Watching coverage of pro-Trump rioters storm the Capitol building Jan. 6, Matt Bernhard had to wonder: How much were he and his colleagues to blame?
“We spent the last five years putting in all this work,” said Bernhard, an engineer at VotingWorks, a nonprofit election technology company, and an expert in election cybersecurity. “And somehow despite all that, there was the worst insurrection in the country since the Civil War because people don’t trust the outcome.”
Like all cybersecurity research, election security relies heavily on the premise that to make any system better, you first need to draw attention to the ways people can hack it. Bernhard’s peers have done that with gusto since the beginning of the Trump administration. They’ve shown how, in the right isolated circumstances, a voter registration machine can be rewired to play the ’90s computer game Doom, or how a child could hack a vulnerable website that was coded to look like Florida’s election night reporting site.
While their research heavily contributed to security upgrades ahead of the contentious 2020 election — one that election officials jointly called “the most secure in American history” — it has proven to be a double-edged sword. Election cybersecurity researchers who spoke with NBC News say they worry it also provided ammunition to bad-faith actors who have sought to convince some Americans that the election was illegitimate.
“We always knew we were walking a bit of a scary line when flagging vulnerabilities,” Maggie MacAlpine, an election security researcher, said. “We’re always battling the fact that the appearance of a hack can be as impactful on an election as an actual hack.”
That’s taken a toll on the researchers themselves. Some of them have gone from working in obscurity for more than a decade to becoming the targets of harassment. Three of them said that they have received death threats since the election, echoing the larger trend of threats against election officials.
It’s a dynamic that threatens to push the once-transparent field of election cybersecurity research into the shadows and intimidate people from joining what has become a crucial discipline.
“As someone who’s been in this space for as long as I have, it’s amazing to me how it’s got so bad so quickly,” said Eddie Perez, the global director of technology development at Open Source Election Technology Institute, a nonprofit that advocates for transparent and secure voting technology. “I think it’s reasonable to wonder if the contentiousness of the climate, the amount of emotion and anger, can certainly have a chilling effect.”
(NBC News previously collaborated with the Open Source Election Technology Institute to monitor U.S. election technology and voting issues.)
The U.S. computerized its election systems in the aftermath of the contentious 2000 presidential election, where issues with paper “hanging chads” led to recounts and questions over its legitimacy. That sparked a small field of computer scientists who tested election equipment and wrote papers about flaws they found.
Things changed after the 2016 election, after Russia hacked Hillary Clinton’s campaign and made a handful of attempts to hack U.S. election infrastructure. By coincidence, that was the year that a copyright provision expired, paving the way for the country’s largest hacker conference, Def Con, to start an annual “Voting Village” that allowed roaming hackers to tear apart decommissioned voting equipment, which they did with spectacular results.
The election industry and local government officials complained that such hacks were extremely unlikely in an actual election scenario. But the Voting Village’s biggest takeaway — that since no machine was unhackable, the entire country needed to use paper ballots, which can be verifiably recounted — resonated with the U.S. government.
Chris Krebs, then the head of the Cybersecurity and Infrastructure Security Agency, told a Def Con crowd in 2019 that paper ballots were a national security priority. Congress passed $1.2 billion in grant money to replace old election equipment, prompting the largest election infrastructure overhaul since the country largely went digital after the 2000 election.
Sen. Ron Wyden, D-Ore., a longtime election and cybersecurity advocate, said that research helped pass that legislation.
“The Voting Village organizers performed a great public service and made a real difference in educating the public and Congress,” he said in an emailed statement.
“Their work was influential in the increased adoption of voting machines that produce auditable paper ballots, and my own work to draft the toughest election security legislation ever introduced,” he said.
But that same work provided ammunition for people who wanted to sow doubts about election integrity, said Matt Masterson, who was CISA’s top election cybersecurity official during the 2020 election and now works on election misinformation at Stanford University.
“The Voting Village served a necessary purpose,” he said. “They brought to the forefront the national security implications of election system vulnerabilities, though the way they went about it lessened the impact they could have had.”
That in turn paved the way for pro-Trump conspiracies to create “a perversion of election researchers’ work, in some cases careers, in pursuit of lies and what I would call the grift around the 2020 election,” Masterson said.
A week after the U.S. media called the election for Joe Biden but before then-President Donald Trump was permanently banned from Twitter for the potential to incite violence over the results, Trump tweeted a video of NBC News’ coverage of the Voting Village, citing it as evidence that elections were untrustworthy.
Trump allies used election security researchers’ findings to try to overturn states’ results. Trump lawyer Sidney Powell cited Voting Village organizer Harri Hursti’s prior research in her unsuccessful lawsuits against Georgia and Michigan for what she claimed was “massive election fraud.”
Hursti said that wasn’t a fair representation of his work, and that Powell never contacted him.
“My work has been taken and just turned to something that it’s not, taken out of context,” he said. “They took our affidavits from other lawsuits, and then wrote in the text something we would never say, which was not backed by the affidavits,” he said.
Howard Kleinhendler, an attorney for Powell, said in an email that Hursti’s works were public, as they had been filed in other election suits, and “She did not require Mr. Hursti’s knowledge or consent” to use Hursti’s research in her filings.
Earlier this month, top election officials from each state gathered together for the first time since the start of the pandemic, at the annual National Association of Secretaries of State conference in Iowa.
In one area, a handful of cybersecurity experts volunteered at Hacking Demystified, a mini Def Con of their own. State officials could learn skills like how to pick locks — a favorite hacker tool for visualizing how to break into a system — and get a demonstration of what it looks like to work through a ransomware infection, Jack Cable, one of its organizers, said.
“It feels a lot different. It seems like secretaries recognized the value of security research.”
Def Con also resumed as an in-person conference this year after going remote in 2020. Instead of a host of experts, though, Hursti helmed the entire village himself, as most prominent researchers opted to stay home over coronavirus fears.
He was angry that MyPillow CEO Mike Lindell, a prominent Trump-supporting election conspiracy theorist, planned to host a cybersecurity symposium to prove the election was hacked. (Lindell has since hosted the conference, and Hursti attended. Lindell did not actually provide such data.)
“Putting this together is very important, because for example there’s claims that there’s a secret algorithm in these machines,” Hursti said.
“This is a chance for people to rip it apart and find if there’s the algorithm,” he said. “This is for debunking the claims so people can see what is the truth.”