Five possible hacks to worry about before Election Day

WASHINGTON –President Vladimir Putin of Russia dismisses the idea that he has the power to interfere with Tuesday's election. "Does anyone seriously think that Russia can affect the choice of the American people?" he asked during a foreign policy conference last week in the resort city of Sochi. "What, is America a banana republic? America's a great power. Correct me if I'm wrong."

America's top intelligence officials say he is highly unlikely to be able to alter the results. But they expect Russian hackers, or others, to try to disrupt the process — perhaps to help Donald Trump, but more likely to simply undercut what Putin views as America's holier-than-thou attitudes about its democratic procedures.

The Obama administration has concluded that much of the e-mail hacking that has roiled the campaign was almost certainly approved by the Russian leadership. More recent activity — including the probing of registration rolls in several states — might be the work of independent Russian hackers, it says. While no one knows what to expect before the polls close, a tight race is more susceptible to mischief.

So government agencies and commercial enterprises, including some hired by state election boards facing a determined cyberthreat for the first time, are on high alert. But they are not exactly sure what to look for. Russian hackers? Other attackers? Malware that harnesses devices to strike election infrastructure? More e-mail revelations?

Dmitri Alperovitch of CrowdStrike, the cybersecurity firm that found the intrusions into the Democratic National Committee's computer servers, said at a Harvard discussion that while the odds that the results could be manipulated were "minuscule," he thought hackers' ultimate goal was "to discredit the results of the election." That is the sort of activity that Russia has long carried out in Ukraine and other former Soviet states.

Federal and state officials are focusing on five possible ways to hack the election. Here is a look at their biggest concerns:

(Possible, but hard to make an impact)

So far, the steady drip of documents from WikiLeaks and other sites posting stolen e-mails and even the National Security Agency's tools for breaking into foreign computer networks has not changed the contours of the election. E-mails that seemed to show efforts in the Democratic National Committee to tip the scales in favor of Clinton in the primaries led to the resignation of Rep. Debbie Wasserman Schultz as the committee's chairwoman, but they had little long-lasting effect. A disclosure from the hacking of the e-mail account of John D. Podesta, the Clinton campaign chairman, bolstered the notion that Bill Clinton had been enriched by some of the same people who contributed to the Clinton Global Initiative. But that was not exactly a surprise.

Still, no one knows what else hackers might have stolen, or may be saving for the last frenetic days of the campaign.

(Lots to worry about)

In the spring, the FBI warned Arizona, and then Illinois, that someone was "probing" their central voter registration databases, the ever-changing lists of people who are legally registered to vote and where they live. Once, those rolls were kept in big books and dragged to polling places, but today they are held in databases, often connected to websites that make it easier to register online or when getting a driver's license.

The vulnerabilities in big central systems are hard to find, as the federal government learned with the Chinese theft of nearly 22 million security clearance records from the Office of Personnel Management. Chinese hackers were inside the systems for more than a year before the government noticed.

Yet many states have underinvested in their systems, and that is why there is so much concern. Few states even sample their systems to see if the data is correct, so they might not be able to detect a problem. Starting this summer, the Department of Homeland Security has raced to perform tests in states that asked for help — all but a few have — but the process was rushed, and the government will not say what it found.

The fear is that intruders could make minor changes in addresses or other identifying information, leading to long lines and accusations of "rigging" the polls. Voters could cast provisional ballots, but it could take months to sort out.

(A significant risk, but detectable)

Consider this possibility: It is Tuesday evening, and the networks and other news organizations are clamoring for "unofficial" results so they can call the races in swing states. The precincts report returns to regional centers, and that data flows to the Associated Press, the clearinghouse for unverified returns. If hackers could flip such "data in motion," they could alter the first call, even if it is an unofficial one. If the numbers then swing back in the official tally, cries of foul play — that the numbers got manipulated before the final calculation — would surely follow.

Sound far-fetched? It happened recently in Ukraine, in an attack organized by Russia, experts believe. As Ben Buchanan and Michael Sulmeyer note in a Harvard Cyber Security Project report, investigations revealed that "offenders were trying by means of previously installed software to fake election results." The effort was discovered 40 minutes before the results were scheduled for announcement. The Harvard report notes that "curiously, pro-Russian TV nonetheless reported the fake results exactly."

When internet connections across the East Coast slowed to a crawl on Oct. 21, after a sophisticated attack on a company that serves as a "switchboard" of the web, it illustrated a new fear for Election Day: an attack that comes just as voters are looking at their phones to find their polling place, or trying, for instance, to figure out if the bus will get them there.

That hack was a new twist on an old, crude technique: a "distributed denial of service" attack that overwhelms websites or the internet's traffic systems with a barrage of data. In the Oct. 21 attack, which is not believed to have been conducted by a foreign power, internet-connected devices like security cameras were infiltrated and programmed en masse to attack Dyn DNS, a firm that helps connect web searches to the right internet sites.

Such an attack could be directed, for example, at computer systems used by a campaign's "get out the vote" efforts. "People think of denial-of-service attacks as very broad," said Andy Ellis, the chief security officer at Akamai, a firm that helps companies maintain web connectivity. "But they can be very targeted, very specific, and hard to defend against."

The Department of Homeland Security is setting up a war room for Tuesday to look for trouble, connected to the FBI and the Justice Department. But they look primarily at the federal government system. And the National Security Agency, presumably, is turning on the "implants" it has placed in foreign systems to detect any attacks. Those implants are all highly classified, so the NSA is silent about what it can see — or what it could do if it saw the prelude to an attack.

(Unlikely, but possible)

"The voting machines themselves are offline, and we think the system is so diversified it is secure," said Suzanne E. Spaulding, the undersecretary of Homeland Security who oversees cybersecurity efforts.

Outside election experts fear, however, that this nothing-to-see-here confidence fails to take into account known vulnerabilities. While most voting machines are not connected to the internet while voting is underway, they are often connected before Election Day, to update their ballots and software.

Some machines, like the DS200, an optical scanning model used in many districts, comes with an optional wireless ability. The good news: They can report results automatically. The bad news: Any wireless connection is a vulnerability.

There are other worries. Five states do not have paper backups to create an audit trail if the electronic ballots are questioned. Pennsylvania, a swing state, has paper backups in only some communities. Members of the military who are based overseas are often permitted to e-mail their ballots, and Alaskans can use what the state calls "secure online delivery."