While the matter is of grave concern across the country, Kill Chain: The Cyber War on America’s Elections delves into problems with some specific machines and issues in certain states. For instance, back in 2005, security researcher Harri Hursti (a key figure in the film) demonstrated a memory card exploit that could alter votes on an optical scan voting machine. Those Diebold machines are still in operation in 20 states and are slated for use in November, the filmmakers note.

Elsewhere, a judge banned Georgia from continuing to use the vulnerable systems it had in place for well over a decade. In the wake of the contentious 2018 gubernatorial election, officials had new machines in place for this month’s presidential primary. While the replacements can print paper ballots, which are important for proper vote auditing, they’re still very much vulnerable as they run on Windows 7 — for which Microsoft recently ended support.

We also hear from an Indian hacker who says he was able to gain full access to Alaska’s system, including live voting data, during the 2016 presidential election. He claims he’d have been able to remove a candidate from the ballot or change any vote, but decided not to for fear of triggering some kind of alarm.

The documentary adeptly skirts the line between spelling out specific vulnerabilities and making the problems clear enough for the less technically-minded among us. It touches on many other issues related to election security, such as remote access and the case of the NSA whistleblower Reality Winner and some prominent figures weigh in, including recent presidential candidate Amy Klobuchar.

The film is effective in hammering home its message about the technical issues that pervade many US polling machines. It’s not much of a spoiler to reveal its main call-to-action: ask for a paper ballot if you’re not completely certain that your district’s electronic system is secure. Kill Chain: The Cyber War on America’s Elections premieres at 9PM ET on HBO, HBO Now and HBO Go.

Committee Chairman Richard Burr (R-NC) said the Obama administration “struggled to determine the appropriate response” and “debated courses of action without truly taking one.” The administration worried about alarming the American people and that a statement could be perceived as political, given that then-President Obama was actively campaigning for Hillary Clinton.

“There were many flaws with the U.S. response to the 2016 attack, but it’s worth noting that many of those were due to problems with our own system – problems that can and should be corrected,” said Vice Chairman Mark Warner (D-VA).

The committee concluded that in the case of future attacks, the public should be notified “as soon as possible with a clear and succinct statement of the threat.” Though, Burr says that as the 2020 presidential election approaches, the US is in a better position to identify foreign interference efforts.

This Senate report is the third of an expected five that will investigate the government’s handling of Russia’s election interference. The first report was released in July. We don’t know when the final two will be complete, but they are expected to detail the intelligence community’s 2017 assessment on Russian interference and the final counterintelligence findings.

Today the US Senate Select Committee on Intelligence released Vol. 1 of its report (PDF) on Russian attempts at election hacking in 2016. However, much of the information in it has already been released — like knowledge that hacking attempts reached all 50 states in one form or another — or is blacked out. As the New York Times notes, information redacted includes some of the key lessons for 2020.

In public statements about the report, senators in both parties on the committee noted there is still work remaining to be done to ensure election security in 2020. Despite that, earlier today Senate Majority Leader Mitch McConnell blocked the consideration of election security bills. In response, Senator Ron Wyden said in a statement that “We shouldn’t ask a county election IT employee to fight a war against the full capabilities and vast resources of Russia’s cyber army. That approach failed in 2016 and it will fail again.”

Key Findings and Recommendations:

• The Russian government directed extensive activity against U.S. election infrastructure. The Committee found the activity directed at the state and local level began in at least 2014 and carried into at least 2017. The Committee has seen no evidence that any votes were changed or that any voting machines were manipulated.
• Russian efforts exploited the seams between federal authorities and capabilities, and protection for the states. The Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) are, by design, limited in domestic cybersecurity authorities. State election officials, who have primacy in running elections, were not sufficiently warned or prepared to handle an attack from a hostile nation-state actor.
• DHS and FBI warnings to the states in the late summer and fall of 2016 did not provide enough information or go to the appropriate people. The Committee found that while the alerts were actionable, they provided no clear reason for states to take the threat more seriously than other warnings.
• DHS has redoubled its efforts to build trust with the states and deploy resources to assist in securing elections. Since 2016, DHS has made great strides in learning how election procedures vary across states and how to best assist those states. The Committee determined DHS’s work to bolster states’ cybersecurity has likely been effective but believes more needs to be done to coordinate efforts.
• Russian activities demand renewed attention to vulnerabilities in U.S. voting infrastructure. Cybersecurity for electoral infrastructure at the state and local level was sorely lacking in 2016. Despite increased focus over the last three years, some of these vulnerabilities, including aging voting equipment, remain. As states look to replace machines that are now out of date, they should purchase more secure voting machines. At a minimum, any machine purchased going forward should have a voter-verified paper trail.
• Congress should evaluate the results of the $380 million in state election security grants allocated in 2018. States should be able to use grant funds provided under the Help America Vote Act (HAVA) to improve cybersecurity in a variety of ways, including hiring additional IT staff, updating software, and contracting vendors to provide cybersecurity services. When those funds are spent, Congress should evaluate the results and consider an additional appropriation to address remaining insecure voting machines and systems.
• DHS and other federal government entities remain respectful of the limits of federal involvement in state election systems. America’s decentralized election system can be a strength against cybersecurity threats. However, the federal government and states should each be aware of their own cybersecurity limitations and know both how and when to obtain assistance. States should remain firmly in the lead on running elections, and the federal government should ensure they receive the necessary resources and information.
• The United States must create effective deterrence. The United States should communicate to adversaries that it will view an attack on its election infrastructure as a hostile act and respond accordingly. The U.S. government should not limit its response to cyber activity; rather, it should create a menu of potential responses that will send a clear message and create significant costs for the perpetrator.