be over 15 or 20, I was very concerned," Hestrin recently told NPR. "I asked my chief investigator to send out several investigators to some of the larger polling places in our county... and meet some of these voters who had called me."

Riverside County District Attorney Mike Hestrin speaks at a press conference on Jan. 18, 2018, in Riverside, Calif.
Caption
Riverside County District Attorney Mike Hestrin speaks at a press conference on Jan. 18, 2018, in Riverside, Calif.

Among other things, the voters said their party affiliations had been changed from Republican and Democrat to Green Party or Independent, which also changed which ballot they'd be given for the primary. Hestrin said he believed the pattern was too precise to be accidental. He's convinced the voter registration website was hacked.

"This was beyond just voter confusion. Oftentimes it's a voter error. This was beyond that," he said. "Each of the cases we investigated, people had their voter registration changed unbeknownst to them. They got no notice. They didn't go in and change it. They just found out when they went to vote."

While Hestrin's investigators couldn't trace the possible culprit's IP addresses because the state didn't capture them at the time, they were able to determine when the registrations were changed. This allowed investigators to go back to voters to try to refresh their memories. But voters they spoke to were convinced they hadn't done it themselves.

"The voter is telling us, I didn't change my registration ten days before an election, I've been a Republican for, you know, twenty five years. Why would I do that?" Hestrin said. "So it didn't seem likely that this was voter confusion."

California Secretary of State Alex Padilla says the D.A. is mistaken and the voter registration problems in Riverside County were a result of human error. In response to questions from NPR about the incident, Padilla said there is no convincing evidence that Russia, or anyone else, changed voter information in Riverside County.

Since then, he added, the state has done a lot to protect online voter registrations. For example, California started capturing IP addresses in February 2017, about six months after the Riverside event, and the state has since put in place network safeguards, firewalls, and system monitoring.

The RiskIQ-Northrop Grumman report also found that dozens of counties in Florida had voter registration websites that had lots of similarities to those in Riverside County in 2016. Those websites have since migrated to a new operating system that isn't vulnerable to the same attack, but the report concluded that in order to make sure they weren't hacked before the migration, their websites need to be checked for vulnerabilities that might have slipped in before they moved. (The report names 69 counties in both Florida and California that might be vulnerable to attack, but NPR is not naming them.)

The report also raises the concern that these Florida counties could potentially be even more vulnerable than Riverside County was four years ago because they all share the same website management system. So if a hacker is inside one website he or she could have access to all the others too.

This past May, the FBI briefed Florida lawmakers on which of their 67 counties were successfully breached back in 2016. The officials were not allowed to divulge what they had learned, but they stressed that there was no evidence that cyberattacks changed any votes. They confirmed that Russian hackers would have been able to change voter registration data if they had wanted to. There was no evidence, they said, that the hackers did so.

Getting loud

"I think [Riverside] is one of the most unheralded incidents of 2016," said Ryan Munsch, a solutions architect at RiskIQ who tracks election systems and possible vulnerabilities. He decided not to speak about the substance of the report but agreed to talk about Riverside County, which is public. "There is what we call proof of concept in which you wouldn't gain a whole lot of attention, which was the case in Riverside, and you conduct an exercise that proves you can do something that, if necessary, can be done at a larger and broader scale."

Just a month after the Riverside incident, the Illinois State Board of Elections found intruders inside its voter-registration website. Someone had been probing their voter rolls and was downloading voter information. Officials only discovered the breach after the intruder was inside and accidentally crashed a server. Intelligence officials later confirmed publicly that they had traced the breach to Russian hackers.

"The actors got loud and essentially shut down the voter registration database, and that called attention to the problem," said Neil Jenkins, who served as DHS' election security coordinator in 2016 and is now chief analytic officer at the Cyber Threat Alliance. "And there's been a bit of a conversation about why those actors, who we now know were Russian hackers, why were they so loud? Were they loud because they made a mistake, or were they loud because they were trying to draw attention to their presence there?"

DHS has been worried enough about voter registration websites that it hired the RAND Corporation to assess vulnerabilities. RAND found, among other things, that state and local registration websites could be locked by hackers looking for money or manipulated by bad actors wanting to rattle the election. Jenkins said DHS officials continue to be concerned that suspicious incidents they saw back in 2016 were a dry run for something more sophisticated in 2020.

Too close to the election

The RiskIQ/Northrop Grumman report looked at the websites' vulnerability to a particular kind of hack, something called a Padding Oracle Exploit, or POE. It was popular with hackers over a decade ago and is used to decrypt encrypted information.

One of the concerns laid out in the report is that bad actors could use a POE to decrypt credentials to give themselves administrator access to the voter registration website. Armed with this type of access they could potentially plant malware, change code, and even insert errors into the data.

DHS, for its part, said it found the report "misleading" and pointed out that the report itself said that websites in Florida were probably protected from the hack because they had migrated to a newer operating system. The report also said, however, that the websites could have been compromised before the migration happened. The last voter website to migrate to a new operating system did so in 2019. The report suggests DHS do an audit of the Florida voter registration websites to make sure some vulnerability didn't accidentally slip in.

Jenkins said DHS officials might also be hesitant to address details of the report or contact local officials about its findings because they haven't seen any indication that this hack is imminent, and, as a general matter, local officials are unlikely to patch their systems against a possible vulnerability this close to the election.

"Amazon probably doesn't make a lot of changes to its infrastructure just before Prime Day because they've got something big coming up," Jenkins said. "Target doesn't patch a lot of vulnerabilities the day before Black Friday because they know operationally the website has to be up and running."

The last thing election officials would want to do just weeks before their big day, he said, is to patch a website against a vulnerability that might not be severe and then find themselves watching helplessly when the patch makes their website crash.

Copyright 2020 NPR. To see more, visit https://www.npr.org.

<div>Correction</div>

An earlier version of this story misspelled Director of National Intelligence John Ratcliffe's name as John Radcliffe.