Skip to main content
ABC News
The Moscow Midterms

The first Americans to line up to vote on Nov. 6, 2018, will be the East Coast’s earliest risers. As early as 5 a.m. EST, rubbing the sleep from their eyes and clutching travel thermoses of coffee, they will start the procession of perhaps 90 million Americans to vote that day. The last to cast ballots will be Hawaiians, who will do so until 11 p.m. East Coast time. When all is said and done, the federal election will unfold something like an 18-hour-long ballet of democracy: 50 states, dozens of different kinds of voting machines and an expectation that everything should be counted up in time for TV networks to broadcast the results before Americans head to bed. Election Day 2018 is expected to unfold no differently than it has in years past.

Except it might.

While Americans are well-acquainted with Russian online trolls’ 2016 disinformation campaign, there’s a more insidious threat of Russian interference in the coming midterms. The Russians could hack our very election infrastructure, disenfranchising Americans and even altering the vote outcome in key states or districts. Election security experts have warned of it, but state election officials have largely played it down for fear of spooking the public. We still might not know the extent to which state election infrastructure was compromised in 2016, nor how compromised it will be in 2018.

Most of us can’t really picture what it would look like to tamper with an election, but security experts can. Even as you read this, voting systems, so dry and complicated and completely taken for granted, could well be in the midst of fending off attacks from foreign adversaries. Things could get bad — really bad. Bad like this:

The following is a rendering of what a worst-case Election Day scenario could look like, based on FiveThirtyEight’s interviews with voting and cybersecurity experts and state election officials, along with news reports and documents in the public record.

DATE Nov. 6, 2018 TIME 6 a.m. EST LOCATION Moscow

It’s midafternoon in Moscow when voting starts. Igor Valentinovich Korobov,1 head of Russia’s military intelligence directorate, GRU, is settling in for a long day. From GRU headquarters — a steely gray, sleekly foreboding building — he’s monitoring his hacking units. Western cybersecurity firms call them “advanced persistent threat” (APT) groups, a nod to their sustained, targeted efforts in wreaking mayhem. You may have heard the name of one of them: Fancy Bear.2 Ever since the summer, when President Vladimir Putin handed down the general directive to pursue further cyberattacks on the U.S. elections, Korobov and his team have been in brisk competition with the spooks over at the FSB3 — Cozy Bear, etc. — to see who can sow the most mischief.4

Ivan and Alexei5 are two hackers with Korobov’s APT groups, or “science squadrons,” which the Russian military6 started building out in recent years. Ivan, moon-faced with a mop of blonde hair, was a talented computer programmer in university and came to the unit after a professor suggested he talk to the government about a job. Alexei was recruited as well, but from one of the big crime syndicates. A lanky quiet guy, he spends his breaks outside, smoking. The only time Ivan has heard Alexei talk much was at a bar, a few drinks deep, when he went on about the part he played in the big Target hack a few years back. Alexei was friendlier when he was drunk, giving Ivan advice like, “Don’t go on vacation with your girl to any country with a U.S. extradition treaty.” A couple of buddies learned that lesson the hard way. And Prague just isn’t worth the trouble.

At 8 a.m. EST on the big day, Ivan is locked into his chair, ready to watch his work from the past few months unfold: If all goes according to plan, he’s about to wreak havoc7 on a few hundred polling places around the country. Most U.S. states have online voter registration systems, and they’re decently vulnerable — the science squadrons broke into the Illinois system8 back in 2016. Since then, the American government has gotten more alarmed about security. In January 2017, one of the last acts of Jeh Johnson, President Obama’s head of the Department of Homeland Security, was to designate election infrastructure as “critical,”9 making way for swifter cyber help from DHS for states in need.

But in February 2018, Adm. Mike Rogers, the head of the National Security Agency and Cyber Command, told the Senate Armed Services Committee that he had not been instructed by President Trump or Defense Secretary James Mattis to go after Russian hackers at their point of origin. “Everything, both as the director of the NSA and what I see on the Cyber Command side, leads me to believe that if we don’t change the dynamic here, this is going to continue, and 2016 won’t be viewed as something isolated,” Rogers said.

A few months ago, once Ivan got inside a few of the state systems, he was able to change information10 on certain voter files, so when the American voters show up in person today, their information won’t match their IDs. He mostly focused on screwing with the records of places with a lot of Democratic voters,11 places dominated by black and Latino people. (He Googled a lot about Florida while hacking its system and decided that if he ever visits the U.S., he’ll definitely be hitting Miami first.) Putin isn’t keen on Democrats taking back control of Congress. In fact, the whole military intelligence crew has focused on certain races12 where they think they can swing the balance toward Republican candidates. Back in 2016, the hacking groups probed 21 states’ election systems, poking around with phishing scams directed at local officials13 and attacks like the successful breach in Illinois. The 2016 work had given the team the grist it needed for its 2018 work.

Ivan is eyeing Ohio, North Dakota, Arizona and Florida, where Senate elections are predicted to be relatively close — plus they’ve all been targeted already by the science squadrons. Then there are the 24 House seats deemed toss-ups, 17 in states whose election systems have already been targeted. One Republican who’s in a California toss-up race was even seen as a potential recruit at one point in time. The intelligence guys down the hall are getting better at following American politics chatter on Twitter, keeping tabs on the candidate ups and downs. (They think the new 280-character capacity makes for duller scrolling.) Ivan just takes their directives about where to target, plugging and chugging, dreaming of a post-November trip to somewhere warm and extradition treaty-free.

DATE Nov. 6, 2018 TIME 10 a.m. EST LOCATION Broward County, Florida

Eight time zones away, Brooke Mitchell14 is sipping a midmorning skinny vanilla latte, her winter drink — though it’s Florida, so the whole Nov. 1 switch from iced macchiatos is purely symbolic. It’s been her first quiet moment of the day; Broward County election workers are used to Election Day mania ever since the 2000 nightmare.15 And then there was all that Russian nonsense in 2016.

The shrill of the phone breaks Brooke’s caffeine reverie. It’s one of her poll workers in Fort Lauderdale. They’re getting an awful lot of mismatched voter records — could something be wrong? Another call, five minutes later, from Judy what’s-her-face (terrible lip injections) in Miami-Dade County. Is Broward having any hiccups with registration checks? There are apparently tons of people in Miami who are positive they’re registered to vote but whose names don’t show up in the system or whose information looks very different from their IDs.

Brooke hangs up, absentmindedly smoothing the Palm Beach print of her Lilly Pulitzer as she slides into her chair: Could this be the beginning of a very long, terrible day? Has the curse of Katherine Harris come to haunt her?16

DATE Nov. 6, 2018 TIME 11 a.m. EST LOCATION Moscow

While Ivan keeps tabs on his voter rolls, Alexei is walking the highest wire on the squadron. He’s been tasked with the hack his superiors have eyed with the most glee: infiltrating voting machine software.17 It’s been a long-term project — one of those career make-or-breakers — and he’s a little sick of having Korobov on his ass all the time. But if everything works out today, the guff he’s been getting from the general will be worth it.

He checks his watch, a nice one, a remnant of his days in the private sector. Patek Philippe, vintage. It’ll be midmorning now in Wisconsin, Pennsylvania, West Virginia and Indiana.18 A few weeks back, he successfully laid some foundational work with a little phishing scheme targeting state election officials, a project that could turn into something big. Electronic voting machine ballots are drawn up on a computer, typically either by county officials or outside vendors paid by a county. The machine on which a ballot is drawn up isn’t supposed to be connected to the internet,19 and things like memory sticks that need to be inserted into the ballot-making machine should never have been used on a computer touching the internet. But if malware does get on a ballot-making computer — perhaps because an election official clicks on a phishing link — that could spell trouble. There’s a chance the malware could be transferred to the voting machine when the ballot is uploaded.

This means there’s the potential for Alexei to change actual votes. A couple of the officials fell for the phishing scheme trap. Now, it’s only a matter of waiting to see if things have shaken out for him. Alexei clicks over to another tab and checks his Ethereum price.

DATE Nov. 6, 2018 TIME 1 p.m. EST LOCATION Washington, D.C.

John Bresnehan20 finally sets down the dumbbells and takes a break on the bench. The kids at the office gym all wear so much gear and spandex, he thinks, glancing down at the old rugby socks that have drooped down around his ankles. Twenty-five years in counterintelligence have taught him that nothing quells the nerves like a lunchtime run and lift, but today feels different. The pit in his stomach is still there. Ever since the 2016 Russian attacks on state systems, he’s been dreading when the next shoe would drop. The public doesn’t fully grasp the extent of the potential compromise. Today could be the day they do. John was one of the federal officials who met with all those worried bureaucrats, answered their questions about the hacks, assured them that the system flaws were fixed. But what if there’s something they weren’t seeing?

What happened in Illinois had him anxious. It was like the hackers wanted someone to notice they were in the system21 — they had practically alerted IT themselves with the amount of noise they were making, bombarding the servers. Why? And why hadn’t John’s cyberforensics guys found any back door to the attack? Were the Russians still there, lying quietly hidden until the right moment? Were they going to launch a zero-day malware attack22 on Election Day?

John fiddles with the bulbous class ring on his finger. If the shit rolls downhill with an attack today, it’ll hit his house like a California mudslide. What he wouldn’t give for the Russian cyber talent, John thinks. All the millennial yuppie programmers here just go to Google and run marathons. “Fucking spandex,” he mutters as he heads for the showers.

DATE Nov. 6, 2018 TIME 2 p.m. EST LOCATION somewhere in Wisconsin

Bonnie Wainwright23 was the first sucker who clicked on Alexei’s phishing link. Sucker is a bit unkind, but Bonnie still isn’t all that savvy with email stuff. She’s been a Wisconsin county clerk for years, and she’s good at it: a great typist, good with people, all that stuff that used to matter. But she doesn’t eat, sleep and breathe the internet the way her grandkids do. Who has time for memes and all that?

She went to the internet security training in Madison, but Jesus, it was boring. Plus, the speaker was condescending, the kind of guy who used too much technical jargon and peered over his glasses, asking if the room, filled with gray hairs, was keeping up. Bonnie had spun an elaborately hateful narrative of his life while he talked: He stole from older relatives and only saw the sun between his car door and the door of the McDonald’s. (It would explain why his skin was a mess.) Still, she smiled at him on her way out after the two hours were up. Midwestern nice runs deep. But not a whole lot stuck from the training.

Which is why Bonnie hadn’t worried much about opening the Word document24 from the unfamiliar email address. It looked pretty similar to the ones she got from the voting machine and software guys — they were in touch a lot during election years. But the document hadn’t made sense to her, and she’d closed it and forgotten about it. She never notified an IT guy that something might be amiss.

Of course, the tech ignorance of Bonnie and other clerks is exactly the reason Alexei and the intel guys decided to target Wisconsin. The state’s system is, even by American standards, incredibly decentralized. The more election administrators in little towns and villages, the better; it meant more targets25 for phishing scams. Shooting phish in a barrel.

John Bresnehan knows all too well that there are hundreds of Bonnies around the country, running elections. And intelligence officials like John know that the Russians aren’t just targeting local officials but voting service providers as well — the vendors who make voting machines and software and who sometimes help municipalities or counties draw up their ballots. One attack on a such a provider was already public — on VR Systems, which provides services like online voter registration platforms and electronic poll books26 to eight states — but there were more that they hadn’t revealed yet to the public, at least two.27

These days, John was perpetually pissed at the Founding Fathers for giving so much power to the states. They just didn’t have the resources to make their systems secure and state-of-the-art. The U.S. Election Assistance Commission, the federal agency that was supposed to help with election security standards, had little power,28 and what’s worse, the EAC had itself been hacked after the 2016 election.29 Not exactly a ringing endorsement.

DATE Nov. 6, 2018 TIME 3 p.m. EST LOCATION Moscow

Alexei targeted Bonnie and a few other clerks whose towns use touch-screen voting machines.30 The Sequoia AVC Edge model is pretty common in the state and ripe for exploitation by a hacker,31 as is the AccuVote TSX, also still used in Wisconsin and 16 other states despite being judged a security risk in 2007 during a massive election security review in California. Alexei had seen a couple of machines in person. American voting machines are easy to buy on eBay, and agents on the ground in the U.S. could always steal a couple for the science squadrons back home if need be.

When Bonnie started drawing up the Nov. 6 ballot on her computer, Alexei knew he’d hit the jackpot. While a voting machine itself will never be connected to the internet, the touch-screen voting machines, as well as optical scan machines,32 all require programming that is done on other computers. Once inside Bonnie’s computer, Alexei could slip malware into the software that would eventually be transferred to the voting machine itself. It was pretty simple and something U.S. elections security experts had been warning about.33 American election board officials comforted the public that there were paper trails attached to most voting machines, a backup measure, in case something went wrong. But the truth was that lots of states never really counted the paper.34

Alexei reeled in a few other fish, too. The bosses wanted to hit Indiana, West Virginia and Nevada, all states with close Senate races. They wouldn’t need too heavy a hand in these places — just a couple of tweaks here and there. He snagged some machine access in Pennsylvania, too. Korobov and the intel officers wanted access there for the same reason they wanted it in Wisconsin: The science squadrons needed to get ready for 2020 to ensure that these swing states went Republican again. Pennsylvania was a particular coup. Not only is it a swing state, but many of its counties use digital machines that don’t produce paper records — the vote tally is stored only in the machine. Since there’d be no paper record to compare to the digital one, the Americans would never even know Alexei had been in their systems.

DATE Nov. 6, 2018 TIME 4 p.m. EST LOCATION Florida

Brooke is positive that something is wrong. The lines are out the door in the heavily black and Latino districts all around Florida.35 The exchange network for state election officials is buzzing off the charts. It’s the same thing in Cuyahoga County, Ohio, where Democrats are hoping for a large turnout to buoy their Senate and gubernatorial candidates: People are being told they’re not properly registered.

The media has started to report on the chaos. The basic gist of the story is the widespread disenfranchisement of minority communities. Brooke’s daughter texts to tell her the news is trending on Twitter — voters are posting videos of the long lines. She turns on the TV and there’s heavy coverage there, too — apparently California and Arizona are seeing the same thing? Reporters are shoving microphones in front of local election officials who are skittish in front of the cameras. No answers right now as to what might be happening, please stay calm. It’s far from comforting.

The too-big-to-be-a-coincidence-ness of it all seems to be striking everyone over the head at the same time. It’s fury at first, at least on Brooke’s end of things. Then the sick feeling sets in — did the Russians just take us for a ride?

Brooke riffles through her bottom desk drawer. Emergency cigarette retrieved, she takes a drag, then picks up the phone receiver. “John Bresnehan, please.”

DATE Nov. 6, 2018 TIME 6 p.m. EST LOCATION Washington, D.C.

Brooke isn’t the first state official John has talked to. His specialists are all being dispatched to check out the problems, but the initial analyses by state IT teams seem to confirm his worst fears: The Russians got into many of the voter registration systems undetected. This is the zero-day attack he had feared. The White House says it is monitoring the situation, but Trump has yet to make a statement.

John never hears from Bonnie or the Wisconsin authorities — as far as they know, their Election Day was mercifully spared. There wasn’t a post-election audit of the paper ballots that suggested anything might have gone awry. Bonnie goes out for a tres cher dinner the next night with her husband to celebrate a job well done.

In Moscow, Ivan is tired but happy with the results, and his day is winding down with a couple of hours to go before the polls close. Not only were his hacks of online voter registrations a success, but the ensuing chaos — America is burning hot with indignation and accusations of disenfranchisement — has provided Alexei with the perfect cover for his work on the voting machines.

Putin’s preferred Senate candidates are all headed for wins in Nevada, West Virginia and Indiana thanks to the tweaks Alexei made to the voting machine software. Those results are far from the realm of the unexpected, which means they won’t arouse much suspicion. Plus, most of the public and governmental focus will be on the voter registration fiasco. Alexei makes plans to dial down his presence in Bonnie’s machine and those of all the other election clerks. He’s back to quiet mode, but he can’t wait to see what he can do in 2020.

A 2018 Election Day scenario like the one outlined above is intentionally catastrophic.

But the scenario is within the realm of the possible, according to election security experts. J. Alex Halderman, a professor of computer science at the University of Michigan and an expert in cybersecurity and voting systems, has cautioned that hacker probes into online voter registration systems in 2016 looked in many ways like the preparatory stages of another attack.

“The first thing any advanced or persistent attacker will do is basically case the joint — you figure out what computer systems are exposed online, what data do they contain, what kind of beachhead do they give me for committing a more serious attack later,” Halderman said.

Matt Eble, a former CIA cyberthreat analyst, agreed. He pointed out that states could very well be missing current incursions into their systems, even with the awareness raised after attempts in 2016. “You have well-resourced Fortune 500 companies, and they’re still being breached regularly,” he said. “That’s the case for organizations that are disciplined and well-resourced and have dedicated staff.” That description often does not apply to state electoral commissions.

The Department of Homeland Security can provide states with security scans of their election systems free of charge — a DHS official told FiveThirtyEight that 32 states are receiving ongoing cyber hygiene scans. More comprehensive onsite assessments of states’ risks are also available from DHS, something that 15 states have requested. (Eight have already had the assessment, and seven more will have been completed by “mid-April,” according to the official.) But some states are wary of DHS help. In December 2016, Georgia’s secretary of state said DHS had tried to hack the state’s system, and Indiana and Idaho secretaries of state said the same in 2017.

Marian Schneider, Pennsylvania’s former deputy secretary for elections and the current president of Verified Voting, a nonprofit dedicated to safeguarding election integrity, acknowledged that there can be tension when it comes to protecting local control over elections. “I do know some secretaries of states don’t want the federal government involved in elections in their state, period — regardless of whether it’s helpful or not,” she said. And because elections are administered by states, preparedness standards can vary. Some states test and certify voting machines according to their own standards, while others rely on standards set by the Election Assistance Commission. But the EAC, and by proxy the federal government, has no power to tell states what standards their voting machines or voting software must live up to, security-wise.

“We run a conformity assessment program,” said Brian Hancock, head of the EAC’s testing and certification. “The machines either meet the standards or they don’t. We don’t make any value judgments on whether one type of technology is better than another.”

Some states are making moves to improve their voting infrastructure in the post-2016 landscape. Virginia decertified its direct-recording electronic machines in the lead-up to its gubernatorial election in 2017, and Pennsylvania Gov. Tom Wolf recently ordered that new machines purchased by counties provide a vote paper trail.

Security experts also advocate for the implementation of something called a risk-limiting audit in the aftermath of an election. Its purpose? To prevent the most catastrophic election tampering scenario of them all: that a person who wasn’t actually elected be placed into office. This audit is a statistical sample of paper ballots after an election and is used to mitigate the risk that votes have been changed on the electronic tally. Along with voting solely on paper ballots, experts agree that these audits are the best, most efficient way to double-check the veracity of an election. Colorado has begun auditing races in this manner, and Rhode Island has passed legislation saying such audits must be initiated this year.

These efforts aren’t just a way to stop vote hacking; they’re also intended to shore up Americans’ faith in their voting system. Regardless of whether a hack is successful at changing vote counts, the Russians are engaging in the cheapest sort of warfare: the psychological variety. Plant a seed of doubt, and it grows like a weed.

Matt Dietrich of the Illinois Board of Elections is all too aware of the consequences a hack can have, given Illinois’s 2016 experience. “You’re always vigilant, but this idea of creating doubt, creating chaos, that to me is a much more real scenario (than voting machine hacks) because we’ve already seen it on the ground level,” he said. “The worst-case scenario to us would be that regular voters fear or doubt the integrity of the system so much that they just totally opt out, they become disengaged.”

But for security experts like Halderman, the notion of trust is more complicated. He believes that the public’s awareness of potential problems is actually crucial to fixing the system. “Our primary goal isn’t for people to blindly trust the election system. Our goal is for them to have a basis to trust the election system, to have a rational level of trust,” he said. “If anything, people having unfounded confidence in the election system just assures that problems will not be fixed.”

And that, Halderman said, could be disastrous. “If we do nothing, it’s only a matter of time until a major election is stolen in a cyberattack.”

CORRECTION (April 9, 2018, 10:44 a.m.): An earlier version of this article misspelled the name of Pennsylvania’s governor, Tom Wolf. It has since been corrected.


  1. Korobov is a real person. Not everyone you meet in this story will be.

  2. Fancy Bear, an APT group associated with the GRU, hacked the Democratic National Committee in the lead-up to the 2016 election.

  3. The FSB is the successor to the KGB. The GRU and the FSB are internal rivals in Putin’s intelligence community.

  4. Cozy Bear, an APT group associated with the FSB, also hacked the Democratic National Committee in the lead-up to the 2016 election.

    The rivals — Fancy Bear and Cozy Bear — have infiltrated any number of European ministries of defense, the Georgian military and unclassified websites of the White House, the State Department and the Joint Chiefs of Staff. The DNC hacking episode got Korobov sanctioned by the U.S. in the last days of the Obama administration, though he visited Washington in January 2018.

  5. These guys are fictional.

  6. In December 2016, the FBI and the Department of Homeland Security released a joint analysis report providing details on how different Russian hacking groups — 48 were identified — went on a systemic hacking campaign aimed at “government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations.”

  7. So what’s Putin’s actual motivation to tamper in U.S. elections? Former CIA cyberanalyst Matt Eble said that interference has more to do with Putin wanting to convince Russians that the U.S. isn’t so much better than their own country. “There’s a strong part of the internal propaganda which is, ‘This is how Western liberal democracies, which might look better on TV, they’re really no better than this, they’re maintaining a lie to their people. But they are corrupt, they’re not representative, they’re just run by companies, it’s all the same, it’s just that their people are buying into this fantasy.’”

  8. In June 2016, the hackers scanned the Illinois site using Acunetix, a program that searches websites for vulnerabilities. Beginning June 23, hackers hit the application status page of the voter registration site — they had found a weakness that allowed them to enter malicious database queries exposing 200,000 voter records. The hackers stuck around until July 12, when they spiked the system with attacks. Someone noticed, and the state’s system was taken offline. ThreatConnect, a digital security firm, found that some of the IP addresses associated with the attack were also associated with the Fancy Bear group.

  9. DHS-designated critical infrastructure in the U.S. includes nuclear reactors and water facilities; the Trump administration recently announced a discovery that Russians have been targeting nuclear power, water and electric systems with cyberattacks. In February 2018, Johnson said he was worried that many states had done little “to actually harden their cybersecurity.”

  10. While officials said that none of the targeted voter records in Illinois had been changed, there’s good reason to think that given another opportunity, a hacker might pursue a more aggressive tack.

  11. As recently as 2012, Republicans were wary of Russia’s geopolitical posturing — Mitt Romney called Russia “our No. 1 geopolitical foe.” But when Trump became the Republican nominee, his campaign changed the Republican Party platform on Russia policy, making it more friendly to Putin’s interests. Recently, though, Trump expelled 60 Russian diplomats in the wake of the poisoning of a former Russian spy in Britain. Republican voters have also expressed more positive views toward Russia in the past couple of years.

  12. This sort of politically aware targeting is not new. Hackers spread leaked information to discredit Democratic candidates in a couple of close House races in 2016, and the Russian intelligence crew has been familiarizing itself with the U.S. electoral process and voting technologies since 2014.

  13. In June 2016, part of the Arizona secretary of state’s website went offline for a week after credentials from a Gila County election worker were compromised when the worker opened a malware-infected email attachment, then logged on to the statewide system.

  14. Brooke is a fictional character.

  15. The 2000 presidential election between George W. Bush and Al Gore saw a recount of the vote in several Florida counties, including Broward.

  16. The specter of the 2000 election in Florida, over which Harris presided as secretary of state, led to the Help America Vote Act of 2002 that provided states with money to replace old voting systems.

  17. Election security experts say this scenario is less likely to occur, though still plausible.

  18. We contacted the states to ask about their electronic-ballot security measures. Wisconsin election officials said they’re working with DHS and are creating new cybersecurity standards for electronic ballot-making. Pennsylvania said that “election management software resides on a server/computer isolated from the county network.” West Virginia’s electronic ballots are created by outside vendors; a state official said a cybersecurity expert monitors the online election infrastructure. In Indiana, security protocol is left up to individual counties. Nevada, mentioned elsewhere in the story, did not respond.

  19. Neil Jenkins, who worked for DHS on election infrastructure cybersecurity, said he had conversations with state election officials to emphasize what exactly it meant to protect these computers from the internet.

    “You believe your ballot creation system is air-gapped from the internet. Are you sure? Every time you plug a USB in to take off the ballot and put it into a machine, is that a new USB? Or is that the same USB device you’ve used the last 20 years? And is it the same USB device that you plugged in to your home computer?”

  20. John and his droopy socks are fictional.

  21. Matt Dietrich of the Illinois Board of Elections described the events of the hack this way: “They had been in there a long time, then suddenly they just turned up the volume, and that’s when we caught it. The real concern was that not only did they get in, but that while they were in there, they created a back door that they could get in once they thought we had it all fixed.” He said Illinois has since fixed the breach and that the hackers “hadn’t created a back door that we know of.”

  22. A zero-day malware attack is when an attack uses a technique that had previously been unknown. Chris Porter, a cybersecurity analyst with FireEye, told Wired UK that “APT28 (Fancy Bear) seems to have a pretty endless armoury of zero-days.” But you might not even need a zero-day attack to get into a state system — the NSA’s top hacker said in 2016, “There’s so many more vectors that are easier, less risky and quite often more productive than going down that route.”

  23. Bonnie is fictional.

  24. A leaked NSA memo obtained last year by The Intercept describes Russian efforts to pose as voting vendors over email, including using infected Word attachments. If those documents were then opened, the recipient’s computer would become an unwitting host of malware.

  25. Meagan Wolfe, the interim head of the Wisconsin Election Commission, told FiveThirtyEight that the state’s decentralized system has its strengths. “If some major change happens to the voter records in a small township, that clerk is going to recognize that.”

  26. Some people suspect that VR’s electronic poll books were compromised in precincts in Durham, North Carolina, and as a result should no longer be used. But a North Carolina judge denied appeals that the VR software be barred from use in 2017 municipal elections.

  27. In September 2017, The New York Times reported that current and former intelligence officials said two other providers of elections services had been breached by hackers. The officials did not name the companies in the report.

  28. The voting machine and election system management industry is small, insular, protective and weakly regulated by a largely powerless federal agency, the Election Assistance Commission. Because of the U.S.’s decentralized system, states don’t have to adhere to the EAC guidelines and standards — they can create their own standards. Election security experts worry the EAC’s security standards are far from top-notch anyway: It has yet to decertify a machine.

  29. On Dec. 1, 2016, the security firm Recorded Future became aware of a Russian-speaking hacker who had obtained the credentials of 100 EAC employees and was looking to sell them — purportedly to a Middle Eastern government. The EAC told FiveThirtyEight that the incident involved a type of attack “that we’ve been told affected many federal and local governments in that same time frame,” and that EAC took the affected server offline within four hours of being notified. “We worked with DHS and the FBI, and are certain the incident was isolated and did not impact any other EAC systems.”

  30. The 2000 recount in Florida was made all the more complicated by “hanging chads,” or the fragments left on paper ballots that hadn’t been punched all the way through. In the wake of that episode, electronic voting machines became more popular. They were seen as a way to mitigate the uncertainty that partially punched paper ballots might cause. Cyber experts now say that paper ballots that are electronically scanned are the best way to vote.

  31. Voters using direct-recording electronic machines either enter their vote on a touch screen or by pushing buttons as opposed to filling out a bubble on a paper ballot with a pen or pencil. In 2007, California’s secretary of state initiated a top-to-bottom review of the state’s election infrastructure, bringing in election security experts, and decertified a number of voting machines for broad use because of tampering concerns. Many of the decertified machines are still used in other states.

  32. In order to ensure a fast tabulation of paper ballots, voting machines use something called an optical scan, meaning that a computer scans the physical ballot, then tabulates the vote electronically. These are also open to tampering.

  33. J. Alex Halderman, a computer scientist at the University of Michigan, testified to Congress in 2017 about the number of weaknesses he had found in commonly used U.S. voting machines:

    “Both optical scanners and DRE voting machines are computers. Under the hood, they’re not so different from your laptop or smartphone, although they tend to use much older technology — sometimes decades out of date. Fundamentally, they suffer from security weaknesses similar to those of other computer devices.”

  34. States are getting better at post-election audits — some now require hand recounts in randomly selected precincts — but many still have recount procedures judged inadequate by voting security advocates.

  35. A spokesperson for the Florida Department of State told FiveThirtyEight that the department had upgraded hardware and firewalls to protect voter information. “Since 2015, 55 of Florida’s 67 counties have completed a voting equipment modernization by either updating their voting system software and/or hardware, or purchasing new voting equipment,” the spokesperson said. “The majority of the remaining counties are in the process of completing a modernization or an upgrade.”

Clare Malone is a former senior political writer for FiveThirtyEight.