States are working to shore up what might be the most public and vulnerable parts of their election systems: the websites that publish voting results.
NBC News spoke with the top cybersecurity officials at four state election offices, as well as the head of a company that runs such services for six states, about how they secure the sites. All agreed that while there was no real threat that hackers could change a final vote count, a successful cyberattack would be harmful for public confidence if hackers were able to breach the websites that show preliminary vote totals.
“Election night reporting sites are very, very ripe for a perception hack, because they’re so visible,” said Eddie Perez, a board member at the OSET Institute, a nonpartisan, nonprofit organization that advocates for election security and integrity.
The effort necessary is because it’s relatively easy to knock a website offline and deface it with simple cyberattacks. Vince Hoang, Hawaii’s chief information security officer, is well aware, having recently dealt with just such an attack. Last month, a hacker group called Killnet, which presents itself as a small group of pro-Russian hacktivists, announced plans to attack U.S. state government websites and air travel websites.
While there’s no evidence Killnet stole any data or altered any files, it was able to temporarily keep some states’ sites from loading for hours with a series of distributed denial of service, or DDoS, attacks, unsophisticated cyberattacks that flood websites with traffic. One of its victims last month was Hawaii.gov, which also hosts the state’s election night reporting. Even though Hawaii uses Cloudflare, one of the top DDoS protection services, Killnet was able to render Hawaii.gov inaccessible for several hours.
Hoang said it was a blessing in disguise.
“We’re better prepared now than had this event not happened,” he said. “Our team learned a lot.”
There’s practically no chance that foreign hackers could change election results next week, thanks in large part to how the U.S. voting system works. Most voting equipment isn’t connected to the internet, and every state conducts its own elections, meaning hackers would need to target thousands of individual election systems to wreak widespread havoc.
But with false claims of election fraud now common and public confidence in the voting system on the decline (a recent NBC News poll found about a third of American voters don’t accept the legitimacy of the 2020 presidential election), election officials have become particularly sensitive to the psychological side of elections.
That means avoiding even the perception of hackers’ changing votes, which makes election results websites all the more crucial.
“If anything were to appear amiss, it could definitely start, at best, a time-consuming series of events,” Perez said. “In this environment, that’s a big vacuum that absolutely invites all kinds of viral and baseless speculation that could really impact people’s confidence.”
There’s no formal accounting of which states use which kinds of cybersecurity protection programs. Major tech firms like Cloudflare, Microsoft and the Google subsidiary Jigsaw offer versions of their products free to protect election websites from DDoSes and breaches and to protect campaigns from threats like hackers’ targeting their email networks. Cloudflare, which specializes in tactics like absorbing a large chunk of a client’s web traffic when it’s overrun, offers free DDoS protection services. They’re used in 31 states, a spokesperson said.
States have options for help in mitigating DDoS attacks. The EI-ISAC, a Department of Homeland Security-funded nonprofit organization that coordinates potential cyberthreat information among election workers, has more than 3,500 participating members, most of them state and local election offices, a spokesperson said.
EI-ISAC offers free copies of CrowdStrike cybersecurity software to members, said Trevor Timmons, the EI-ISAC executive committee chair.
Election results posted to websites aren’t official. They’re updated in real time as votes come in after polls close, and nothing is final until votes are certified by counties or districts, which usually takes at least several days. But they’re the closest thing states have to authoritative real-time results, and they’re instrumental for how the media and the public understand how races are going.
Historically, election results websites have been ripe targets for malicious hackers who want to sow chaos. In 2014, hackers later identified as working for Russian intelligence broke into Ukraine’s Central Election Commission a few days before the country’s presidential election.
While the hackers didn’t change any votes, they were able to keep election officials from updating results in the hours after polls closed and created a temporary fake page on the election commission’s website to make it appear that Dmytro Yarosh, a fringe pro-Russia candidate, was winning. He got less than 1% of the vote.
Some U.S. officials emphasized that even accurate results on websites should be taken for what they are — preliminary indications of election results.
“Anything is possible when it comes to those web results: a weird upload, a bad upload,” said Dave Tackett, the chief information officer for the West Virginia secretary of state. “The truth is at the courthouse, on paper, out of a disconnected machine.”