Credit: justgrimes/Flickr.com

U.S. security experts now believe Russia was behind a recent hack of the Democratic National Committee’s email servers. The cache, first published by WikiLeaks, shed light on the committee’s attempts to sabotage Sen. Bernie Sanders’ campaign – and ultimately led to the resignation of committee Chairwoman Debbie Wasserman Schultz.

Donald Trump then upped the ante by suggesting that Russia go a step further. “Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing,” he said Tuesday, referring to the investigation into Hillary Clinton’s emails. He also took the battle to Twitter:

https://twitter.com/realDonaldTrump/status/758335147183788032

The hack didn’t just create chaos for both parties. It also shows what another country can do if it wants to mess with our elections. If a foreign power could gain access to one party’s email servers, how easily might it influence the voting process itself?

The answer, according to cybersecurity experts, is very easily.

A key vulnerability is internet voting, which has gained popularity in recent years with promises to increase convenience and turnout. Despite a steady stream of warnings, more and more states are allowing citizens to cast their ballots online. Alaska, Arizona, North Dakota, Missouri and Alabama employ internet portals, and 20 others allow email or fax, according to Verified Voting, a nonprofit that promotes election transparency. But experts say it’s essentially impossible to safeguard votes cast over email because there are so many different points of vulnerability along the way.

To make matters worse, election officials might not recognize fraud, even if it’s sitting right in front of them.

“The systems that support voting are very low-budget and in general run by people who are not that technically sophisticated,” said Bruce McConnell, the Department of Homeland Security’s former deputy under secretary for cybersecurity. “They’re much more vulnerable by nature than systems run by banks or big retailers.”

In March, Utah’s Republican Party launched the U.S.’s first-ever internet primary, despite warnings from a state-appointed advisory committee that the “benefits are not yet proven and are susceptible to risk.” The Washington Post reported that many voters encountered technical problems – and that nearly a quarter of those who applied to vote online were rejected. Meanwhile, some privacy experts maintain that there’s no way to know for sure whether the votes that made it through were compromised.

Internet voting in the U.S. is relatively new, but other countries have been at it for years. No nation is more reliant on internet voting than Estonia, which has far more security procedures (including government-issued ID cards) than the U.S. Yet a recent security analysis conducted by a team from the University of Michigan found “serious architectural limitations and procedural gaps that could potentially jeopardize the integrity of elections” in the country.

When the team recommended, in 2014, that Estonia discontinue its use of internet voting, the country’s president replied aggressively, hinting that the researchers had been bought off by a rival political party. Some politicians in the country have also called for an end to the system.

Estonia could serve as a warning to the U.S. In April 2007, it suffered a massive, multi-pronged digital attack on its government, media and banks – an offensive Wired nicknamed “Web War one.” Estonian officials accused Russia of launching the attack as retaliation for the removal of a Soviet-era statue in the nation’s capital. The Kremlin, for its part, denied the charge.    

“There’s a lot of interest and a lot more to be gained – particularly by state actors in disrupting elections,” McConnell said. The attack on the Democratic National Committee’s email servers – and, more recently, on its voicemail inboxes – could have been a warning shot of sorts.

The real cannon blasts could come in November.

“​While the DNC hack was not a hack of a voting system,” McConnell said via email, “the attack reminds us that almost all systems connected to the internet are vulnerable to a skillful attacker. Voting systems are too important, and too poorly protected, to connect them directly to the internet at this time.”

Byard Duncan can be reached at bduncan@cironline.org. Follow him on Twitter: @ByardDuncan.

Byard Duncan is a reporter and producer for  engagement and collaborations for Reveal. He manages Reveal’s Reporting Networks, which provide more than 1,000 local journalists across the U.S. with resources and training to continue Reveal investigations in their communities. He also helps lead audience engagement initiatives around Reveal’s stories and assists local reporters in elevating their work to a national platform. In addition to Reveal, Duncan’s work has appeared in GQ, Esquire, The California Sunday Magazine and Columbia Journalism Review, among other outlets. He was part of Reveal’s Behind the Smiles project team, which was named a Pulitzer Prize finalist in 2019. He is the recipient of two Edward R. Murrow Awards, a National Headliner Award, an Al Neuharth Innovation in Investigative Journalism Award, and two first-place awards for feature storytelling from the Society of Professional Journalists and Best of the West. Duncan is based in Reveal's Emeryville, California, office.