By Alexandra Wolfe
In 2005, a concerned Florida election supervisor asked the Finnish data-security expert Harri Hursti to hack into one of the state’s commonly used voting machines to test its vulnerability. The verdict wasn’t reassuring. By modifying just a few lines of code on the machine’s memory card, Mr. Hursti says, he could change the results of a mock election. That same model, he adds, will be among those used in the 2020 elections. (A spokesperson for the machine’s vendor, Dominion Voting, says that these weaknesses were fixed in 2012, but Mr. Hursti says that he has tested the new version and found the updates insufficient.)
Mr. Hursti has spent the past 15 years trying to draw attention to the weaknesses in America’s voting systems. Last month, he was featured in an HBO documentary called “Kill Chain: The Cyber War on America’s Elections,” about far-reaching security breaches in multiple U.S. elections that he says have gone unfixed. He warns that both the American political establishment and the public are far too complacent. “Once you understand how everything works, you understand how fragile everything is and how easy it is to lose this all,” Mr. Hursti says in the film.
In 2017, the Department of Homeland Security notified 21 states that they had been targeted by Russian hackers in the previous year’s voting. (Russia denies the allegations.) Mr. Hursti has worked with some of those states to stave off future attacks, he says, but past breaches are rarely investigated. DHS has said that it found no evidence that votes were changed during the 2016 voting. A 2017 U.S. intelligence assessment—whose findings were unanimously reaffirmed Tuesday by the Republican-led Senate Intelligence Committee—described a significant 2016 Russian “influence campaign” to “undermine public faith” in American democracy and “help President-elect Trump’s election chances.”
Mr. Hursti focuses more on the hardware side of the voting process than information operations from hostile powers. He doesn’t offer direct evidence of vote tampering in 2016, but he warns that, given the security flaws he has uncovered, it was certainly possible. For years, voting rights groups have been suing states, alleging problems with voting machines. Last August, a judge in Georgia ruled that the state needed new voting machines to replace unsecure, outdated ones that had malfunctioned during the 2018 governor’s race.
Mr. Hursti is a jolly, round-faced 51-year-old with scruffy hair and a boyish demeanor. With humorous disbelief, he discusses the different ways that hackers can directly interfere in the mechanics of a democratic election, from changing voter-registration records to maliciously creating mechanical difficulties that stop voting machines from working properly.
In the film, Mr. Hursti bristles at assurances from such officials as former FBI director James Comey and U.S. Election Assistance Commissioner Thomas Hicks, who once said that American election results were secure in part because the voting machines can’t connect to the internet. But Mr. Hursti warns that many voting systems have modems or other forms of network connectivity that transmit data which, he says, a determined hacker could intercept. Election companies say the machines cannot be accessed externally if proper security protocols are followed. In the documentary, Mr. Hursti says that he found more than 1,000 such machines for sale on eBay : A hacker, he notes, could simply buy one, study it and learn how to connect to it remotely.
Growing up in Helsinki, Finland, Mr. Hursti was a precocious child. Before he was 7, he studied astronomy and math with university professors in his community, who suggested that he learn computer programming.
He soon became interested in encryption and hacking, and later, during his mandatory military service, he helped develop Finnish military encryption and secure communication protocols. In his mid-20s, he co-founded EUnet Finland, which became part of one of Europe’s first internet service providers. In 2001, he founded a software company that he sold a few years later.
In 2004, Mr. Hursti planned to retire, exhausted and financially independent after developing and selling two companies so quickly. While backpacking around the world, on his way to Tahiti, he stopped in Los Angeles. Friends there introduced him to an election-education nonprofit called Black Box Voting that asked him to look into security anomalies around the U.S. At first, he declined. “It sounded like conspiracy theories,” he says.
He finally agreed to explore the issues if an actual election supervisor would talk to him. Four months later, Ion Sancho, a supervisor who served Florida’s Leon County and was involved in the state’s bruising 2000 presidential recount, asked Mr. Hursti to look into vulnerabilities in the machines that his county and many others were still using.
Mr. Hursti discovered that the machines had removable memory cards that he could program to change votes. “These machines are so unsecure and so easy to hack,” he says. (At the time, Diebold, the company that made the machines, dismissed his findings as a “sham.”) Mr. Hursti’s report spurred the state of California to investigate; scientists at the University of California, Berkeley, concluded not only that Mr. Hursti was correct but that the machines had a host of other flaws.
These things may not be vulnerable from outside but are vulnerable from within.