Hack the Vote: Cyberrisk at the Ballot Box
Electoral infrastructure in the United States is overseen by a patchwork of local authorities, guided by the recommendations and assistance of national bodies, but not governed by federal regulations. As a result, when America heads to the polls on Nov. 8, it will be to carry out a critical civic duty on a wide range of equipment guarded by a variety of security processes, a reality that has led many experts to voice increasing concern about potential cyberrisks.
In fact, in a survey conducted by security software provider Tripwire, 63% of information security experts said they believe cybercriminals are influencing the outcome of the U.S. presidential election.
Indeed, whether through the spread of private data from the Democratic National Committee hacks or the rise of cybersecurity policy as a critical issue in evaluating a presidential candidate, cybersecurity has already played a prominent role in this election cycle. As the scale of vulnerability becomes more evident, however, experts are concerned that hackers could have a far more direct impact on the electoral process.
At this year’s Black Hat hacker conference, for example, Symantec Security Response set up an electronic voting booth to demonstrate the ease with which these machines can be hacked. Using a simple $15 device that is readily available online, researcher Brian Varner reset voter access cards, which could give a voter the ability to cast their vote as many times as they like. Varner estimated he could vote about 400 times in a couple of minutes and poll workers would be none the wiser, especially as it is illegal to monitor an individual’s activity in the voting booth.
Malware could also be implanted on voting machines since almost none have any kind of malware detection software. Even if they did, today’s advanced malware could be programmed to change a small enough number of votes to evade suspicion before automatically deleting itself.
The delivery systems for voting results are also vulnerable to breach. This would allow a hacker to boost numbers for a particular candidate or intercept the final results before they are reported back into the system.
“The results go from that machine into a piece of electronics that takes it to the central counting place,” Kevin Haley, Symantec Security Response director, told CBS News. “That data is not encrypted and that is vulnerable for manipulation.”
The bottom line is that, if connected to the internet, like any “smart” technology, a voting machine could be hacked. Fortunately, few are set up this way. According to Verified Voting, a nonprofit that advocates for election accuracy, 70% of voters will cast paper ballots this year.
Online voting systems are available in some jurisdictions, however, largely to accommodate the ballots of members of the military and Americans based abroad. An August report by the Electronic Privacy Information Center said 32 of the 50 states would allow voting by insecure email, fax and internet portals in this election cycle. As far back as 2010, an online voting pilot program in Washington, D.C., was hacked by University of Michigan students within 36 hours.
According to the Washington Post, the Department of Homeland Security issued a warning this spring that online voting is not yet secure and that the system currently introduces risk. “We believe that online voting, especially online voting in large scale, introduces great risk into the election system by threatening voters’ expectations of confidentiality, accountability and security of their votes and provides an avenue for malicious actors to manipulate the voting results,” said Neil Jenkins, an official in the department’s Office of Cybersecurity and Communications.
It is much more likely that many small attacks will happen in an attempt to discredit the results from various states or counties within states. It could be like the 2000 election but with a virtual hanging chad.
In addition to the voting machines themselves, voter registration databases present one of the most obvious and most vulnerable targets. On the most basic level, these databases represent repositories for significant amounts of personal data that is valuable to cyber criminals, which makes them target just like health or payment records. But tampering with these records also presents a way to meddle in an election. For example, deleting registration records could impact who is allowed to vote when they show up at the polls. If information provided by an individual attempting to vote is inaccurate when compared to the state’s voter identity data, they could be deemed ineligible to vote.
In August, the FBI issued a confidential “flash” alert to state officials to boost their election security in light of evidence that hackers targeted related data systems in several states. They described a “compromise” of one elections board website and “attempted intrusion activities” in another state’s system. The bureau reports that it is investigating the incidents and advised states to scan their systems for specific signs of hacking. The bulletin did not identify the states, but experts say it points to Illinois and Arizona, where state election websites experienced hack-related shutdowns earlier this summer that impacted parts of the sites related to online voter registration.
“This is not something that can be done in a few days or weeks, if an organization is going to be successful in this style of attack they must be well funded and have started work months ago,” Lamar Bailey, Tripwire’s senior director of security research and development, told Time. “It is much more likely that many small attacks will happen in an attempt to discredit the results from various states or counties within states. It could be like the 2000 election but with a virtual hanging chad.”
In July, Illinois officials discovered an intrusion into their election system, which resulted in a week-long shutdown of the registration system. Although no data was altered, federal officials note it marked the first known successful compromise of a voter registration database, and hackers were able to retrieve and access voter records. The Illinois State Board of Elections believes the sophisticated attack was most likely carried out by an international entity. In August, cybercriminals also prompted the closure of Arizona’s system for nearly a week after they stole the username and password of an election official.
Tom Hicks, chairman of the federal Election Assistance Commission, an agency set up by Congress after the 2000 Florida recount to maintain election integrity, told the Washington Post he is confident that states have sufficient safeguards in place to ward off attempts to manipulate data. For example, provisional ballots could be issued for voters whose data was deleted and did not show up on the precinct list. The vote would later be counted once the voter’s status was confirmed.
Backup systems are also in place to mitigate the risk. According to the New York University School of Law’s Brennan Center for Justice, “As long as states and local jurisdictions keep backups, including paper copies, of their registration lists, no manipulation of state computer registration databases should prevent legitimate voters from casting a ballot, or having their votes counted.”
Lawrence Norden, deputy director of the democracy program at the Brennan Center and author of a 2015 report about election cybersecurity, told Vice News, “If there was any doubt, this confirms that we need to be taking all necessary steps to secure our election infrastructure. At the same time, it’s important to note that attacks on these kinds of databases should not have an impact on the integrity of our elections.”
New Problems, Old Solutions
In the United States, there are more than 9,000 state, county and city jurisdictions that collect and tally votes. Unlike the regulations that attempt to protect data in the payment card or healthcare industries, there are no federal laws or standards governing the security of election infrastructure or mandating the use of specific voting platforms, and state and local governments independently certify and budget for their own voting infrastructure. While federal entities like the Election Assistance Commission provide guidance and offer certification, there are no compulsory federal requirements.
A number of officials, including Department of Homeland Security Secretary Jeh Johnson, have said the federal government should consider designating the election process as critical infrastructure, as it has with 16 sectors to date, including transportation services, energy, nuclear reactors, emergency services, the chemical industry, the defense industrial base, communications and financial services. Extending this designation to the election process would give DHS the authority to secure the system against cyberattacks and could provide federal funding to improve these critical services. While some states have expressed interest in government aid, others fear encroachment on local authority and prefer to retain the autonomy afforded by the current system.
In the meantime, officials have made important advances over the past few years to secure voting technology, but experts believe there is still work that can be done. “Between now and November, there are several steps officials can take to ensure America’s elections are properly protected,” Norden said.
The Brennan Center believes one of the biggest threats to election infrastructure is actually an over-reliance on technology to the point of omitting traditional security measures. In 14 states, at least some polling places will use machines that do not create a “voter-verified” paper record, which can be stored by election officials. The lack of paper backup creates the risk that, should someone alter the results, it would be nearly impossible to detect and there would be no hard copy to conduct an audit or a manual recount.
Four notably competitive states, including Pennsylvania, make use of such machines, which also risks facilitating distrust in an election where both candidates have raised concerns about hackers tampering with the outcome.
“With no paper trail you’re one calamity away from a treacherous situation,” former Rep. Robert Wexler (D-Fla.), who unsuccessfully pursued a federal lawsuit in 2004 against the paperless voting system then widely used in Florida, told Politico. “We would not tolerate this lackadaisical system with our financial records.”
Security experts largely believe the best long-term solution is for states to switch to optically-scanned ballots, which produce electronic results but leave a paper record in case questions arise. Another option is more widespread use of electronic machines that produce a voter-verified paper record. Particularly in jurisdictions with tight races or in critical swing districts, even small-scale or localized interference has the potential to create a significant impact. The investment in new infrastructure with concrete failsafes therefore must be prioritized, officials and researchers agree.
In a July Pew Research Center poll, more than half of registered voters expressed at least some degree of concern that their votes would not be counted accurately.
A Crisis of Confidence
“The very fact that [someone] has rattled the doorknobs, the very fact that the state election commissions are in the crosshairs, gives grounds to the average American voter to wonder: Can they really trust the results?” Rich Barger, chief information officer at ThreatConnect, told the Washington Post.
Voter disenfranchisement has been a significant issue in previous elections, and cyberrisk adds another level of uncertainty to the electoral process. In a July Pew Research Center poll, more than half of registered voters expressed at least some degree of concern that their votes would not be counted accurately. Donald Trump has expressly stoked these concerns among his supporters, suggesting that, were he to lose, it would be because the election is “rigged.”
Many state officials point out, however, that the decentralized system of voting districts arguably makes it more difficult for hackers to impact an election on a wide scale. Coupled with the fact that most voting machines are not connected to the internet in the first place—in the 2016 presidential election, 42 states will use voting machines that are more than a decade old—it means that the system has some insulation from remote hacking.
“The level of risk for attacks directly on votes themselves is relatively low,” said Tim Erlin, senior director of project management for Tripwire. “While isolated incidents may be possible, it’s unlikely that we’ll see the outcome of the election affected.”
But with increasing use of electronic voting and the trend towards connected systems, Erlin pointed out that electronic interference in elections is a possibility. “It’s best to address these concerns before they become serious problems,” he said.
Hackers may never directly interfere in the election, but documented intrusions in the infrastructure in November could indeed have a concrete impact by casting doubt on the legitimacy of this cornerstone of American democracy. The broader potential for questions over the process highlights that, as for so many other entities, the greatest risk may be one of the simplest: public perception.