Report: Outdated Voter Registration Systems Could Be Vulnerable to Attack Cyber experts told the Department of Homeland Security in July that voter registration systems in California and Florida could be vulnerable to a hack, a closely-held report obtained by NPR reveals.
NPR logo

Voter Websites In California And Florida Could Be Vulnerable To Hacks, Report Finds

  • Download
  • <iframe src="https://www.npr.org/player/embed/925388871/927384441" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript
Voter Websites In California And Florida Could Be Vulnerable To Hacks, Report Finds

Voter Websites In California And Florida Could Be Vulnerable To Hacks, Report Finds

  • Download
  • <iframe src="https://www.npr.org/player/embed/925388871/927384441" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript

SCOTT SIMON, HOST:

As the election fast approaches, a new concern about securing the vote. NPR has learned that back in July, two cybersecurity firms sent the Department of Homeland Security a report that warned about flaws in voter registration websites around the country. The fear is that a defect that existed back in 2016 that might have allowed hackers to download voter information or change voter registration files could be used again. NPR's Dina Temple-Raston, who obtained the report, explains.

DINA TEMPLE-RASTON, BYLINE: To understand why a report about the possible vulnerabilities in the voter registration websites is so important, we need to go back to the summer of 2016. That's when questions first started to surface about darker forces hacking into online voter rolls. And to this day, one of the most mysterious of these cases comes out of Riverside County, Calif.

MICHAEL HESTRIN: Each of the cases we investigated, people had their voter registration changed unbeknownst to them. They got no notice. They didn't go in and change it.

TEMPLE-RASTON: That's Riverside County District Attorney Michael Hestrin. And during the June 2016 primary, people were showing up to vote only to find that they were suddenly listed in the voter rolls as members of the Green or independent party.

HESTRIN: Now, the voter is telling us, I didn't change my registration 10 days before an election. I've been a Republican for, you know, 25 years. Why would I do that?

TEMPLE-RASTON: And it wasn't just one or two complaints.

HESTRIN: Once the number got to be over, you know, 15 or 20 or so, I was very concerned. I sent out several investigators.

TEMPLE-RASTON: Riverside County may live in infamy as an election cold case because back in 2016, the state of California didn't capture the one thing that helps investigators track down a hacker, an IP address.

Not every California government official agrees, but Hestrin is convinced that the voter registration website in Riverside County was hacked four years ago. Then, a month later in Illinois...

(SOUNDBITE OF MONTAGE)

STEPHANIE SY: The FBI says foreign hackers have penetrated state election systems.

UNIDENTIFIED NEWSCASTER #1: Data from as many as 200,000 voter records was stolen in Illinois.

UNIDENTIFIED NEWSCASTER #2: Specifically, the internal database of voter information.

TEMPLE-RASTON: Officials only discovered the breach because whoever was inside goofed and crashed the server. Intelligence officials later confirmed publicly that they had traced the hack back to Russia.

(SOUNDBITE OF MONTAGE)

UNIDENTIFIED NEWSCASTER #3: Special counsel Robert Mueller out with his most sweeping indictment yet.

UNIDENTIFIED NEWSCASTER #4: ...Announcing this morning the indictment of 12 Russian military operatives on hacking charges related...

TEMPLE-RASTON: These kinds of incidents and news this week of new Russian intrusions into county electoral systems puts a troubling report that was sent to DHS a few months ago in a different light.

Written by cybersecurity experts at RiskIQ and Northrop Grumman and obtained by NPR, it warned that flaws that might have allowed hackers to change voter registration files four years ago could still exist in California and Florida and could be used again. The report, which went to the agency in July, was hypothetical and it didn't point to any specific hacks but concluded that the vulnerabilities were probably still there.

A DHS spokesperson downplayed it, telling NPR that it was unverified and questionable. Just hours later, though, the director of National Intelligence, John Ratcliffe, announced this.

(SOUNDBITE OF ARCHIVED RECORDING)

JOHN RATCLIFFE: We have confirmed that some voter registration information has been obtained by Iran and separately by Russia.

TEMPLE-RASTON: Then on Thursday, the FBI and DHS announced that Russian hackers targeted dozens of state and local government networks and voting-related systems. Among the fresh concerns, that the websites that are used to identify voters at the polls could be changed.

NEIL JENKINS: Voter registration databases tend to be online. And because of that, they tend to have many of the same vulnerabilities that other websites have.

TEMPLE-RASTON: That's Neil Jenkins. He was the election security coordinator for the Department of Homeland Security in 2016. He says if a website is on the Internet, it's at risk.

JENKINS: They need to be monitored. They need to be patched and mitigated.

TEMPLE-RASTON: But he says even if there's a vulnerability, even if the report is correct and there are flaws in the voter registration websites, local election boards are unlikely to do anything about it because we're too close to the election.

JENKINS: Amazon probably doesn't make a lot of changes to its infrastructure just before Prime Day. Target doesn't patch a lot of vulnerabilities the day before Black Friday because they know operationally, the website has to be up and running.

TEMPLE-RASTON: And the last thing election officials would want to do just weeks before their big day, Jenkins said, is to insert a patch and accidentally crash their own websites.

Dina Temple-Raston, NPR News.

(SOUNDBITE OF MUSIC)

Copyright © 2020 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.