Russian hackers

Why the latest NSA leak didn’t make a dent

Russia hacking U.S. election infrastructure seems like it would be a big deal.

Russian hackers

A leaked NSA document says Russia hacked U.S. voter systems

Why didn’t anyone care?
Russian hackers

Why the latest NSA leak didn’t make a dent

Russia hacking U.S. election infrastructure seems like it would be a big deal.

On Monday, The Intercept published what at first appeared to be a pretty big scoop: An analysis by the National Security Agency obtained by the site said that hackers working for Russian military intelligence attacked at least one voting software vendor and targeted more than 100 election officials just days before the U.S. election.

This document is the “most detailed U.S. government account of Russian interference in the election that has yet come to light,” The Intercept wrote. It’s also the first evidence that Russia targeted American voting infrastructure in addition to going after candidates and their campaigns. So why did the revelation fail to make a splash?

The first and obvious answer is that the story of Russian hacking was immediately overshadowed by news that the leaker, a 25-year-old contractor named Reality Winner who worked for Pluribus International, had been arrested. If Edward Snowden’s identity had been revealed on the same day as his revelations about domestic surveillance, rather than four days later, that story might have been overshadowed too.

The second answer is that the scoop didn’t really amount to much. The vulnerabilities that the hackers exploited were already known; computer security researchers described a similar scenario in a talk at the Chaos Communication Congress (CCC) conference in December.

The report also says that Russians targeted voter data, but did not compromise any voting machines. That means any manipulation would have to be indirect. “Hackers could produce confusion, making it difficult for voter names to be verified,” Leonid Bershidsky wrote for Bloomberg View. “They could even enable ineligible people to vote — but for such a ploy to work, there would need to be large numbers of such ineligible people available for a massive fraud operation on voting day.”

“Far be it from me to try to understand why Russia does what it does.”

Based on audits of voting results in Michigan and Wisconsin, two of the three states that would have swung the election, the result was not affected by any Russian hacking, said Matt Bernhard, a computer science PhD candidate at the University of Michigan and one of the security researchers who presented the attack scenario at CCC.

“GRU could have just been bored, they could have been piloting hacks for future efforts, it may have been an effort to destroy confidence in the elections,” he said. “Far be it from me to try to understand why Russia does what it does.”

There is also skepticism that the NSA was able to successfully attribute the attack to the Russian government rather than independent Russian hackers. “If those names were actual people or known GRU units, then this report could have been explosive,” cybersecurity consultant Jeffrey Carr wrote on Facebook. “If, on the other hand, those names are the same ones that we are already familiar with, such as APT28, Fancy Bear, Strontium, Sofacy, etc., then this report is just a classified rehash of private sector guesswork.”

The report does affirm what we already knew: The U.S. election system is highly vulnerable to cyberattack, both on a technical level and through targeting of election workers. We are essentially protected by the chaos caused by the patchwork of different voting machines, software, and methods used in different precincts. The Electoral College system also complicates things, because attackers would need to know exactly which precincts in which state to target.

That does not mean it’s impossible to change voting results. “I managed to purchase enough material from Election Source to essentially drop off a bunch of fake ballots on election day and swing a precinct,” Bernhard told me. Election Source is a private company that provides voting machines and other products and election services to precincts in Michigan and other states.

There is some movement toward more secure systems. Travis County, Texas, worked with academics to design a new $10 million system with auditability, encryption, and voter authentication in mind.

But for now, the threat is too hypothetical, and the responsible parties too distributed, to spur much action.

“I think this report [from The Intercept] is really interesting, but I find it in no way surprising,” Bernhard said. “It's another excellent case study of how inadequate our election system security is, and a stark reminder that we have to do better if we want to preserve democracy.”

Unfortunately, the U.S. may need a more drastic reminder before the public starts paying attention.

Kremlin hackers

It would be very, very hard for Russia to hack the U.S. vote

Our chaotic system makes this kind of hack next to impossible — but we should still #AuditTheVote.
Read More