WASHINGTON: Leaked documents from the probe into Russia's interference in the 2016 US election underscore some of the worst fears about electronic voting systems -- that they may be vulnerable to hackers.
The intelligence report revealed by The Intercept showed a cyberattack that targeted more than 100 local election officials and software vendors, raising the prospect of an attempt to manipulate votes.
Security experts for years have warned that electronic voting, even without an internet connection, may be vulnerable in the United States, where a patchwork of systems run by states and municipalities has varying degrees of protection.
Russian President Vladimir Putin has denied any effort to influence the 2016 US election. But the report suggests meddling went beyond psychological warfare to an attack on voting systems themselves.
"These are our worst fears," said Joseph Hall, chief technologist at the Center for Democracy and Technology, who researches voting systems.
"For over 15 years, I and a lot of other people have said we had never seen a confirmed hack of voting systems. We're not going to say that anymore."
The top-secret document from the National Security Agency stops short of drawing any conclusions about the impact of the attacks and whether they affected any votes, but suggests hackers got deeper into US voting systems than previously believed.
Hall said voting systems may be vulnerable because localities rely on private software vendors that may lack the resources to defend against a well-funded cyber adversary.
"A lot of those vendors are quite small," Hall said. "There's not a lot of hope when you are going up against an 800-pound bear."
Hacking elections "has always been thought of as a theoretical possibility, but now we know it is a real threat," said Susan Greenhalgh, a researcher with the Verified Voting Foundation, an election systems monitor.
Greenhalgh added that "we need to ensure our voting systems are resilient going into 2018 and 2020" elections.
Matt Blaze, a University of Pennsylvania computer scientist, said any penetration of the election system would be alarming.
"Bottom line is that owning any part of a county election office backend system is a VERY powerful platform for an attacker," Blaze said on Twitter.
"All that said, it's a long way from 'systems were attacked' to 'election was tampered with.' But still very worrisome."
Andrew Appel, a Princeton University computer science professor who has studied election systems, said that if the report is accurate and the cyberattack occurred days before the November vote, it would likely have been too late to affect the outcome.
But Appel said any tampering with vote systems could have serious and far-reaching effects.
"If this kind of attack had taken place weeks before the election, it would be cause for significant concern" for the outcome, he said.
"And it's many weeks now before the next election, and if there has been Russian penetration of our election software systems or anyone else's penetration, it could continue to affect vote counting for years."
Appel said that if ballots are manipulated within a voting machine, "it won't be obvious, people won't know about it" unless there is an audit or recount.
Most US states now use optical scanners with paper ballots that can be audited, but a handful employ paperless systems with no paper trail to verify the count.
"Internet elections are even more hackable, and I'm glad we're not doing that," Appel said.
Bruce Schneier, chief technology officer of IBM Resilient and a fellow at Harvard's Berkman Center, said the report shows the weaknesses of US election systems.
"This (attack) feels more exploratory than operational, but this is just one piece. There are lots of vulnerabilities," Schneier said.
"Election officials are largely in denial. The next election will be no more secure than this election."