Yesterday, DHS informed the states that had their registration databases targeted by Russian hackers last year. There has been an outright panic about the news since states started revealing they got notice, so I thought it worthwhile to describe what we should take away from the notice and subsequent reporting:
- “Most” of the 21 targeted states were not successfully hacked
- Some targeted states were successfully hacked
- Not all swing states were targeted, not all targeted states are swing states
- These hacks generally do not involve vote tallying
- These hacks do not involve hacking voting machines
- These hacks do not involve other voter suppression methods — whether by GOP or Russians
- Notice needs to improve
The AP has done good work tracking down which states got notice they were targeted, identifying the 21 targeted states. Those targeted states were:
- Alabama
- Alaska
- Arizona
- California
- Colorado
- Connecticut
- Delaware
- Florida
- Illinois
- Iowa
- Maryland
- Minnesota
- North Dakota
- Ohio
- Oklahoma
- Oregon
- Pennsylvania
- Texas
- Virginia
- Washington
- Wisconsin
“Most” of the 21 targeted states were not successfully hacked
This list of 21 states does not mean that Russians successfully hacked 21 states. All it means is Russians probed 21 states. And the AP says “most” were not successful. WI, WA, and MN have said the attacks on them were not successful.
Thus, for “most” of these states, the impact is the same as the reports that Russians were attempting, unsuccessfully, to phish engineers in the energy industry: it is cause for concern, but unless new intelligence becomes available, it means that for those “most” states these probes could not affect the election.
Some targeted states were successfully probed
Of course, by saying that “most” attacks were not successful, you’re admitting that “some” were. We only know IL and AZ to have successfully been breached.
This means this story may not be done yet: reporters, especially state based ones, are going to have to get their voting officials to provide details about the attacks and it may take some FOIA work.
Mind you, a successful hack still doesn’t mean that the election was affected (as I believe to be the understanding with respect to AZ, though there is more dispute about IL). It might be that the hackers just succeeded in getting into the database. It may be that they succeeded only in downloading the voter registration database — which in many states, is readily available, and which is nowhere near the most interesting available data for targeting in any case.
In my opinion, the most effective way to affect the outcome of the election via voter registration databases is not to download and use it for targeting, but instead, to alter the database, selectively eliminating or voiding the registration of voters in targeted precincts (which of course means the hackers would need to come in with some notion of targets). Even changing addresses would have the effect of creating lines at the polls.
Altering the database would have the same effect as an existing GOP tactic does. In many states, GOP secretaries of state very aggressively purge infrequent voters. Particularly for transient voters (especially students, but poorer voters are also more likely to move from year to year), a voter may not get notice they’ve been purged. This has the effect of ensuring that the purged voter cannot vote, and also has the effect of slowing the voting process for voters who are registered. In other words, that’s the big risk here — that hackers will do things to make it impossible for some voters to vote, and harder for others to do so.
Not all swing states were targeted, not all targeted states are swing states
The list of targeted states is very curious. Some targeted states are obvious swing states — WI, PA, FL, and VA were four of the five states where the election was decided. But MI is not on there, and NC, another close state, is not either.
In addition, a lot of these states are solidly red, like AL and OK. A lot of them are equally solidly blue, like CA and CT. So if the Russians had a grand scheme here, it was not (just) to flip swing states.
These hacks generally do not involve vote tallying
DHS has said that these hacks do not involve vote tallying. That means these disclosed probes, even assuming they were successful, are not going to explain what may seem to be abnormalities in particular states’ tallies.
These hacks do not involve hacking voting machines
Nor do these hacks involve hacking voting machines (which is covered, in any case, by the denial that it involves vote tallying).
Yes, voting machines are incredibly vulnerable. Yes, it would be child’s play for a hacker — Russian or American — to hack individual voting machines. With limited exceptions, there been no real assessment of whether individual machines got hacked (though it’d generally be easier to affect a local race that way than the presidential).
These hacks do not involve other voter suppression methods — whether by GOP or Russians
This list of 21 targeted states does not represent the known universe of Russian voting-related hacking.
It does not, for example, include the targeting of voting infrastructure contractors, such as VR Systems (which Reality Winner faces prison for disclosing). There’s good reason to at least suspect that the VR Systems hack may have affected NC’s outcome by causing the most Democratic counties to shift to paper voting books, resulting in confusion and delays in those counties that didn’t exist in more Republican ones.
And they don’t include any Russian social media-related support or suppression, which we’re getting closer to having proof of right now.
Importantly, don’t forget that we know Republicans were engaging in all these techniques as well, with far better funding. Russians didn’t need to hack WI and NC given how much organized suppression of voters of color took place. Republican secretaries of state had the power to purge voters on trumped up excuses without engaging in any hacking.
Do not let the focus on Russian tampering distract from the far more effective Republican suppression.
Notice needs to be improved
Finally, the other big story about this is that some states only got notice they were targeted yesterday, some even after having partnered with DHS to assess their voting infrastructure.
DHS has used classification, in part, to justify this silence, which is an issue the Intelligence Committees are trying to address in next year’s authorization. But that’s particularly hard to justify that many of these same states have run elections since.
Mind you, we’re likely to see this debate move to the next level — to demanding that state officials disclose full details about their state’s infrastructure to citizens.
In any case, if we’re to be able to use democratic pressure to ensure the infrastructure of democracy gets better protected, we’re going to need more notice.