(CNN) So Russia hacked us. What's next?
Russian hackers targeted voting systems in 39 states in the summer and fall of 2016, according to Bloomberg. This comes on the heels of a leaked National Security Agency document revealing details of a Russian hacking operation against US election systems -- news which was quickly eclipsed by the highly anticipated testimony of fired FBI Director James Comey and the UK election. But the Russian activity should have served as a loud wake-up call to anyone concerned about US election security. With the 2018 elections just around the corner, we can't afford for these urgent lessons to be lost in the din of this news cycle.
Remember, elections in the US are quirky and decentralized. With more than 9,000 voting jurisdictions and a patchwork of authority and procedures, the people who end up having the most control over election security are state and local officials.
It looks like the Russian government figured that out, too.
Here's about all of what we know for sure: According to the leaked NSA report, Russian hackers specifically targeted local election officials in the days leading up to the 2016 election. How? By compromising one of the many vendors local elections officials rely on to help with the massive task of running elections. It appears that Russian agents sent spear-phishing emails to employees of the Florida-based e-voting equipment vendor, VR Systems. They tricked employees into giving up their login credentials. From there, Russian hackers were able to steal materials they could use to help send convincing fake emails to local election officials that are used to receiving communication from VR. As the Intercept reports, the NSA document shows that in the days leading up to the election, Russian hackers "sent spear-phishing emails to 122 email addresses 'associated with named local government organizations,' probably to officials 'involved in the management of voter registration systems.'" These emails contained Microsoft Word attachments that, if clicked on, would likely install malware onto the user's computer.
How bad is this? On the one hand, it could be worse. VR Systems, the compromised vendor, runs voter registration and voter roll verification systems, not actual voting machines. On the other hand, compromising a trusted third-party vendor could allow a malicious actor to more easily compromise elections officials who do actually program voting machines and tabulators. And, even compromising voter rolls or registration can do a lot of damage, considering one could strategically remove certain voters from logs.
To complicate matters, state officials are left in an awkward position. An important part of their job is to keep public faith in election results to preserve political stability. But, in order to motivate their state legislatures into action (for appropriating funds for new machines and other reforms) they need to be able to convey the seriousness and specificity of the threat. It's a fine line to walk.
Right after the NSA leak, Senate intelligence committee ranking member Sen. Mark Warner said of Russian penetration that "the extent of the attacks is much broader than has been reported so far" and that several states had been targeted.
Our voting systems clearly face serious threat. With the 2018 election rapidly approaching, there's no time to waste.
Here are four things we should do right now:
Thankfully, the vast majority of votes cast in the 2016 election left some kind of a paper trail. But according to data from Verified Voting, a nonprofit that promotes election accuracy and transparency, five states -- New Jersey, Delaware, Louisiana, South Carolina, and Georgia -- still use electronic voting machines with no paper trail statewide. In Georgia, this resulted in unverifiable election results, most recently in an April 2017 special election, which was preceded by breaches at a center responsible for election integrity and security, and the physical theft of sensitive voting equipment. By 2018, we must ensure that every vote cast has a paper trail.
It's not enough to have a paper trail. You have to use it. If someone did manage to alter the electronic vote record by hacking a voting machine, our best first chance to discover that would be a post-election audit that compares the electronic vote tally to the paper tally. You do not have to count every paper ballot in order to do this. The audit methods have gotten very sophisticated over the past decade, and we know how to compare a statistically significant percentage of paper ballots with electronic votes in order to achieve a very high degree of certainty that the electronic vote was not tampered with. Unfortunately, though many states do compare electronic and paper tallies, not all states conduct these audits, and some conduct audits of subpar quality. Post-election audits should conform to the highest statistical standards, and should be mandatory.
As a 2015 Brennan Center report details, 42 states used machines in the 2016 election that were at least 10 years old, nearing the end of their expected lifespans. Old machines are dangerous for many reasons; they simply malfunction more often, and they sometimes depend on hardware that is so old that replacements are no longer being manufactured. Also, the longer machines have been in the field, the more time someone may have had to figure out how to compromise them. As security practices improve over time, out-of-date machines are increasingly vulnerable.
A major challenge with replacing old voting machines, as the Brennan Center report concludes, is that no level of government assumes it is their responsibility to pay for new voting machines. The last round of funding for new machines came in 2002 from the federal government with the Help America Vote Act (HAVA). But most experts agree there is likely no new federal money in the pipeline, so state legislatures need to bite the bullet and find the money to avoid voting machine crisis, and their citizens need to demand that they do.
State and local officials need support for the important responsibilities they have, from appropriating and certifying new machines to protecting voter registration databases. There are groups well-positioned to provide that support. The Election Assistance Commission (EAC), for example, was created in 2002, but has only been functioning with full force since 2014. The EAC publishes voluntary guidelines that are thorough and technical, and that many state and local officials find invaluable. It does not have regulatory power, but that doesn't stop it from being effective. Unfortunately, the EAC is under repeated threat of defunding from House Republicans who claim it has "outlived its usefulness and purpose." Just because the EAC can't regulate, doesn't mean it can't do enormous good. We need to protect its function and funding.
There's more work to be done beyond these four steps to address our election security long term. We need to devote serious attention to the next generation of voting technology, as well as the separate but urgent issue of disinformation campaigns. But if we start now with these steps, we could be ready for 2018. And if we don't, well, we can't say we weren't warned.