Reality Winner Just Provided Evidence of Russian Election Hacking

The news of the arrest of Reality Winner, the inappropriately named NSA contractor who allegedly leaked classified information to The Intercept, is overshadowing the real news. In a looking-at-the-forest-versus-the-trees moment, the world seems focused on Ms. Winner herself, a 25-year-old blonde, and the details of her arrest rather than the content of her leak.

The big news is that Ms. Winner has provided what many Russia skeptics have been asking for over the past few months: evidence of Russian meddling in the election. The report contains direct, unfiltered insight into the NSA findings on Russian hacking of election officials and companies.

The Intercept published many details of the report that Ms. Winner purloined from an NSA facility at Ft. Gordon, Georgia. The report, dated May 5, 2017, “indicates that Russian hacking may have penetrated further into U.S. voting systems than was previously understood. It states unequivocally in its summary statement that it was Russian military intelligence, specifically the Russian General Staff Main Intelligence Directorate, or GRU, that conducted the cyberattacks” on US companies that provide election software. The NSA found that the Russians stole data that they then used to conduct “a voter registration-themed spear-phishing campaign targeting U.S. local government organizations.”

The report does not assess the impact of the cyberattacks, but there was previously no indication that Russia had targeted computers connected to actual voting in the election. “It is unknown,” the NSA notes, “whether the aforementioned spear-phishing deployment successfully compromised the intended victims, and what potential data could have been accessed by the cyber actor.”

While electronic voting machines are not connected to the internet, Alex Halderman, director of the University of Michigan Center for Computer Security and Society and an electronic voting expert, told The Intercept that a major risk would be if the Russian attacks compromised vendors who program voting machines prior to Election Day.

“Usually at the county level there’s going to be some company that does the pre-election programming of the voting machines,” Halderman said. “I would worry about whether an attacker who could compromise the poll book vendor might be able to use software updates that the vendor distributes to also infect the election management system that programs the voting machines themselves. Once you do that, you can cause the voting machine to create fraudulent counts.”

Another possibility would be a denial of service attack. Pamela Smith, president of Verified Voting, an elections watchdog group, said, “If someone has access to a state voter database, they can take malicious action by modifying or removing information. This could affect whether someone has the ability to cast a regular ballot, or be required to cast a ‘provisional’ ballot — which would mean it has to be checked for their eligibility before it is included in the vote, and it may mean the voter has to jump through certain hoops such as proving their information to the election official before their eligibility is affirmed.”

The Intercept article noted that polling station computers that deal with registration and check-in are tied to the internet and connect directly to country voter databases. A virus spread by the polling equipment could quickly infect other government computers. Malware that changed or deleted voter rolls could throw an election into confusion.

At this point, the investigation is still ongoing and most of the results are still secret, like Reality Winner’s report should be, but this glimpse that the report provides into what is already known by the government is disturbing. Even if the attacks were ultimately unsuccessful, the mere fact of the attempt could undermine public faith in the outcome of the elections.

“It’s not just that [an election] has to be fair, it has to be demonstrably fair, so that the loser says, ‘Yep, I lost fair and square.’ If you can’t do that, you’re screwed,” said Bruce Schneier, a cybersecurity expert at Harvard. “They’ll tear themselves apart if they’re convinced it’s not accurate.”

Originally published on The Resurgent