How Clinton, Trump Could Champion Cybersecurity | Dark Reading
Although we are aware of the efforts by the Russian government to discredit American democracy and interfere with the election, the chance that a malicious actor can carry out a hack that would change the outcome of the presidential election seems virtually impossible. Nonetheless, the recent high-profile hacks of Democratic political organizations and states’ voter registration databases by Russian hackers have already achieved the desired effect of sowing at least some doubts about the integrity of the US election, a concept reinforced repeatedly by Republican nominee Donald Trump in his proclamations that the election is “rigged.”
Skeptics have dismissed those concerns based on the fact that the electoral system is a decentralized system managed at the state and local levels, and that the voting machines themselves – which are what voters will use to cast their ballots – are standalone systems that are not connected to the Internet. Unlike state voter registration systems that have been hacked or probed in past weeks, the actual voting machines would be much harder to hack remotely and the probability of hacking at the polls remains low. The election may still be manipulated, however, through other cyber means such as bribing a machine operator to inject malicious software, rewriting software to change the way that votes are counted or tabulated, manipulating other weak points in the system, or directly exploiting a vulnerability in the machine’s software. So, if the question is, ‘Is it possible to hack the vote?’, the answer is yes, definitely!
Moreover, research shows that the technology behind most voting machines is grossly outdated – 43 states have voting machines that are at least a decade old – and that many of those machines are so riddled with vulnerabilities that almost anyone with rudimentary technical skills could break into them in order to corrupt voting results. And most states don’t have the funding to upgrade their equipment, which in turn doesn’t motivate technology providers to innovate those systems.
In addition to legacy systems and outdated technology, another concern with voting machines is that some of them don’t have any form of paper trail. Over the past few years, almost all states have moved to using paper ballots or electronic voting systems that maintain a verifiable paper audit trail of the ballots. Five states (Delaware, Georgia, Louisiana, New Jersey, and South Carolina), however, use completely paperless voting systems. If even one of the voting machines in those jurisdictions is hacked, or malfunctions, or if concerns arise about the legitimacy of a county or state’s election results, there is no independent means to audit individual votes in those particular precincts. Other states, including Pennsylvania, Virginia, Kentucky, and Tennessee, use a combination of paper ballots and paperless voting systems, depending on the jurisdiction. The concern with paperless systems is that they do not offer the same solid audit trail that a paper ballot does, and would make it much harder to prove with absolute certainty that votes were recorded as cast. Additionally, 31 states allow Internet voting, which could in principle be intercepted and subverted by a sophisticated hacker. Fortunately, most states that allow online voting restrict it to military and overseas residents or citizens with disabilities only. Many states also require voters to mail in paper ballots separately. Only Alaska allows for any registered voter to ask for and submit ballots electronically.
Another threat to the ballot box would be if hackers were able to delete voters from the database entirely, meaning when they arrived at the polls, their names wouldn’t appear in the system. In this case, however, voters could still cast a provisional ballot and then follow up to verify their registration in the days following the election. The process would be tedious, but not prohibitive.
While public officials continue to reassure us that the idea that someone could actually hack in any meaningful way into the election system so as to skew the result of the presidential election is far-fetched, rumors of hacking – even if not successful – or even one small case of electronic tampering or manipulation on November 8 could seriously undermine confidence in the election and play into a losing politician’s claim that the election was “rigged.”
So, what can citizens, state administrators, and federal officials do to ensure the confidentiality and integrity of these elections?
State boards of elections and law enforcement officials have been hard at work to safeguard elections, and the Department of Homeland Security is working with election officials to monitor suspected breaches on voting systems and bolster security in general. In particular, election officials should continue to implement proper security controls, scan all systems for flaws, test all equipment prior to the election, assure a chain of custody for voter records, maintain up-to-date master files of voter records separate from the public facing online system, put adequate physical security measures in place to prevent unauthorized access, and introduce contingency measures in case of equipment failure.
As a citizen, if you see anything suspicious such as signs of tampering with voting machines or any sort of intimidation of voters, you should alert local authority and election observers available at all the polling locations. In addition, you should carry your voter registration card and be reassured that most states keep also frequently updated back-up copies of voting rolls offline or in hard copy. Those back-ups could be used to rectify any wrong changes made by malicious actors.
– Francesca Spidalieri, Senior Fellow for Cyber Leadership