Congratulations on a Successful Midterm Election 

I was all set to do a newsletter on what we could expect from a Republican-controlled Senate and House on issues like national security, cybersecurity, and technology. But that’ll have to wait. Maybe for a while.

Like you, I’m reading everything Jonah, David, Nick, Kevin, and the rest of the Dispatch team are writing about the election so that I can know what happened, why it happened, and how I should be thinking about it. I guess my part of this effort should focus on the cyber side of the story. So, here we go.  

First, let’s talk about DDoS attacks. In Illinois and Mississippi, websites used by state election officials, campaigns, and partisan groups were hit by distributed denial of service (DDoS)  attacks, temporarily preventing their use. To set the table: A DDoS attack isn’t really a “hack,” because no system is compromised, and no data is leaked or changed (more on that in a bit). A bad guy will infect hundreds, thousands, or potentially millions of computers with code that allows them to then use this “botnet” to flood a website with fake traffic, slowing or shutting it down under the strain. It’s like if I were to remotely cause every Dispatch reader’s phone to simultaneously call the main line of the Alexandria, Virginia, police department—this would quickly prevent anyone from getting through to the department because its phone lines would be overwhelmed by the traffic.

It’s more of a harassment technique that, under the right circumstances, can have a significant impact. For example, in 2016 the Mirai botnet attack used more than 145,000 compromised devices to temporarily shut down access to several high-profile websites, including Airbnb, GitHub, Netflix, Reddit, and Twitter. 

That’s essentially what happened to some election-related websites in Illinois and Mississippi on Tuesday. According to local, state, and federal officials, these attacks may have prevented citizens from getting information about voting locations, hours for voting, etc., but they had no impact whatsoever on ballots, vote counting, or any other aspect of the actual voting process. “There is no specific or credible threat that is disrupting election infrastructure,”one official from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) told the Wall Street Journal. 

While a Russian activist group is claiming credit for the DDoS attacks, that’s all we’ve got, and we just don’t know who did this. The fact is that DDoS attacks are getting easy to do, with some internet jerks even offering their botnets as a DDoS service—just fill out your credit card information, tell them what webpage you want to hit and for how long, and they’ll take care of the rest.  

The bottom line here is that, while annoying, DDoS attacks happen every day and the ones perpetrated on Tuesday should in no way undermine anyone’s confidence in the integrity of elections in Illinois or Mississippi. There were, however, other technical complications at other voting locations. 

Early on Tuesday, some vote tabulation machines in Arizona’s Maricopa County malfunctioned and had difficulty accepting completed ballots. County election officials were able to quickly resolve the issue by calling in technicians and changing printer settings. Importantly, any ballot that could not be counted by a machine was placed in a locked dropbox, then securely transferred to a counting facility, where it was recorded under the supervision of a bipartisan team. “Everyone is still getting to vote; no one is being disenfranchised,” Bill Gates, chairman of the county board of supervisors and a Republican, said. “This is a technical issue and we have a redundancy for it.” 

Here’s my understanding of what happened: Voters made their selections using an electronic voting machine that printed a voter’s completed ballot. The voter then takes the printed ballot to an election official who uses a scanning machine to record and count the votes on the ballot. Unfortunately, about 20 percent of the counting machines in Maricopa County had trouble reading the printed ballots for a short while until the technical solution was made. 

To be very clear: There is no reason to believe that these temporary disruptions had any meaningful effect on the outcome in Maricopa County or in Arizona more broadly.  

And that’s it. As of right now, those are the two big cyber stories in this year’s midterm elections, and we should all be proud and thankful for that. That doesn’t mean, however, that partisans will not be using these and other purported examples of “rigged” voting to justify their rejection of the election outcomes. But doing so is a huge mistake. 

Our entire political system is predicated on the notion that our elected officials hold their offices because they have been legitimately placed there by the people of the United States. To say that one of these officials—especially the president—is illegitimate due to “rigged” elections is to directly call this fundamental presupposition of representative democracy into question. Any American has a right to make such a claim, but it is incumbent upon them to then prove this claim—or at the very least mount a compelling argument that it could be the case.  

And over the coming days and weeks, some might try to make this case. So, I want to preemptively help you decipher between facts and some assertions you’re likely to hear. 

Assertion: Elections in Illinois and Mississippi were hacked. 

Reality: No, some election-related websites were temporarily unavailable, but there is no sign that hackers gained access to, or changed in any way, voting data in any state. 

Assertion: Problems with ballot scanners mean votes weren’t counted. 

Reality: The use of paper ballots and other redundancies in Maricopa County, Arizona, and in every other state ensures votes can be counted under the supervision of bipartisan teams and recorded appropriately.  

Assertion: Voting machines and software aren’t reviewed or tested, and they are easily “hacked” or manipulated.  

Reality: Voting machines and software undergo extensive review and testing at the federal, state, and local levels. According to CISA, “Under federal and state certification programs, voting system manufacturers submit systems to undergo testing and review by an accredited laboratory or state testers. This testing is designed to check that systems function as designed and meet applicable state and/or federal requirements or standards for accuracy, privacy, and accessibility, such as the Voluntary Voting System Guidelines set by the U.S. Election Assistance Commission. Certification testing usually includes a review of a system’s source code as well as environmental, security and functional testing. Varying by state, this testing may be conducted by a state-certified laboratory, a partner university, and/or a federally certified testing laboratory.” 

Assertion: Hackers just released a bunch of private voter information—this means the election must have been hacked. 

Reality: No, some voter registration data is publicly available to political campaigns, researchers, and members of the public, often for purchase. Cyber actors will sometimes release this information as a way of sowing doubt in election integrity or as a way of “phishing” more information from hacking targets. 

Assertion: A local or state jurisdiction’s information technology (IT) systems have been compromised; therefore, the election results in that locality or state cannot be trusted. 

Reality: Local or state IT infrastructure is not necessarily connected to these municipalities’ election infrastructure. In fact, they typically are not connected. Even if an election-related system is compromised, multiple safeguards—including backup paper ballots and provisional ballots—can be used to ensure the proper tabulation and recording of election results. 

Now, none of this is intended to minimize or sweep away Americans’ concerns about election integrity—we should all want free, fair, and accurate elections. And here’s the good news: We have them. It is certainly true that some states could do a lot more to make voting results known and available in a timely fashion. And sure, some fraud, voter intimidation, and other dirty tricks happen on the margins. But these challenges are on the periphery and do not significantly affect our election outcomes. 

Both sides of the political aisle have developed a bad habit of calling disappointing election results into question and then trying to use these fears to drive up voter participation in the next cycle. But that’s not only cynical and wrong, it’s also stupid. What sane voter is going to keep voting after they become convinced that their vote doesn’t count? This is when alternative measures for making opinions known—sometimes even violent measures—begin being considered, and that’s when our democratic system faces an existential risk. 

Every one of us should thank God for the freedom and privilege of living in a nation where our government, as frustrating and silly as it can be, is still a government “of the people, by the people, [and] for the people.” Regardless of whether your candidate won or lost their race this week, this is something we can all celebrate. 

That’s it for this edition of The Current. Be sure to comment on this post and to share this newsletter with your family, friends, and followers. You can also follow me on Twitter (@KlonKitchen). Thanks for taking the time and I’ll see you next week!