Assessing the threat of Russia hacking the US election

Vladimir Putin
Ivan Sekretarev | Pool | CNBC
Vladimir Putin

Much of this year's election cycle has centered around the relationship between the U.S. and Russia, especially U.S. allegations that Russia is using cyberattacks to disrupt the democratic process. But the true nature of the threat is a little different than most Americans imagine.

Last week, the Obama administration accused senior Russian officials of authorizing hacks into the Democratic National Committee and other targets. They also pointed to "scanning and probing" of online election rolls in some states that seemed to be coming from Russian servers.

The U.S. government may be reticent about retaliating against Russia with its own cyberattacks right now, according to The New York Times, because Russia could come back to disrupt the U.S. elections next month. The Times wrote, "Attacks on online voter registration rolls could sow chaos at polling places, and the election infrastructure has never truly been tested against a power like Russia."

However, several cybersecurity experts we spoke with suggested the harm that could be caused by Russian attacks would be more psychological than anything else. According to a statement released last week by the U.S. intelligence community and Department of Homeland Security, the federal government has determined it would be "extremely difficult" for even a nation-state to use cyberattacks to alter actual ballot counts in America's decentralized election system.

"It's not clear whether these attacks could change the integrity of the data," said Rahul Telang, a professor at Carnegie Mellon University who studies the economics of information security and privacy. "The storyline that someone was trying to access these systems is more damaging than any actual damage to the data."

Most state voting systems still maintain a paper trail and other checks and balances, but it would take only one perceived success to introduce doubt about the process for many Americans. In a September poll by The Washington Post and ABC News, half of Donald Trump's supporters already aren't confident that the "votes for president across the country will be accurately counted this year."

Vote to see results
Total Votes:

Not a Scientific Survey. Results may not total 100% due to rounding.

"Russia probably has the ability to hack parts of our election system, but perhaps more importantly, it would be easier to target a particular city and have some success against the integrity or credibility of the election," said Kenneth Geers, senior research scientist at cybersecurity firm Comodo and a former NSA analyst. "You could even imagine a particular city being targeted so it has all Trump votes or all Clinton votes, and all of a sudden the whole system is in question."

It wouldn't be the first time Russian hackers have created doubt in an election. Russia employed similar techniques against former Soviet republics Estonia and Ukraine, said Geers. But there isn't much evidence that hackers could directly access voting machines or even alter election rolls, said Telang. The attacks on election rolls that were discovered in Arizona and Illinois were more about stealing data, he said, not actually changing records.

Art Gilliland, CEO of cybersecurity firm Skyport Systems, disagreed with that detail. "If you can steal the data, you can change it." But he agreed that the biggest risk is psychological. "They could set a tone in the community — can we even trust this? That's the biggest risk."

"The integrity of the voting process strikes right at the heart of our federal government and who we are as a nation." -Marcus Christian, Partner, Mayer Brown

The experts who spoke to CNBC didn't think the U.S. is holding back against Russia for fear of Election Day damage. Russia has an inherent interest in doing things that make problems for the U.S., said Marcus Christian, a partner in Mayer Brown's cybersecurity and data privacy group. If they're planning on interrupting the election, it probably won't help that the United States is trying not to upset them.

"Even if the U.S. withholds attacks against Russia, who's to say they won't indulge in some of these tactics during the election?" Telang asked.

America's diverse election systems across its cities, counties and states bring both pros and cons. The biggest pro is that there isn't one giant national system that could be hacked at once (unlike, for example, Estonia's centralized system). The con is that there may be less-secure systems that could be individually attacked.

Brett McDowell, executive director of the FIDO Alliance — a group of 250 companies that are working to improve user security — said the oldest systems could be the safest, because they may not be on the internet at all.

In a statement Monday, Secretary of Homeland Security Jeh Johnson said 33 states have approached the department about getting help with cybersecurity services. DHS is offering voluntary "hygiene" scans and vulnerability assessments for local authorities. Johnson has also suggested the election system should be added to the government's list of critical infrastructure, such as the power grid and national memorials. The department did not respond to requests for comment.

"The integrity of the voting process strikes right at the heart of our federal government and who we are as a nation," said Christian of Mayer Brown. "So whether or not it's designated as critical infrastructure, it's something that has to be protected."