Public officials provided false assurances about the legitimacy of Trump’s poll-defying win in 2016.

25 min readJul 27, 2021

@jennycohn1 on Twitter
7/26/21

People sometimes ask me why I became an advocate of election security and transparency. One of the main reasons is that, in the wake of reports of Russian interference in 2016, I learned that public officials and others in leadership positions had provided false assurances about the security of our election system. Regardless of intent, these false assurances served to legitimize Donald Trump’s questionable victory in the 2016 election. I could not bear the possibility of a repeat performance at any level of government. I feel the same way today.

I’m painfully aware that now former President Trump has directed a fire hose of falsehoods at the 2020 election, which unseated him. I did a presentation debunking many of those lies for No Lies Radio. But Trump’s election lies do not justify ignoring legitimate concerns about election security. Nor do they provide a free pass to others who have spread misinformation, including false assurances about election security and Trump’s suspicious ascent to power in 2016. The truth matters now more than ever. Without it, the Democrats may yet concede their way into a permanent Republican majority without bothering to confirm that the GOP didn’t cheat.

1. The “no internet connectivity” myth.

The following is an account of what Jim Comey, James Clapper, Jeh Johnson, David Becker, Thomas Hicks and others told the American public about the possibility of remote attack on U.S. voting systems and how sharply it diverged from the truth. I do not know if they intended to lie or if they were conned themselves. They have never explained how they got it so wrong.

An accounting matters because our systems remain vulnerable to remote attack, and officials are unlikely to take appropriate measures to mitigate this and other risks if they and their surrogates are allowed to bury the problem or to deny that it exists. Voters must be told that they were misled so that they will understand the importance of election transparency, rather than continuing to blindly trust that public officials have taken adequate precautions to secure voting systems.

In September 2016, after media reports that Russian hackers had targeted America’s election system, James Comey testified to Congress that, “[T]he vote system in the United States .. is very, very hard for someone to hack into…Those things are not connected to the internet, but the voter registration systems are,” Comey said.

The same month, David Becker, the former Elections Initiatives director for Pew Charitable Trusts told Congress that “I know of no jurisdiction where voting machines are connected to the Internet. This makes it nearly impossible for a remote hacker.”

In October 2016, DHS Secretary Jeh Johnson and ODNI Director James Clapper similarly claimed in a joint statement that “[s]tates ensure that voting machines are not connected to the Internet…”

Many other people in positions of public trust, including Thomas Hicks, who has served as chairman of the US Election Assistance Commission (EAC) since 2014, have also told Congress that voting machines are not connected to the Internet.

What they said was false.

In 2015, the swing states of Florida and Wisconsin had allowed ES&S to install cellular (wireless) modems in some or all of their precinct ballot scanners. At some point, ES&S installed them in parts of Michigan, Illinois, Rhode Island, Tennessee, and Indiana too.

County administrators use these modems to transfer unofficial results from the precinct ballot scanners to the county central tabulators (centralized systems that aggregate precinct totals after the polls close). ES&S modems connect both the scanners and the receiving end systems to the internet. “Every expert you talk to will tell you, ‘Yes, cellular traffic goes through the internet,’” cybersecurity journalist Kim Zetter told WisPolitics.com.

As explained by the National Institute of Standards and Technology (NIST), these modems “make the voting system a node on the internet” that “could provide an entryway for remote attackers.” (Italics added.)

The people who falsely claimed — some under oath — that voting machines don’t connect to the internet have never explained how they got it so wrong. Did they lie or were they lied to themselves? If the latter, by whom and how can we ensure we have accurate information in the future? Unfortunately, no one in a position to extract this information seems to have asked them these questions.

Meanwhile, in October 2018, a group of about thirty highly respected election-security experts and prominent election-integrity organizations sent a letter to the Department of Homeland Security and Election Assistance Commission (EAC) to warn about cellular modems and the internet. “To justify the use of cellular modems in election systems, many will assert that cellular modems operate on a network separate from the Internet and that use of these modems does not expose voting systems to the public Internet. This assertion is not accurate. Modern cellular modems (unlike older wired analog modems) use IP packets, IP addresses, and IP routers, and in fact, are part of the Internet.” (Italics added.)

The letter urged both the EAC and DHS to “caution state and local election officials against using wireless and cellular communication and recommend suspending use of wireless modems in voting machines for the upcoming elections.” The letter further advised that “cellular modems within voting systems should be physically removed, and not simply disabled by software means.”

For years, ES&S had denied this internet connectivity. In January 2017, however, the Columbus Free Press reported that Chief Wisconsin Election Commission administrator Michael Haas had stated in sworn testimony that, “‘Some of the newer equipment does have modems that operate using wireless internet. And so after the polls close, then when those unofficial results are transmitted, in some cases, they could be transmitted. The instantaneous transaction would be conducted over the internet.’”

Moreover, as journalist Kim Zetter reported in 2018, “an ES&S document that the company supplied to Rhode Island in 2015 calls the modem transmission of votes an ‘internet’ transmission.” (Italics added.)

Nonetheless, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), under the leadership of Chris Krebs, issued election-security “best practices” guidelines in June 2018 that did not discuss wireless modems much less recommend that officials remove or disable them. When experts asked the DHS (which includes CISA) to instruct states to remove the modems, Krebs declined to do so. To the extent he or his agency discussed the issue with states at all, it appears they did not do so in writing.

Krebs did, however, make time to present ES&S’s VP of governmental relations, Kathy Rogers, with a certificate of appreciation in February 2019.

About six months later, Zetter reported that a team of researchers led by Kevin Skoglund had found nearly three dozen backend ES&S election systems in 10 states connected to the internet, including systems in:

Nine Wisconsin counties,
Four Michigan counties, and
Seven Florida counties

The back-end systems had been on the receiving end of wireless transmissions from ES&S’s precinct ballot scanners. Some had been “online for a year and possibly longer.” Skoglund’s findings were first reported by Zetter and later by Cynthia McFadden for NBC News who spoke both with Skoglund and Tim Burt, the president of ES&S.

McFadden: Why is there a Sprint thing here and a Verizon thing there?

Burt: There is a small percentage of jurisdictions in the country, a lot of them are in Florida, who have decided that they want to modem unofficial results, uh, to the election office.

McFadden: You know you do wonder sometimes whether our thirst for quick results may be interfering with our thirst for accurate results:

Burt: You know, Cynthia, that’s not my place to judge that….

According to McFadden’s report, ES&S claimed that the modems are turned on for “just seconds.” However, “[f]or a skillful, motivated attacker, it doesn’t matter much if [the system is connected] two minutes or a whole year,” according to election-security expert Harri Hursti.

Moreover, Skoglund’s team found that “[s]ome of the systems ha[d] been online for a year and possibly longer.” (Italics added.)

McFadden: If you were able to get inside these systems, could you do more than just mess with the preliminary results. Could you actually get deeper into the system?

Skoglund: Absolutely, and that’s my biggest concern. *** We should make sure that voting machines are not connected to the internet.

McFadden: Period.

Skoglund: Period.

Even after McFadden’s segment on NBC News, ES&S’s FAQ’s falsely stated that the company’s systems “never” connect to the internet.

***

Unfortunately, vote tallies can be vulnerable to internet hacking even without cellular modems, another truth ignored by Comey, Johnson, Clapper and others who provided false assurances about the risk of remote attack. As election-security expert Professor Rich DeMillo of Georgia Tech told me last year, “‘all voting machines…receive programming before each election via memory cards or USB sticks prepared on centralized election-management computers systems that are likely connected to the Internet on occasion.”

Thus, as explained by DeMillo, “‘a hacker or corrupt insider could transfer malware to every [voting machine] within the county or state by compromising either these centralized computers or the memory cards or USB sticks.’” We don’t know whether or not this has happened because the software is proprietary, which means that the vendors won’t let anyone look to find out.

As the Open Source Technology Institute (OSET) explained in a letter to the Senate Intelligence Committee in March 2017, small election offices are sometimes unable to afford a separate dedicated computer for the election management system, which means that the EMS computer “may also be used for email, web browning and connecting to other data services. And as a result, it is possible for such a machine with its multipurpose use, will be connected from time to time (or continuously) to the public internet.”

Election security expert Professor Alex J. Halderman agrees that “ election management systems ‘sometimes are connected to the Internet or the data that’s programmed into them passes through an internet-connected system,’ so that “we’re just one or two hops away from an online attacker.” As he testified to the House Appropriations Subcommittee a few years back, “‘hackers who compromise an election management system can… spread a voter-stealing attack to large numbers of machines.’”

Moreover, ES&S has sold election management system computers with pc anywhere (remote-access) software pre-installed from 2000 through 2006. Diebold, which ES&S acquired in 2009, reportedly also sold election management system computers containing remote-access software.

According to Zetter, who broke the story in 2018, ES&S had previously denied selling systems with remote-access software. “In a [February 2018] statement, ES&S said, ‘’None of the employees who reviewed this response, including long-tenured employees, has any knowledge that our voting systems have ever been sold with remote-access software.’”

But in a letter to Sen. Ron Wyden (D-OR) in April 2018, ES&S “acknowledged that it had ‘provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006,’ which was installed on the election-management system ES&S sold them.”

ES&S later admitted to NPR that it had done this for about 300 of its customers (not such a small number after all). But it has refused to identify these customers. “Although Wyden’s office asked ES&S to identify which of its customers were sold systems with pcAnywhere installed, the company did not respond.”

As far as I can tell, the only member of Congress who has been straightforward with the public about election security is Senator Ron Wyden. As Wyden warned on CNN in March 2018, remote-access software would be a dream for foreign hackers.

ES&S told Zetter that remote-access software is no longer installed in its systems. But it refused to say when it was removed. “ES&S would only say that it had confirmed with customers who had the software installed that they ‘no longer have this application installed.’ The company didn’t respond to questions … asking when these customers removed the software — whether…it had only recently told customers to remove it following concerns raised in the 2016 presidential elections that Russian hackers were targeting election networks in the US.”

***

2. The “decentralization” myth.

Johnson and Clapper also lied to the American public when they claimed in October 2016 that the “decentralized nature” of our election system would make it “extremely difficult” for hackers to alter an election outcome.

Johnson would later acknowledge that this assurance was false, which he had to have known all along because the point is obvious. “It’s a bit awkward because we say there are thousands of jurisdictions, it would be hard to alter, which in reality is not really true, because all you’d have to do is go to key precincts in key states,” he said. (Rigged, p. 193.)

Representative Ted Lieu (D-CA) has also called out the myth of decentralization. “In a close … election, they just need to hack one swing state. Or maybe one or two. Or maybe just a few counties in one swing state.”

Moreover, only a tiny handful of private vendors account for the bulk of America’s electronic voting systems. If hackers or corrupt insiders infiltrated one of the top two or three vendors (ie, ES&S, Dominion, or Hart), which collectively account for more than 90% of US election equipment, they could spread malware to voting systems throughout the country.

Last year, Professor Halderman warned the House Appropriations Committee that“[a] small number of election technology vendors and support contractors program and operate election management systems used by many local governments. The largest of these services over 2,000 jurisdictions spread across thirty-four states.”

Thus, as explained by Halderman, bad actors “could target one or a few of these [private] companies and spread an attack to election equipment that serves millions of voters.”

In a piece for Scientific American, Halderman again warned that a single election-system vendor does pre-election programming for 2,000 jurisdictions in thirty-four states from an office building in the Midwest.

“All of that’s done from its headquarters, in a room I’ve been in that I’d describe as being part of a typical work building shared with other companies,” Halderman added. “If attackers can hack into that central facility and remotely infiltrate the company’s computers, they can spread malicious code to voting machines and change election results across much of the country.”

ES&S often conducts this type of pre-election programming for its customers. In July 2019, the Senate Intelligence Committee report on Russian election interference in 2016 included a section titled, “Russian Activity Directed at Voting Machine Companies,” which stated that “malicious cyber actors” had “scanned [name redacted], a widely used vendor of election systems.” (Report, pp. 29–30.)

The report redacted the vendor’s name, but “Election Systems and Software, LLC,” fits the number of redacted letters and spaces exactly.

The report did not explain what it meant by “scanned.”

In short, Comey, Clapper, Johnson, and others spread lies in 2016 and 2017 about the ability of remote hackers to change vote tallies and the outcome of a national election. To a large extent, these lies are what made me a determined advocate of evidence-based elections: hand marked paper ballots, plus a secure and transparent chain of custody, plus public hand counting or public hand audits. If our government wants me to trust election results, it will have to prove that they are trustworthy.

I feel it is crucial that others knows that these public officials spread election-security misinformation so that they, too, will demand evidence-based elections, as opposed to blindly trusting that public officials and vendors have provided appropriate safeguards.

3. Misleading claims about the legitimacy of Trump’s alleged “win.”

No one expected Trump to win the 2016 election. On the eve of that election, almost all major national polls predicted that Clinton would win. In its final pre-election poll, Fox News gave Clinton a four-point edge over Trump.

The New York Times gave Clinton an 85% chance of winning.

Reuters/Ipsos gave Clinton a 90% chance of winning.

ABC news gave Clinton a 95% chance of winning.

Nate Silver’s 538 election forecast was an outlier giving Clinton only a 71.4% chance of winning. Even Silver, however, considered a Trump victory improbable.

As of 5:00 p.m, confidential exit polling data showed Clinton leading by wide margins in most battleground states. A pro-Trump ABCNews producer named Chris Vlasto leaked this confidential data to the Trump campaign at 5:01 p.m., just as George W. Bush’s cousin had done for the Bush campaign in 2004.

“Vlasto had the early exit numbers that the consortium of news networks — the Associated Press, ABC News, CBS News, CNN, Fox News, and NBC News — had collected,” two members of Trump’s campaign later wrote. “The consortium followed eleven battleground states, including Ohio, Florida, and Pennsylvania. Trump was down in eight of the eleven states by five to eight points. The news was devastating. A kill shot.”

Then, just as Bush had surprised everyone by outperforming the exit polls in 2004, Trump shocked the nation by outperforming the exit polls in the battleground states. At about 11:45 p.m., the networks called the race for Trump.

Philip Bump of the Washington Post did the math. The swing states of Michigan, Wisconsin, and Pennsylvania, had given Trump the win by less than 80,000 votes. “Trump won those states by 0.2, 0.7 and 0.8 percentage points, respectively — and by 10,704, 46,765 and 22,177 votes.”

According to the unadjusted exit polls, Clinton should have defeated Trump in North Carolina, Pennsylvania, Wisconsin, Ohio, and Florida.

The chart was prepared by Jonathan Simon, author of Code Red: Computerized Elections and the War on Democracy. (Michigan posted only adjusted exit polls, i.e., adjusted to match the reported totals, so it is not on the chart.)

Nationally, the exit polls had been generally accurate, making the swing-state deviations even more striking, according to Simon. (Code Red, p. 29.)

The US government was not in a position to know if Trump’s reported win was legitimate. “We don’t have surveillance tools to surveil what is happening with voter registration and election infrastructure,” Jeh Johnson told author David Shimer years later. (Rigged, p. 182.) Rather, the US government had to rely on election officials to volunteer information and/or to let them inside their systems.

Although state election offices from all 50 states had accepted some form of assistance from the DHS before the 2016 election, only thirty-six out of about ten thousand local election jurisdictions had done so. (Rigged, p. 192.) This was a problem because most vote tallying equipment was (and is) within the custody and control of local election officials, not state election officials.

Nonetheless, Obama reportedly called Clinton twice on election night, urging her to concede. “‘You need to concede,’ Mr Obama told his former Secretary of State” over the phone. “At last, Clinton said, ‘Give me the phone,’ got her opponent on the line and said two words she had never expected to say: ‘Congratulations, Donald’”

After Clinton’s concession, election-security experts approached Jill Stein, a third-party candidate who had run against Clinton (and dined with Putin in Russia), about requesting a recount of the presidential race. Stein agreed to seek manual recounts in Wisconsin, Michigan, and Pennsylvania, but Trump objected and the effort was derailed in court.

The Pennsylvania recount never got off the ground. In Wisconsin, the court refused to order a hand recount, and most large counties refused. In Michigan, the recount excluded precincts with broken voting-machine seals or discrepancies between the number of voters and the numbers of votes. The court halted it after three days.

Trump would be America’s next president.

In December 2016, Obama sought to reassure the country about the legitimacy of Trump’s win. “I can assure the public that there was not the kind of tampering with the voting process that was a concern and will continue to be a concern going forward. The votes that were cast were counted. They were counted appropriately. We have not seen evidence of machines being tampered with. So that assurance I can provide. That doesn’t mean that we find every single potential probe of every single voting machine across the country. But we paid a lot of attention to it. We worked with state election officials, etc. And we feel confident that that didn’t occur. And that the votes were cast. And they were counted.”

The following month, the DHS released a report, which claimed that “the types of systems Russian actors [had] targeted or compromised [during the 2016 election] were not involved in vote tallying.”

By September 2016, however, “the US. Intelligence community had reported [behind closed doors] that Russian hackers could edit actual vote tallies,” according to David Shimer’s book Rigged, which cites four (anonymous) senior members of the Obama administration. (Rigged, p. 176.) This claim is difficult to reconcile with the DHS’s public report.

Moreover, neither Obama nor the DHS was in a position to eliminate the possibility that Russia or domestic actors had changed electronic vote tallies without completed manual recounts or (perhaps) a forensic analysis of the voting equipment. Neither had occurred.

In June 2017, the DHS admitted that it had conducted no forensic analysis of voting equipment to determine whether tallies had been altered and said that it did not intend to do so.

Unless the DHS changed its mind or the FBI secretly conducted such an analysis, the very unsatisfying answer is that the US government cannot have known whether Trump legitimately won the 2016 election or not. Claims to the contrary have been at best misleading, even if motivated by arguably noble intentions, such as a desire to maintain the public’s trust in an untrustworthy election system.

As far as I can tell, the only current member of Congress who leveled with the American public is Senator Ron Wyden. “People are always saying, well, no votes were changed [in 2016]. Nobody knows that!,” he bellowed from the floor of the Senate in 2019. “Because we wouldn’t know that unless we have a real forensic analysis, you really broke the system down, and that hadn’t been done.”

It is alarming that other Democratic leaders remained silent. Regardless of intent, their silence strongly suggests that the Democratic party is perfectly capable of conceding its way into a permanent Republican majority without confirming that the GOP didn’t cheat. Democratic voters cannot let that happen.

4. The public learned in 2017 that Russia had penetrated further into America’s election system than officials had led them to believe.

In May 2017, a 25 year old Army veteran and NSA contractor named Reality Winner leaked a confidential NSA report to the Intercept .

The leaked report stated that the GRU’s hackers had used information obtained from an August 2016 breach of election-systems vendor VR systems to send spear phishing emails to over 120 email accounts used by Florida county election officials.

These spear phishing emails “contained an attached Word document coded with malicious software (commonly referred to as a Trojan) that permitted the GRU to access the infected computer,” according to Volume I of special prosecutor Robert Mueller’s report.

Might some of these election officials have used the same computer for emails and the county election management system? In other words, might these spearphishing emails, if successful, have given the GRU access to election management systems and thus the vote tallying in Florida? Election management systems are not voting machines but they are just as important to the vote tallying process because they provide the pre-election programming for all voting machines in a county or state and aggregate precinct totals after polls close. As the Open Source Technology Institute (OSET) explained in a letter to the Senate Intelligence Committee in March 2017, small election offices are sometimes unable to afford a separate dedicated computer for the election management system, which means that the EMS computer “may also be used for email, web browning and connecting to other data services.”

Adding further to the mystery regarding the nature of the attack, Mueller’s report revealed in March 2019 that Russian hackers had breached at least one Florida county “network” in 2016 as a result of the spear phishing attack. “We understand the FBI believes that this operation enabled the GRU to gain access to the network of at least one Florida county government,” the report stated.

The vague reference to a breached county network raises legitimate concerns about the integrity of vote tallies (as well as voter registration systems). An election-security handbook published by the Center for Internet Security in 2018 stated that the “diversity of functions delivered by an EMS [election-management system] makes it difficult to generalize the level of connectedness of any given system, but most will have at least some aspects of a network connected system.” The handbook further stated that “In some cases, vote tabulation equipment will be network connected, whether through a wired or wireless connection.”

In response to the report of a breached Florida county “network,” Jeremy Bash, who had served as chief of staff at the Department of Defense and the Central Intelligence Agency under Obama, voiced concerns on CNN about vote tallying and reporting. “I think we all have been worried about the hacking of voting machines,” he said. “But what this [hacked election network] story suggests is the potential for hacking the [Florida] vote tabulation systems, where the votes are tallied and how the results are displayed.”(Video, 7:43.)

Meanwhile, because the Intercept did not protect Winner’s anonymity, the DOJ arrested her and charged her under the Espionage Act. She was convicted and received a five-year sentence, the longest sentence ever handed down under the Act.

According to the Intercept, “[s]everal key state officials said no one had warned them about the Russian scheme until the leaked memo from the...NSA, appeared in The Intercept in June 2017. To them, Winner's leak was a form of public service.”

In May 2018, the bipartisan Senate Intelligence Committee published a memo summarizing its preliminary findings, which included scathing criticism of the DHS for having waited more than a year to notify state election officials that their systems had been scanned.

The bipartisan Committee’s 2018 memo further disclosed that, “In at least six states, the Russian-affiliated cyber actors went beyond scanning and conducted malicious access attempts on voting-related websites” and that in a “small number of states, these cyber actors were in a position to, at a minimum, alter or delete voter registration data.” Other than Illinois and Florida, these states have never been identified.

To my dismay, Biden has failed thus far to pardon Winner for providing some of the transparency that the US government withheld and continues to withhold regarding the 2016 election.

In July 2019, the bipartisan Committee’s final report advised that Russian hackers had targeted election systems in all 50 states before the 2016 election. But the report also stated that the Committee had “found no evidence” that vote tallies were altered. Senator Ron Wyden, a member of the Senate Intelligence Committee, wrote a blistering dissent, pointing out that no one had looked to see whether vote tallies were altered or not.

5. The public learned in 2019 that Manafort had shared confidential polling data with a Russian operative.

In 2019, thanks to a sloppily redacted court filing, the public learned for the first time that Paul Manafort, Trump’s former campaign manager, had shared confidential polling data in 2016 with a Russian operative named Konstantin Kilimnik. Kilimnik worked closely with Russian oligarch Oleg Deripaska (a close ally of Russian president Vladimir Putin), who claimed at the time that Manafort owed him millions of dollars. Based on text messages, Manafort hoped to use his position on Trump’s campaign to “get whole” with Deripaska. Special prosecutor Robert Mueller was unable to determine what, if anything, was done with the polling data because Manafort and others refused to cooperate and had often used encrypted communications. I wrote in detail about the polling data here: https://jennycohn1.medium.com/paul-manafort-oleg-deripaska-konstantin-kilimnik-and-the-polling-data-7819004ce568?sk=fb8e82046c65a5668aba5b09e159b70d

6. The GOP blocked necessary election-security legislation in 2020, and Democrats have not reintroduced it.

In 2020, Democrats led by Wyden introduced an election-security bill, the SAFE Act, which would have banned paperless voting machines and internet-connectivity to voting systems (including wireless modems), while requiring robust manual audits for all federal races.

The SAFE Act would have been a significant step toward evidence-based elections, but the GOP blocked the bill before the election.

Wyden discussed what had transpired with Fast Company:

Fast Company: When you proposed a discussion of your election-security bill today, was it again [Tennessee Republican] senator Blackburn who shut it down for the Republicans?

Senator Ron Wyden: Yes, Marsha Blackburn objected to both Senator Warner’s proposal and my efforts to pass the Securing America’s Federal Elections Act (SAFE), which largely incorporates my earlier bills [requiring] hand-marked paper ballots and [risk-limiting] audits and cybersecurity standards. [Minnesota Democrat] Amy Klobuchar and I are the sponsors of it in the Senate.

I was struck by the fact that the Republicans will accept no — repeat, no — cybersecurity standards. And I pointed out that right now, today, you can have a voting machine with an open connection to the internet, which is the equivalent of stashing American ballots in the Kremlin. And the Republicans objected and then sat down, and I said, “You all won’t even have a conversation about the seriousness of this problem?” I mean it’s one thing to have a different view of how you would tackle election security, but they just use their raw power to go, “Nothing to fear. All done.” And I was just slack-jawed by that. I used a specific example of a fundamental cybersecurity standard, and they just said, “Nope, not interested.”

His signature election-security legislation, the SAFE Act, never passed. Due to the GOP’s obstruction, America conducted the 2020 election without the basic election-security protections that the SAFE Act would have provided.

To be sure, in November 2018, Congress had established the Cybersecurity and Infrastructure Security Agency (CISA) to help safeguard U.S. elections. I have no doubt that CISA made many improvements. In 2017, “the Department of Homeland Security told FiveThirtyEight that it was providing ongoing cyber hygiene scans to five private voting companies, though it declined to name which ones.”

And according to the testimony of former CISA director Chris Krebs, the agency encouraged better communication and educated election officials on election security “best practices,” including the importance of updating passwords, using multi-factor authentication, and installing intrusion-detection sensors (called Albert sensors) on voter-registration systems.

These best practices, however, were voluntary. Moreover, CISA appears to scan only for known malware and IP addresses. This is a concern. CISA missed the SolarWinds attack precisely because it used new (unknown) malware. For a potential attack on voting machine vendors or internet-facing systems, bad actors could do the same (use new malware), evading CISA’s scans. Corrupt insiders with access to election management systems or memory cards could also change vote tallies without installing malware onto the system.

In addition, despite warnings from election-security experts about the dangers of wireless modems, the written guidelines that CISA distributed to election officials did not include removing or disabling the wireless modems that ES&S and perhaps other vendors had installed in precinct ballot scanners in Wisconsin, Florida, Michigan, and beyond.

In October 2020, America’s foremost election-auditing expert, Philip Stark, a professor of statistics at the University of California at Berkeley, told me that “only a few jurisdictions currently audit elections in a way that has a good chance of catching and correcting wrong reported outcomes. That requires a trustworthy paper trail — primarily hand-marked paper ballots kept demonstrably secure throughout the election and the audit — and [what is known as] a risk-limiting audit using that paper trail. But, to the best of my knowledge, even those states only audit a few contests in each election.” (Emphasis added.)

In other words, even when the presidential election is subjected to a robust manual audit, most other races are not. This is concerning, given that the GOP won all 27 out of 27 House races that were rated as tossups before the election.

For reasons unknown, the Democrats have yet to reintroduce the SAFE Act in 2021. This is a travesty. Given the GOP’s purported concerns about the security of the 2020 presidential race, this may be a rare opportunity for bipartisan support. Election security is no less important now than it was when Trump occupied the White House. Without both security and transparency (the cornerstone of evidence-based elections), we will remain vulnerable both to election fraud and to false claims that fraud occurred. I warned of this before the 2020 election, and it remains true today. Our democracy barely survived the 2020 election. We may not be so lucky in 2022.

Update, August 3, 2021

I added this paragraph:

Moreover, CISA appears to scan only for known malware and IP addresses. This is a concern. CISA missed the SolarWinds attack precisely because it used new malware. For a potential attack on voting machine vendors or internet-facing systems, bad actors could do the same (use new malware), evading CISA’s scans. Corrupt insiders with access to election management systems or memory cards could also change vote tallies without installing malware onto the system.

Update, August 5, 2021

I added this:

I also added this:

Updated 4/28/22

I added a few paragraphs about Chris V lasto leaking exit polling data. I also added a section about Reality Winner and a section about Manafort’s transfer of polling data to Kilimnik.