Election securityDefending the 2020 Election against Hacking: 5 Questions Answered

By Douglas W. Jones

Published 14 September 2020

Journalist Bob Woodward reports in his new book, Rage, that the NSA and CIA have classified evidence that the Russian intelligence services placed malware in the election registration systems of at least two Florida counties in 2016, and that the malware was sophisticated and could erase voters. This appears to confirm earlier reports. Meanwhile, Russian intelligence agents and other foreign players are already at work interfering in the 2020 presidential election. Douglas W. Jones, a computer science professor and author of Broken Ballots: Will Your Vote Count?, writes that the list of things keeping him awake at night about the November election is long – violence; refusal to accept results if the in-person and mail-in votes differ; machine malfunction; human error, and more – but when you “add in the possibility of hacked central tabulating software in key counties, and there’s plenty to lose sleep over.”

Editor’s note: Journalist Bob Woodward reports in his new book, Rage, that the NSA and CIA have classified evidence that the Russian intelligence services placed malware in the election registration systems of at least two Florida counties in 2016, and that the malware was sophisticated and could erase voters. This appears to confirm earlier reports. Meanwhile, Russian intelligence agents and other foreign players are already at work interfering in the 2020 presidential election. Douglas W. Jones, Associate Professor of Computer Science at the University of Iowa and coauthor of the book Broken Ballots: Will Your Vote Count?, describes the vulnerabilities of the U.S. election system in light of this news.

1. Though Woodward reports there was no evidence the election registration system malware had been activated, this sounds scary. Should people be worried?
Yes, we should be worried. Four years ago, Russia managed to penetrate systems in several states but there’s no evidence that they “pulled the trigger” to take advantage of their penetration. One possibility is that they simply saw no need, having successfully “hacked the electorate” by damaging Hillary Clinton’s candidacy through selective dumps of hacked documents on Wikileaks.

We know that VR Systems, a contractor that worked for several Florida counties, was hacked, and we know that there were serious problems in Durham County, North Carolina, during the 2016 election, including software glitches that caused poll workers to turn away voters during parts of Election Day. Durham county was also a VR Systems customer.

I know of no post-election investigation of the problems in Durham County that was conducted with sufficient depth to assure me that Russia was not involved. It remains possible that they did pull the trigger on that county, but it is also possible that the problems there were entirely the result of “normal incompetence.”

2. How does this change what we knew previously about Russian efforts to hack U.S. election systems?
The specific counties compromised in Florida were never officially revealed. Previous leaks indicated that Washington County was one of them. Now we know that St. Lucie was the other.