Let’s start with a caveat from one of the authors of The Intercept’s story, just so we’re clear on what *isn’t* being alleged.
very very important: there’s nothing in the NSA report indicating the actual voting machines or vote tabulations were compromised
— Sam Biddle (@samfbiddle) June 5, 2017
Was that the goal, though? The piece is long and difficult to excerpt so I’ll try to summarize. According to the NSA (CBS has confirmed that this is indeed a real NSA report), last August Russia’s military intelligence unit — the GRU — hacked into a software company, likely VR Systems in Florida, that tracks voter registration for eight U.S. states. They used a spear-phishing attack, the same M.O. used to hack the DNC in 2015, to gain access to the login credentials for VR Systems employees. Then, on October 27th, just 12 days before the election, they used information they gleaned from those accounts to launch a second spear-phishing attack, this time aimed at email addresses for more than 100 local government officials “involved in the management of voter registration systems.” The spear-phishing email was made to look like it was coming from VR Systems, knowing that the officials would be more likely to trust it and to open it. It also contained a fake Microsoft Word document which, if opened by the unsuspecting target, would then infect their computer with virtually any malware the hackers wanted to deploy. “It is unknown whether the aforementioned spear-phishing deployment successfully compromised the intended victims,” according to the NSA.
Why did Russian military intelligence want to access local government officials’ computers? Good question. VR Systems doesn’t sell vote-counting software. They sell voter-registration software, to “verify and catalogue who’s permitted to vote when they show up on Election Day or for early voting.” In theory the hackers could have wreaked havoc with the voting process by mass-deleting voters from the registration database, introducing glitches to slow down the voting process, and so on. As best anyone can tell, they didn’t do that — certainly not on a scale large enough that people would have noticed. (There was a malfunction in the voter-registration system — operated by VR Systems — at some polling locations in Durham, North Carolina, on Election Day but officials there insist there’s no evidence of tampering.) So what did they do, or what could they have done if in fact this was just an experiment by Russia to probe what sort of chaos is technologically possible the next time the U.S. has an election? The Intercept speculates:
[A] more worrying prospect, according to Graff, is that hackers would target a company like VR Systems to get closer to the actual tabulation of the vote. An attempt to directly break into or alter the actual voting machines would be more conspicuous and considerably riskier than compromising an adjacent, less visible part of the voting system, like voter registration databases, in the hope that one is networked to the other. Sure enough, VR Systems advertises the fact that its EViD computer polling station equipment line is connected to the internet, and that on Election Day “a voter’s voting history is transmitted immediately to the county database” on a continuous basis. A computer attack can thus spread quickly and invisibly through networked components of a system like germs through a handshake.
According to Alex Halderman, director of the University of Michigan Center for Computer Security and Society and an electronic voting expert, one of the main concerns in the scenario described by the NSA document is the likelihood that the officials setting up the electronic poll books are the same people doing the pre-programming of the voting machines. The actual voting machines aren’t going to be networked to something like VR Systems’ EViD, but they do receive manual updates and configuration from people at the local or state level who could be responsible for both. If those were the people targeted by the GRU malware, the implications are troubling.
Use information from VR Systems to get into the local officials’ computers, then use information from the local officials’ computers to get into the all-important voting-machine software. There’s no hard evidence that Russia actually did that, and it’s hard to see why they would have waited until as late as October 27th to try to screw with vote tabulation if that was the big plan, but you can understand why the NSA is concerned about an enemy power being that close to potentially fiddling with vote totals. (“The NSA analysis does not draw conclusions about whether the interference had any effect on the election’s outcome and concedes that much remains unknown about the extent of the hackers’ accomplishments.”) Incidentally, of the eight states that use VR Systems software, two are Florida and North Carolina — both crucial swing states last year won narrowly by Trump (FL by 1.2 points, NC by 3.6). If they had gone the other way, Clinton would have won the election narrowly. So, yeah: Democrats who were already high on the theory that Russia “hacked the election” by changing vote totals, despite various officials like Barack Obama assuring them that didn’t happen, will be even higher after today.
The Intercept, by the way, is the same site that employs Snowden buddy Glenn Greenwald, who’s castigated Russia critics in the past for their “increasingly unhinged” rhetoric about Moscow’s role in the campaign. Makes me wonder if this report was leaked to the site not just because they have some degree of expertise in analyzing natsec documents but because the leaker knew that the allegations against Russia would seem that much more damning being leveled by Greenwald’s own outlet. One other thing that occurs to me: If Russia’s ultimate goal in messing with the U.S. election campaign, even above and beyond aiding Trump, was to sow distrust in western institutions, why didn’t they take steps themselves to leak the fact that they made this mischief with VR Systems and local election officials before the election? Or did they take steps somehow to be found out? That is, was the VR Systems hacking designed to actually damage U.S. election infrastructure or was it designed to show U.S. intelligence what Russia was capable of, knowing/hoping that it would leak — as it has — and further undermine the American public’s faith in democracy?
Update: Interesting coincidence. Within about an hour of The Intercept report being published, the DOJ is out with an announcement that it’s arrested and charged a federal government contractor with the unlikely name of Reality Winner with removing classified material from a government facility. “On or about May 9, Winner printed and improperly removed classified intelligence reporting, which contained classified national defense information from an intelligence community agency, and unlawfully retained it. Approximately a few days later, Winner unlawfully transmitted by mail the intelligence reporting to an online news outlet.” The Intercept is, of course, an online news outlet. The NSA report was dated May 5, just four days before Winner’s arrest. It’s a top secret document; Winner held a top secret security clearance. Hmmmmmmm.