Inside the Secret Plan to Stop Vladimir Putin’s U.S. Election Plot

7/24/17
 
from TIME Magazine,
7/20/17:

The Secret History of Election 2016.

Riverside County District Attorney Michael Hestrin was at his desk on June 7, 2016, when the calls started coming in. It was the day of the California presidential primary, and upset voters wanted the county’s top prosecutor to know that they had been prevented from casting their ballots. “There were people calling our office and filing complaints that they had tried to vote and that their registration had been changed unbeknownst to them,” says Hestrin. Soon there were more than 20 reports of trouble, and Hestrin, a 19-year veteran of the office and a graduate of Stanford Law School, dispatched investigators to county polling places to see what was going on.

At first what they found was reassuring. Everyone who had been blocked from voting had been offered a provisional ballot, and most had cast their votes that way. But as the investigators dug deeper, things looked less innocuous. In the days after the vote, more people started coming forward to say they’d also had problems with their voter registration on primary day. In at least half a dozen cases, Hestrin and his investigators concluded, the changes had been made by hackers who had used private information, like Social Security or driver’s-license numbers, to access the central voter-registration database for the entire state of California.

There the trail went cold. The California secretary of state’s office told Hestrin’s investigators that the state’s system hadn’t recorded the Internet addresses of the computers that had made the changes, so there was no way to learn the identity of the hackers. Hestrin could go no further, but that wasn’t the end of it. The lingering mystery of the voter-registration changes bred doubt among members of both parties. Local Republicans publicly alleged that Democrats were ignoring the issue and privately accused them of trying to suppress the GOP vote. Democrats thought Republicans were making up an excuse for their losses at the county polls. “That was a big concern,” says Hestrin, an elected Republican. “People should still have faith in our election systems.”

It was only months later that it dawned on investigators in D.C. that undermining voters’ faith may have been the point of the Riverside County hack all along. In the months following the California primaries, the feds discovered that Russian hackers had broken into more than 20 state and local election systems and attempted to alter voter registration in several of them. Looking back at the events in Riverside County, cybersecurity officials at the White House wondered whether it had been a test run by the Russians. “It looked like a cyberattacker testing what kind of chaos they could unleash on Election Day,” says one former federal cybersecurity official who looked into the case. “There was no forensic evidence, so we may never know for sure, but the intelligence told us the Russians were bragging about doing just that.”

The previously undisclosed 15-page plan, produced by President Obama’s cybersecurity officials and obtained by TIME, shows just how worried Washington was. It deferred to states in most cases of a cyberincident on Election Day. But in a severe attack “likely to result in demonstrable impact to election infrastructure,” it provided for “enhanced procedures” in response. The plan allowed for the deployment of “armed federal law enforcement agents” to polling places if hackers managed to halt voting. In a crisis, it also foresaw the deployment of “Active and Reserve military forces” and members of the National Guard “upon a request from a federal agency and the direction of the Secretary of Defense or the President.” For three days after the election, a special interagency effort would be tasked with addressing “any postelection cyberincidents,” including “planted stories calling into question the results.”

On Nov. 1, the White House went so far as to war-game an Election Day attack.

As it happened, Nov. 8 came and went with no final, spectacular attack on the integrity of the election. But the Russian effort may nonetheless be working, helped wittingly or otherwise by Donald Trump.

The diminished faith may deepen. Recent revelations and testimony have shown that the Russian operation targeting state and local voting systems was broader and more intrusive than previously thought. They have also shown that our election systems remain vulnerable to different kinds of attack designed to undermine not the vote count itself but America’s faith in the result. Which is why the story of how officials scrambled to secure the 2016 vote only to become mired in partisan suspicion is important. Because the question of U.S. vulnerability to election meddling is less about the past votes than it is about the next ones.

THE PLAN AND THE LAST STAND

Paralyzed by politics at home, Obama tried to blunt the threat directly abroad. In a now famous one-on-one meeting with Putin in early September in Hangzhou, China, Obama told him to “cut it out” or face unspecified consequences. The confrontation was memorialized in a photo of the two men staring icily at each other.

For a while it looked as if the warning might work. “The intelligence community basically told us that [they were] not seeing [the Russians] continuing to go down that road,” says a former senior White House official. And in the U.S., DHS scanned voting systems remotely across the country and found and patched vulnerabilities. Some states also accepted visits by DHS cybersecurity teams that checked for vulnerabilities in person. But relations between the states and the feds remained chilly.

Then, in October, the attacks resumed. The GRU launched an operation against a software company, VR Systems, that provided election software and devices to at least eight states, according to a report by the Intercept. The intruders used the information to craft a convincing-looking email that served a spear-phishing campaign against the electoral officials across the country.

With just weeks to go until the vote, the White House cybersecurity team realized there was little it could do to stop a Russian attempt to undermine the credibility of the vote on Election Day, so it shifted into damage-control mode. In late October, the White House distributed its 15-page plan to deal with an Election Day attack to the top cybersecurity officials across the federal government.

The Justice Department’s election-crimes unit and civil rights divisions were on standby, as were parts of DHS and the Secret Service.

Heavier forces waited in the wings. The White House plan included the possibility of deploying active and reserve components of the military.

At 6 a.m. on Election Day 2016, Ferrante opened the door to the “second Situation Room,” a carbon copy of the President’s secure West Wing conference room.

Over the course of the day, reports came in that made the group think it might be seeing a repeat of Riverside County, or worse. In Colorado, the election voter database went down for 30 minutes. In Utah, lines formed in what had become an unlikely battleground thanks to the independent candidacy of Evan McMullin. At one point, sensitive intelligence came in that needed to be run to ground. But ultimately the level of disruption was no greater than in any normal national election, and all in all, the vote went off smoothly. As the polls closed, and the election was called for Donald Trump, some on the White House cyberteam celebrated the fact that there had been no disruptive attack.

FROM BAD TO WORSE

On Nov. 25, amid talk of possible challenges to the vote in Wisconsin, Pennsylvania and Michigan, the Obama White House released a statement saying, “We stand behind our election results, which accurately reflect the will of the American people [and] believe our elections were free and fair from a cybersecurity perspective.” But even as the calls for recounts faded, doubts about the security of the election system spread.

… the counterintelligence operation at the [FBI] aimed at uncovering whether the Russian operation was trying to aid Trump only really began in earnest once the election was over. Given the focus of FBI cyber and counterintelligence officials on Hillary Clinton’s emails, this looks like a spectacular blunder in retrospect.

At the same time, some division remained over who the real threat to America’s electoral system was. Georgia was the only state that didn’t accept some form of assistance from the federal government, according to officials familiar with the matter. But as the Georgians looked for intruders themselves, they found a DHS employee scanning their system on Nov. 15. DHS looked into the matter.

… some state officials remain angry about the perceived threat of federal overreach, …
