States are working to strengthen the most public and vulnerable parts of their electoral systems: the websites that publish voting results.
NBC News spoke with top cybersecurity officials at four state election offices, as well as the head of a company that operates such services for six states, about how they keep the sites secure. Everyone agreed that while there was no real threat that hackers could alter a final vote count, a successful cyberattack would damage public confidence if hackers were able to breach the websites showing preliminary vote totals.
“Election night reporting sites are very, very ripe for a perception hack because they are so visible,” said Eddie Perez, a board member of the OSET Institute, a nonpartisan, nonprofit organization that advocates for election security and integrity.
The effort required is because it is relatively easy to take a website offline and damage it with simple cyber attacks. Vince Hoang, Hawaii’s chief information security officer, knows that he recently faced such an attack. Last month, a hacker group called Killnet, which presents itself as a small group of pro-Russian hacktivists, announced plans to attack US state government websites and air travel websites.
While there’s no evidence that Killnet stole data or altered files, it was able to temporarily prevent some states’ sites from loading for hours with a series of distributed denial of service or DDoS attacks, straight-up cyber-attacks that flooded websites. with traffic. One of the victims last month was Hawaii.gov, which also hosts the state’s election night reporting. Although Hawaii uses Cloudflare, one of the best DDoS protection services, Killnet was able to make Hawaii.gov inaccessible for several hours.
Hoang said it was a blessing in disguise.
“We are now better prepared than if this event had not happened,” he said. “Our team has learned a lot.”
There is virtually no chance that foreign hackers will be able to change the election results next week, thanks in large part to the way the US voting system works. Most voting devices are not connected to the internet and each state holds its own elections, meaning hackers must target thousands of individual election systems to wreak widespread havoc.
But with false claims of voter fraud now commonplace and public confidence in the voting system dwindling (a recent NBC News poll found that about a third of U.S. voters don’t accept the legitimacy of the 2020 presidential election), election officials are particularly concerned. become. sensitive to the psychological side of elections.
That means avoiding even hackers’ perception of changing votes, which makes election results websites all the more important.
“If something were to go wrong, it could certainly start with a time-consuming series of events at best,” Perez said. “In this environment, that’s a big vacuum that definitely invites all kinds of viral and baseless speculation that can really affect people’s confidence.”
There is no formal accounting of which states use which types of cybersecurity programs. Major tech companies such as Cloudflare, Microsoft and Google subsidiary Jigsaw offer free versions of their products to protect election websites from DDoSes and breaches and to protect campaigns from threats such as hackers targeting their email networks. Cloudflare, which specializes in tactics such as absorbing a large portion of a customer’s web traffic when it is exceeded, offers free DDoS protection services. They are used in 31 states, a spokesman said.
States have options for assistance in mitigating DDoS attacks. The EI-ISAC, a Department of Homeland Security-funded nonprofit that coordinates potential cyber threat intelligence among election workers, has more than 3,500 participating members, most of them state and local election offices, a spokesman said.
EI-ISAC offers members free copies of CrowdStrike cybersecurity software, said Trevor Timmons, the chairman of the EI-ISAC executive committee.
Election results posted on websites are not official. They update in real time as the votes come in after the polls close, and nothing is final until the votes are certified by counties or districts, which usually takes at least a few days. But they’re the closest thing to authoritative real-time results, and they’re instrumental to how the media and the public understand how races go.
Historically, election results websites have been a ripe target for malicious hackers looking to cause chaos. In 2014, hackers later identified when working for Russian intelligence broke into Ukraine’s Central Election Commission a few days before the country’s presidential election.
While the hackers did not change votes, they were able to prevent election officials from updating the results in the hours after the polls closed and created a temporary fake page on the election commission’s website to make it appear that Dmytro Yarosh, a fringe pro-Russian candidate, was winning. He has less than 1% of the vote.
Some US officials stressed that even accurate results on websites should be considered for what they are: preliminary indications of election results.
“Anything is possible when it comes to those web results: a weird upload, a bad upload,” said Dave Tackett, the chief information officer of the West Virginia Secretary of State. “The truth is in the courthouse, on paper, from a disconnected machine.”