In a world where nothing can be 100% secure, U.S. elections come remarkably close. CISA has issued numerous statements assuring voters of the measures in place and warning against claims of hacking intended to "manipulate public opinion and undermine confidence in U.S. democratic institutions." Reviewing the last eight years of threats to voting records and voter data, we see that there are of course real threats, but none that would undermine the legitimacy of U.S. election results.
Yes, America’s voting machines are secure
America’s voting machines have proven resilient against attacks, and there has never been any evidence to challenge the integrity of the results they produce. Voting machine makers Dominion and Smartmatic have collected hundreds of millions of dollars from defamation suits and they will likely get even more.
Disinformation threatens democracy
America’s electoral system, on the other hand, has been damaged by years of attacks. An election ends with an acknowledgment that the party who received more votes has won. Disinformation campaigns have aimed to give Americans the permission to reject the reality of that result, and even to embrace physical violence to assert their own. Amongst the real threats to the electoral process, according to the FBI and CISA, are “attempts to undermine public confidence in the security of U.S. election infrastructure through the spread of disinformation falsely claiming that cyberattacks compromised U.S. voter registration databases.”
Hacks, leaks, and other attacks
While the U.S.’s election infrastructure remains secure, there have been real information security incidents related to the electoral process. On one hand, there are cases where the confidentiality of voter personal information has been compromised. In many of these cases, the UpGuard Research team was able to proactively detect the leaks before threat actors did.
The real threats to the integrity of voting data come in the form of physical attacks on voting hardware and ballots. The timeline below illustrates some of these major events, which include hacks, leaks, disinformation, and even physical threats.
2016
How the Russians hacked the DNC and passed its emails to WikiLeaks
July
Hack — Russian hacking groups gained access to the Democratic National Committee's systems during the 2016 campaign, releasing emails and other internal documents publicly through WikiLeaks.
How the Russians penetrated Illinois election computers
July
Hack — Russian hackers gained access to the names, addresses, dates of birth, driver's license numbers and partial Social Security numbers of about 500,000 Illinois voters via an SQL injection attack on the Illinois State Board of Elections.
2017
The RNC Files: Inside the Largest US Voter Data Leak
June
Leak — The UpGuard Research team discovered a publicly exposed copy of the RNC's voter database, containing detailed information on 198 million Americans.
The Chicago Way: An Electronic Voting Firm Exposes 1.8M Chicagoans
August
Leak — The UpGuard Research team discovered a publicly exposed copy of a Chicago voter database with 1.8M records.
2018
The Aggregate IQ Files
March
Leak — The UpGuard Research team discovered an exposed code repository for AggregateIQ, the company making electioneering software used in the 2016 U.S. election, the Brexit vote, and Canadian races.
Overboard: How Tea Party Campaign Assets Were Exposed Online
September
Leak — The UpGuard Research team discovered a storage bucket containing internal documents from the Tea Party Patriots Citizens Fund.
Donald Daters, a dating app for Trump supporters, leaked its users' data
October
Leak — A French security researcher discovered an exposed database for an app connecting Donald Trump supporters.
2019
Political History: How A Democratic Organization Leaked Six Million Email Addresses
September
Leak — The UpGuard Research team discovered a storage bucket for the Democratic Senatorial Campaign Committee containing 6.2M records.
2020
Campaign Gaffe: How a Voter Contact App Exposed Credentials and Code
March
Leak — The UpGuard Research team discovered a publicly exposed code repository for Campaign Sidekick, a GOP get-out-the-vote app.
The Russian Election Hack That Wasn't (This Time)
September
Disinformation — A Russian newspaper claimed that personal details from Michigan voters had been released by hackers; however, that information was already intentionally public.
'Dumb mistake' exposed Iranian hand behind fake Proud Boys U.S. election emails, sources say
October
Disinformation — Threats originating from an email address apparently tied to the far-right group "Proud Boys" were in fact sent by Iranian threat actors.
Florida County Database Mistake: Election Officials' Logins Among Exposed Data
October
Leak — The UpGuard Research team discovered publicly exposed documents from a Florida county, including credentials for county election officials.
2021
Trump allies breach U.S. voting systems in search of 2020 fraud 'evidence'
Physical threat — In eight separate incidents across five states, Trump supporters attempted to breach voting systems to demonstrate the machines' results were rigged.
Campaign of Fear: The Trump world's assault on U.S. election workers
Jun–Dec
Physical threat — A series of reports from Reuters on Trump supporters terrorizing election workers.
2022
A software CEO was arrested on suspicion of storing poll worker data in China
October
Leak — Conservative vote monitoring organization "True the Vote" discovered a publicly exposed database with U.S. election worker data hosted in China.
Judge restricts far-right group from carrying weapons, taking video at Arizona ballot drop boxes
November
Physical threat — Far-right groups wearing body armor and carrying weapons took video and photographs of people using ballot drop boxes.
2023
Fox, Dominion reach $787M settlement over election claims
April
Disinformation — After Fox News aired claims that Dominion Voting Systems changed votes in the 2020 election from Trump to Biden, Dominion sued Fox. Ultimately they settled, with Fox paying $785.5M and admitting that their claims were false.
DC Board of Elections Says Full Voter Roll Compromised in Data Breach
October
Hack — Ransomware group RansomedVC claimed credit for breaching the voter data of the D.C. Board of Elections, including partial Social Security numbers, driver's license numbers, dates of birth, and contact information such as phone numbers and email addresses. The data was managed by DCBOE's vendor DataNet Systems.
2024
Rudy Giuliani loses bid to dismiss $148 million defamation judgment in Georgia election workers case
April
Disinformation — Rudy Giuliani accused two Georgia election workers of committing election fraud. They sued him for defamation and won, including a $148M judgment.
Iran Behind Trump Campaign Hack, US Government Confirms
August
Hack — Iranian threat actors compromised accounts belonging to members of the 2024 Trump campaign, stealing confidential information.
Right-wing influencers were duped to work for covert Russian operation, US says
September
Disinformation — A media company funding right-wing influencers including Tim Pool, Dave Rubin and Benny Johnson was discovered to be funded by a Russian influence operation.
Police are searching for the person who set ballot boxes on fire in Washington and Oregon.
October
Physical threat — A fire set in a ballot box in Vancouver, Washington destroyed about 475 ballots. Another fire was set at a ballot box in Portland, Oregon, but only damaged a few due to fire suppressant technology in the box.
Colorado governor works to remedy leak of voting system passwords
October
Leak — The Colorado Secretary of State announced that a spreadsheet of passwords for voting systems was accidentally exposed online. However, the systems had other compensating controls preventing them from being accessed, and the exposure has now been remediated.
Disinformation and distrust
The rejection of reality, and of the results of the democratic process, delegitimizes the resulting government and makes America weaker at home and around the world. Every one of America’s adversaries understands this, which is why China, Iran, and Russia engage in campaigns to distribute deceptive content that amplifies divisions within the U.S. electorate.
The FBI and CISA recently issued a PSA about the election, but it’s not a warning about cyber attacks. Rather, it is a warning to be skeptical of such claims, as that disinformation is how foreign adversaries are best able to interfere in the election process.
“There has been incredible effort across local, state and federal governments to ensure the security and integrity of our nation’s election infrastructure. Americans should be confident that their votes will be counted as cast. They should also know that our foreign adversaries will try to make them believe otherwise. We encourage everyone to remain vigilant, verify the information they consume, and rely on trusted sources like their state and local election officials.”
- Cait Conley (CISA Senior Advisor)
Voter information privacy
A separate but intertwined concern in election security is the privacy of voters’ personal information. Voter rolls and political campaigns both require large collections of information about the voting public. Those data sets may be distributed, enriched, and managed by third parties, all of which increase the attack surface and likelihood of compromise.
Unlike conspiracy theories about voting machines, concerns about data privacy for voter information do have a basis in reality. Threat actors have gained unauthorized access to voter databases. Entities processing voter information have repeatedly left it exposed on the internet, as the UpGuard Research team and others have demonstrated.
Voter privacy and election integrity
Voter privacy and election integrity are intertwined in another way, too: the demonstrated risks to voter privacy have become fuel for disinformation campaigns. In 2020, a Russian media outlet claimed to have American voter PII from a hacked database, stirring anxieties about Russian hacking. People more familiar with U.S. voter systems soon pointed out that the data, like much voter data, was publicly available.
The Podesta email hack, the event that really marked the beginning of the current threat environment for election integrity, established a pattern that has been repeating ever since. There was a cyber threat (Russian hackers really did breach the DNC), but the impact was not to drive discussion of how to better defend against Russian intrusion.
The leaked emails were weaponized to fuel conspiracy theories. There are real cyber threats in an election, but it is the fantastic shadows they cast that are used to disrupt election integrity.
The real threat to U.S. election integrity
When we look at the possible threats to the integrity of U.S. elections, we see real threats, but not from hacking. Former president Trump and his allies have done more to “sow distrust of U.S. elections,” as the FBI and CISA put it, than foreign adversaries ever could.
We know what could lead to votes not being counted at polling places: physical threats to the people who administer elections and destruction of the ballots themselves.
And while personal privacy will always be a valid concern, there are more likely ways for one’s private information to be compromised.