The first Americans to line up to vote on Nov. 6, 2018, will be the East Coast’s earliest risers. As early as 5 a.m. EST, rubbing the sleep from their eyes and clutching travel thermoses of coffee, they will start the procession of perhaps 90 million Americans to vote that day. The last to cast ballots will be Hawaiians, who will do so until 11 p.m. East Coast time. When all is said and done, the federal election will unfold something like an 18-hour-long ballet of democracy: 50 states, dozens of different kinds of voting machines and an expectation that everything should be counted up in time for TV networks to broadcast the results before Americans head to bed. Election Day 2018 is expected to unfold no differently than it has in years past.
Except it might.
While Americans are well-acquainted with Russian online trolls’ 2016 disinformation campaign, there’s a more insidious threat of Russian interference in the coming midterms. The Russians could hack our very election infrastructure, disenfranchising Americans and even altering the vote outcome in key states or districts. Election security experts have warned of it, but state election officials have largely played it down for fear of spooking the public. We still might not know the extent to which state election infrastructure was compromised in 2016, nor how compromised it will be in 2018.
Most of us can’t really picture what it would look like to tamper with an election, but security experts can. Even as you read this, voting systems, so dry and complicated and completely taken for granted, could well be in the midst of fending off attacks from foreign adversaries. Things could get bad — really bad. Bad like this:
The following is a rendering of what a worst-case Election Day scenario could look like, based on FiveThirtyEight’s interviews with voting and cybersecurity experts and state election officials, along with news reports and documents in the public record.
DATE Nov. 6, 2018 TIME 6 a.m. EST LOCATION Moscow
It’s midafternoon in Moscow when voting starts. Igor Valentinovich Korobov, head of Russia’s military intelligence directorate, GRU, is settling in for a long day. From GRU headquarters — a steely gray, sleekly foreboding building — he’s monitoring his hacking units. Western cybersecurity firms call them “advanced persistent threat” (APT) groups, a nod to their sustained, targeted efforts in wreaking mayhem. You may have heard the name of one of them: Fancy Bear. Ever since the summer, when President Vladimir Putin handed down the general directive to pursue further cyberattacks on the U.S. elections, Korobov and his team have been in brisk competition with the spooks over at the FSB — Cozy Bear, etc. — to see who can sow the most mischief.
Ivan and Alexei are two hackers with Korobov’s APT groups, or “science squadrons,” which the Russian military started building out in recent years. Ivan, moon-faced with a mop of blonde hair, was a talented computer programmer in university and came to the unit after a professor suggested he talk to the government about a job. Alexei was recruited as well, but from one of the big crime syndicates. A lanky quiet guy, he spends his breaks outside, smoking. The only time Ivan has heard Alexei talk much was at a bar, a few drinks deep, when he went on about the part he played in the big Target hack a few years back. Alexei was friendlier when he was drunk, giving Ivan advice like, “Don’t go on vacation with your girl to any country with a U.S. extradition treaty.” A couple of buddies learned that lesson the hard way. And Prague just isn’t worth the trouble.
At 8 a.m. EST on the big day, Ivan is locked into his chair, ready to watch his work from the past few months unfold: If all goes according to plan, he’s about to wreak havoc on a few hundred polling places around the country. Most U.S. states have online voter registration systems, and they’re decently vulnerable — the science squadrons broke into the Illinois system back in 2016. Since then, the American government has gotten more alarmed about security. In January 2017, one of the last acts of Jeh Johnson, President Obama’s head of the Department of Homeland Security, was to designate election infrastructure as “critical,” making way for swifter cyber help from DHS for states in need.
But in February 2018, Adm. Mike Rogers, the head of the National Security Agency and Cyber Command, told the Senate Armed Services Committee that he had not been instructed by President Trump or Defense Secretary James Mattis to go after Russian hackers at their point of origin. “Everything, both as the director of the NSA and what I see on the Cyber Command side, leads me to believe that if we don’t change the dynamic here, this is going to continue, and 2016 won’t be viewed as something isolated,” Rogers said.
A few months ago, once Ivan got inside a few of the state systems, he was able to change information on certain voter files, so when the American voters show up in person today, their information won’t match their IDs. He mostly focused on screwing with the records of places with a lot of Democratic voters, places dominated by black and Latino people. (He Googled a lot about Florida while hacking its system and decided that if he ever visits the U.S., he’ll definitely be hitting Miami first.) Putin isn’t keen on Democrats taking back control of Congress. In fact, the whole military intelligence crew has focused on certain races where they think they can swing the balance toward Republican candidates. Back in 2016, the hacking groups probed 21 states’ election systems, poking around with phishing scams directed at local officials and attacks like the successful breach in Illinois. The 2016 work had given the team the grist it needed for its 2018 work.
Ivan is eyeing Ohio, North Dakota, Arizona and Florida, where Senate elections are predicted to be relatively close — plus they’ve all been targeted already by the science squadrons. Then there are the 24 House seats deemed toss-ups, 17 in states whose election systems have already been targeted. One Republican who’s in a California toss-up race was even seen as a potential recruit at one point in time. The intelligence guys down the hall are getting better at following American politics chatter on Twitter, keeping tabs on the candidate ups and downs. (They think the new 280-character capacity makes for duller scrolling.) Ivan just takes their directives about where to target, plugging and chugging, dreaming of a post-November trip to somewhere warm and extradition treaty-free.
DATE Nov. 6, 2018 TIME 10 a.m. EST LOCATION Broward County, Florida
Eight time zones away, Brooke Mitchell is sipping a midmorning skinny vanilla latte, her winter drink — though it’s Florida, so the whole Nov. 1 switch from iced macchiatos is purely symbolic. It’s been her first quiet moment of the day; Broward County election workers are used to Election Day mania ever since the 2000 nightmare. And then there was all that Russian nonsense in 2016.
The shrill of the phone breaks Brooke’s caffeine reverie. It’s one of her poll workers in Fort Lauderdale. They’re getting an awful lot of mismatched voter records — could something be wrong? Another call, five minutes later, from Judy what’s-her-face (terrible lip injections) in Miami-Dade County. Is Broward having any hiccups with registration checks? There are apparently tons of people in Miami who are positive they’re registered to vote but whose names don’t show up in the system or whose information looks very different from their IDs.
Brooke hangs up, absentmindedly smoothing the Palm Beach print of her Lilly Pulitzer as she slides into her chair: Could this be the beginning of a very long, terrible day? Has the curse of Katherine Harris come to haunt her?
DATE Nov. 6, 2018 TIME 11 a.m. EST LOCATION Moscow
While Ivan keeps tabs on his voter rolls, Alexei is walking the highest wire on the squadron. He’s been tasked with the hack his superiors have eyed with the most glee: infiltrating voting machine software. It’s been a long-term project — one of those career make-or-breakers — and he’s a little sick of having Korobov on his ass all the time. But if everything works out today, the guff he’s been getting from the general will be worth it.
He checks his watch, a nice one, a remnant of his days in the private sector. Patek Philippe, vintage. It’ll be midmorning now in Wisconsin, Pennsylvania, West Virginia and Indiana. A few weeks back, he successfully laid some foundational work with a little phishing scheme targeting state election officials, a project that could turn into something big. Electronic voting machine ballots are drawn up on a computer, typically either by county officials or outside vendors paid by a county. The machine on which a ballot is drawn up isn’t supposed to be connected to the internet, and things like memory sticks that need to be inserted into the ballot-making machine should never have been used on a computer touching the internet. But if malware does get on a ballot-making computer — perhaps because an election official clicks on a phishing link — that could spell trouble. There’s a chance the malware could be transferred to the voting machine when the ballot is uploaded.
This means there’s the potential for Alexei to change actual votes. A couple of the officials fell for the phishing scheme trap. Now, it’s only a matter of waiting to see if things have shaken out for him. Alexei clicks over to another tab and checks his Ethereum price.
DATE Nov. 6, 2018 TIME 1 p.m. EST LOCATION Washington, D.C.
John Bresnehan finally sets down the dumbbells and takes a break on the bench. The kids at the office gym all wear so much gear and spandex, he thinks, glancing down at the old rugby socks that have drooped down around his ankles. Twenty-five years in counterintelligence have taught him that nothing quells the nerves like a lunchtime run and lift, but today feels different. The pit in his stomach is still there. Ever since the 2016 Russian attacks on state systems, he’s been dreading when the next shoe would drop. The public doesn’t fully grasp the extent of the potential compromise. Today could be the day they do. John was one of the federal officials who met with all those worried bureaucrats, answered their questions about the hacks, assured them that the system flaws were fixed. But what if there’s something they weren’t seeing?
What happened in Illinois had him anxious. It was like the hackers wanted someone to notice they were in the system — they had practically alerted IT themselves with the amount of noise they were making, bombarding the servers. Why? And why hadn’t John’s cyberforensics guys found any back door to the attack? Were the Russians still there, lying quietly hidden until the right moment? Were they going to launch a zero-day malware attack on Election Day?
John fiddles with the bulbous class ring on his finger. If the shit rolls downhill with an attack today, it’ll hit his house like a California mudslide. What he wouldn’t give for the Russian cyber talent, John thinks. All the millennial yuppie programmers here just go to Google and run marathons. “Fucking spandex,” he mutters as he heads for the showers.
DATE Nov. 6, 2018 TIME 2 p.m. EST LOCATION somewhere in Wisconsin
Bonnie Wainwright was the first sucker who clicked on Alexei’s phishing link. Sucker is a bit unkind, but Bonnie still isn’t all that savvy with email stuff. She’s been a Wisconsin county clerk for years, and she’s good at it: a great typist, good with people, all that stuff that used to matter. But she doesn’t eat, sleep and breathe the internet the way her grandkids do. Who has time for memes and all that?
She went to the internet security training in Madison, but Jesus, it was boring. Plus, the speaker was condescending, the kind of guy who used too much technical jargon and peered over his glasses, asking if the room, filled with gray hairs, was keeping up. Bonnie had spun an elaborately hateful narrative of his life while he talked: He stole from older relatives and only saw the sun between his car door and the door of the McDonald’s. (It would explain why his skin was a mess.) Still, she smiled at him on her way out after the two hours were up. Midwestern nice runs deep. But not a whole lot stuck from the training.
Which is why Bonnie hadn’t worried much about opening the Word document from the unfamiliar email address. It looked pretty similar to the ones she got from the voting machine and software guys — they were in touch a lot during election years. But the document hadn’t made sense to her, and she’d closed it and forgotten about it. She never notified an IT guy that something might be amiss.
Of course, the tech ignorance of Bonnie and other clerks is exactly the reason Alexei and the intel guys decided to target Wisconsin. The state’s system is, even by American standards, incredibly decentralized. The more election administrators in little towns and villages, the better; it meant more targets for phishing scams. Shooting phish in a barrel.
John Bresnehan knows all too well that there are hundreds of Bonnies around the country, running elections. And intelligence officials like John know that the Russians aren’t just targeting local officials but voting service providers as well — the vendors who make voting machines and software and who sometimes help municipalities or counties draw up their ballots. One attack on such a provider was already public — on VR Systems, which provides services like online voter registration platforms and electronic poll books to eight states — but there were more that they hadn’t revealed yet to the public, at least two.
These days, John was perpetually pissed at the Founding Fathers for giving so much power to the states. They just didn’t have the resources to make their systems secure and state-of-the-art. The U.S. Election Assistance Commission, the federal agency that was supposed to help with election security standards, had little power, and what’s worse, the EAC had itself been hacked after the 2016 election. Not exactly a ringing endorsement.
DATE Nov. 6, 2018 TIME 3 p.m. EST LOCATION Moscow
Alexei targeted Bonnie and a few other clerks whose towns use touch-screen voting machines. The Sequoia AVC Edge model is pretty common in the state and ripe for exploitation by a hacker, as is the AccuVote TSX, also still used in Wisconsin and 16 other states despite being judged a security risk in 2007 during a massive election security review in California. Alexei had seen a couple of machines in person. American voting machines are easy to buy on eBay, and agents on the ground in the U.S. could always steal a couple for the science squadrons back home if need be.
When Bonnie started drawing up the Nov. 6 ballot on her computer, Alexei knew he’d hit the jackpot. While a voting machine itself will never be connected to the internet, the touch-screen voting machines, as well as optical scan machines, all require programming that is done on other computers. Once inside Bonnie’s computer, Alexei could slip malware into the software that would eventually be transferred to the voting machine itself. It was pretty simple and something U.S. elections security experts had been warning about. American election board officials comforted the public that there were paper trails attached to most voting machines, a backup measure, in case something went wrong. But the truth was that lots of states never really counted the paper.
Alexei reeled in a few other fish, too. The bosses wanted to hit Indiana, West Virginia and Nevada, all states with close Senate races. They wouldn’t need too heavy a hand in these places — just a couple of tweaks here and there. He snagged some machine access in Pennsylvania, too. Korobov and the intel officers wanted access there for the same reason they wanted it in Wisconsin: The science squadrons needed to get ready for 2020 to ensure that these swing states went Republican again. Pennsylvania was a particular coup. Not only is it a swing state, but many of its counties use digital machines that don’t produce paper records — the vote tally is stored only in the machine. Since there’d be no paper record to compare to the digital one, the Americans would never even know Alexei had been in their systems.
DATE Nov. 6, 2018 TIME 4 p.m. EST LOCATION Florida
Brooke is positive that something is wrong. The lines are out the door in the heavily black and Latino districts all around Florida. The exchange network for state election officials is buzzing off the charts. It’s the same thing in Cuyahoga County, Ohio, where Democrats are hoping for a large turnout to buoy their Senate and gubernatorial candidates: People are being told they’re not properly registered.
The media has started to report on the chaos. The basic gist of the story is the widespread disenfranchisement of minority communities. Brooke’s daughter texts to tell her the news is trending on Twitter — voters are posting videos of the long lines. She turns on the TV and there’s heavy coverage there, too — apparently California and Arizona are seeing the same thing? Reporters are shoving microphones in front of local election officials who are skittish in front of the cameras. No answers right now as to what might be happening, please stay calm. It’s far from comforting.
The too-big-to-be-a-coincidence-ness of it all seems to be striking everyone over the head at the same time. It’s fury at first, at least on Brooke’s end of things. Then the sick feeling sets in — did the Russians just take us for a ride?
Brooke riffles through her bottom desk drawer. Emergency cigarette retrieved, she takes a drag, then picks up the phone receiver. “John Bresnehan, please.”
DATE Nov. 6, 2018 TIME 6 p.m. EST LOCATION Washington, D.C.
Brooke isn’t the first state official John has talked to. His specialists are all being dispatched to check out the problems, but the initial analyses by state IT teams seem to confirm his worst fears: The Russians got into many of the voter registration systems undetected. This is the zero-day attack he had feared. The White House says it is monitoring the situation, but Trump has yet to make a statement.
John never hears from Bonnie or the Wisconsin authorities — as far as they know, their Election Day was mercifully spared. There wasn’t a post-election audit of the paper ballots that suggested anything might have gone awry. Bonnie goes out for a tres cher dinner the next night with her husband to celebrate a job well done.
In Moscow, Ivan is tired but happy with the results, and his day is winding down with a couple of hours to go before the polls close. Not only were his hacks of online voter registrations a success, but the ensuing chaos — America is burning hot with indignation and accusations of disenfranchisement — has provided Alexei with the perfect cover for his work on the voting machines.
Putin’s preferred Senate candidates are all headed for wins in Nevada, West Virginia and Indiana thanks to the tweaks Alexei made to the voting machine software. Those results are far from the realm of the unexpected, which means they won’t arouse much suspicion. Plus, most of the public and governmental focus will be on the voter registration fiasco. Alexei makes plans to dial down his presence in Bonnie’s machine and those of all the other election clerks. He’s back to quiet mode, but he can’t wait to see what he can do in 2020.
A 2018 Election Day scenario like the one outlined above is intentionally catastrophic.
But the scenario is within the realm of the possible, according to election security experts. J. Alex Halderman, a professor of computer science at the University of Michigan and an expert in cybersecurity and voting systems, has cautioned that hacker probes into online voter registration systems in 2016 looked in many ways like the preparatory stages of another attack.
“The first thing any advanced or persistent attacker will do is basically case the joint — you figure out what computer systems are exposed online, what data do they contain, what kind of beachhead do they give me for committing a more serious attack later,” Halderman said.
Matt Eble, a former CIA cyberthreat analyst, agreed. He pointed out that states could very well be missing current incursions into their systems, even with the awareness raised after attempts in 2016. “You have well-resourced Fortune 500 companies, and they’re still being breached regularly,” he said. “That’s the case for organizations that are disciplined and well-resourced and have dedicated staff.” That description often does not apply to state electoral commissions.
The Department of Homeland Security can provide states with security scans of their election systems free of charge — a DHS official told FiveThirtyEight that 32 states are receiving ongoing cyber hygiene scans. More comprehensive onsite assessments of states’ risks are also available from DHS, something that 15 states have requested. (Eight have already had the assessment, and seven more will have been completed by “mid-April,” according to the official.) But some states are wary of DHS help. In December 2016, Georgia’s secretary of state said DHS had tried to hack the state’s system, and Indiana and Idaho secretaries of state said the same in 2017.
Marian Schneider, Pennsylvania’s former deputy secretary for elections and the current president of Verified Voting, a nonprofit dedicated to safeguarding election integrity, acknowledged that there can be tension when it comes to protecting local control over elections. “I do know some secretaries of states don’t want the federal government involved in elections in their state, period — regardless of whether it’s helpful or not,” she said. And because elections are administered by states, preparedness standards can vary. Some states test and certify voting machines according to their own standards, while others rely on standards set by the Election Assistance Commission. But the EAC, and by proxy the federal government, has no power to tell states what standards their voting machines or voting software must live up to, security-wise.
“We run a conformity assessment program,” said Brian Hancock, head of the EAC’s testing and certification. “The machines either meet the standards or they don’t. We don’t make any value judgments on whether one type of technology is better than another.”
Some states are making moves to improve their voting infrastructure in the post-2016 landscape. Virginia decertified its direct-recording electronic machines in the lead-up to its gubernatorial election in 2017, and Pennsylvania Gov. Tom Wolf recently ordered that new machines purchased by counties provide a vote paper trail.
Security experts also advocate for the implementation of something called a risk-limiting audit in the aftermath of an election. Its purpose? To prevent the most catastrophic election tampering scenario of them all: that a person who wasn’t actually elected be placed into office. This audit is a statistical sample of paper ballots after an election and is used to mitigate the risk that votes have been changed on the electronic tally. Along with voting solely on paper ballots, experts agree that these audits are the best, most efficient way to double-check the veracity of an election. Colorado has begun auditing races in this manner, and Rhode Island has passed legislation saying such audits must be initiated this year.
These efforts aren’t just a way to stop vote hacking; they’re also intended to shore up Americans’ faith in their voting system. Regardless of whether a hack is successful at changing vote counts, the Russians are engaging in the cheapest sort of warfare: the psychological variety. Plant a seed of doubt, and it grows like a weed.
Matt Dietrich of the Illinois Board of Elections is all too aware of the consequences a hack can have, given Illinois’s 2016 experience. “You’re always vigilant, but this idea of creating doubt, creating chaos, that to me is a much more real scenario (than voting machine hacks) because we’ve already seen it on the ground level,” he said. “The worst-case scenario to us would be that regular voters fear or doubt the integrity of the system so much that they just totally opt out, they become disengaged.”
But for security experts like Halderman, the notion of trust is more complicated. He believes that the public’s awareness of potential problems is actually crucial to fixing the system. “Our primary goal isn’t for people to blindly trust the election system. Our goal is for them to have a basis to trust the election system, to have a rational level of trust,” he said. “If anything, people having unfounded confidence in the election system just assures that problems will not be fixed.”
And that, Halderman said, could be disastrous. “If we do nothing, it’s only a matter of time until a major election is stolen in a cyberattack.”
CORRECTION (April 9, 2018, 10:44 a.m.): An earlier version of this article misspelled the name of Pennsylvania’s governor, Tom Wolf. It has since been corrected.