With the next U.S. election only two weeks away, it’s a good time to check in to see how cybersecurity may affect one of the most significant votes in American history.
At the Polls
The American federal voting system consists of a remarkably varied array of local processes and procedures. There is no over-arching election apparatus: instead, each state – and often individual counties with a state – will have its own idiosyncratic method of collecting and tabulating votes. This independence sees each jurisdiction – potentially influenced by the incumbent government – creating its own rules for managing the vote.
The devices used for tabulating ballots vary widely from state to state, with many using devices that have known vulnerabilities to hackers. Lack of funding or appreciation for the seriousness of the exposures has left the devices unpatched and open to compromise for years. The well-documented voting machine “hack-a-thon” at the DEF CON 27 conference in 2019 demonstrated that every single device currently in use in the field is readily breachable. This includes the ES&S AutoMARK, used in 28 states in 2018, and Premier/Diebold AccuVote-OS, used in 26 states that same year. These devices are still expected to see widespread use in 2020.
Defenders of the current system argue that the dizzying array of processes and approaches provides a kind of “security by diversity” at the polling stations, making a broad or systematic attack on the vote impractical. Further, they see the risk is mitigated because some of the breaches require a hacker to gain physical access to the device, something that likely would draw the suspicion of a poll worker. Finally, they posit that, unless the vote in a particular constituency is especially close, only a widespread compromise of ballot machines would have any compelling impact on the results.
Response has been varied, and time and attention that may have spent in correcting the deficiencies has been pulled away by the ongoing COVID-19 pandemic. Some counties have responded by scrapping use of the unsecure voting machines altogether, going back to a paper ballot system for 2020. Georgia has come under particular scrutiny, with security breaches and suspected vote tampering in 2016 and 2018 elections resulting in a widespread replacement of voting equipment. The costly new system will be more complex for voters and may still be subject to cyber attack, but it now features paper confirmation records of votes cast. Each state is making its own decisions, without central oversight or guidance.
The cyber threat on polling day extends beyond tampering with vote counts. Attacks on polling places could be used to disrupt voting processes themselves. Threat actors – either external, or even opposing candidates looking to gain an advantage by hampering access to the ability to vote – could swing close local elections with denial of service attacks. Long lines and delays created by attacks – and exacerbated by valid COVID-19 health concerns and potential weather issues – could cause voters to stay away, thereby subverting the democratic process.
Absentee Balloting
Here too, there is a wide variety of voting approaches that are acceptable for absentee ballots. Some jurisdictions insist that absentee ballots be submitted by mail exclusively. Meanwhile, other states actually permit some absentee ballots to be cast by fax, email, government portal, or mobile phone over the Internet. Critics of Internet voting have a number of arguments about the integrity of the ballots, ranging from voter privacy, security of the voter’s computer and their connection to the election servers, auditability and authentication of the voter and their vote, through to exposure to denial of service attacks on the voting system, preventing votes from being tabulated at all. The future of widespread web-based elections seems very far off.
At the Counting Stations
While targeting individual polling stations might require a great deal of coordination, an attack compromising the results of regional votes could have wider impact. The systems used at many polling stations have no paper confirmation or recording of votes – the anonymity and privacy of an individual vote that is so central to the voting process leads to complications in validating the results.
At DEF CON 26 in 2018, it took an 11-year-old under ten minutes to hack into a replica of the Florida state election website and change voting results. Officials were quick to dismiss the simulation as an inadequate representation of real-life security structures, but the ease and speed of the breach suggest that there are security concerns that need to be addressed.
Social Media Influence
In the 2016 election, it is believed that widespread use of bots and “fake news” generators was used to influence voters and spread misinformation. Social media channels like Facebook have vowed to make efforts to target and take down obvious falsehoods and baseless attacks, but all parties involved have a clearer understanding of the potency of using social media to sculpt voter opinion. Illegally or unethically harvesting information to micro-target voters – as evidenced by the Cambridge Analytica scandal during the 2016 elections – is widely considered to present a danger to the democratic process as well.
Nation-State Attack
In September, Microsoft released a report outlining a variety of attacks on individuals and groups affiliated with the 2020 election process. Microsoft identified a wide range of coordinated attacks from hackers based in Iran, Russia, and China against, among others, American political interests. Many of these brute-force assaults have targeted political organizations, presumably in an effort to compromise strategic data and spread misinformation. Worse yet, many of these attacks have reportedly been successful, leading to heightened concerns about the integrity of the November elections.
The Microsoft bulletin comes on the heels of an August 2020 statement about election tampering, made by National Counterintelligence and Security Center (NCSC) Director William Evanina. Evanina suggested that while Russian interests are working to support Trump’s re-election bid and damage Biden’s campaign, China “prefers that President Trump – whom Beijing sees as unpredictable – does not win re-election,” and that Iran is working to undermine the president and U.S. democratic institutions.
Of course, Russian interference in the electoral process is nothing new. Indictments were filed against a dozen Russian hackers who allegedly conducted cyberattacks against the Democratic National Committee in 2016. In fact, the Select Committee on Intelligence concluded that Russian interests tampered with U.S. elections as early as 2014, and attempted to influence voting results in all fifty states in the 2016 election. Volume 1 of the committee’s sweeping report details active measures, campaigns, and interference used by foreign forces. It underscores the exposure faced by the archaic systems still used in many jurisdictions: “In 2016, cybersecurity for electoral infrastructure at the state and local level was sorely lacking; for example, voter registration databases were not as secure as they could have been. Aging voting equipment, particularly voting machines that had no paper record of votes, were vulnerable to exploitation by a committed adversary. Despite the focus on this issue since 2016, some of these vulnerabilities remain.”
Volume 2 documents the social media tactics employed by Russian-based, innocently named “Internet Research Agency” (IRA) to use “targeted advertisements, intentionally falsified news articles, self-generated content, and social media platform tools to interact with and attempt to deceive tens of millions of social media users in the United States”.
Learn More
The Brennan Center for Justice, a non-partisan law and public policy think-tank, has numerous articles, research papers, and opinions on issues regarding cybersecurity on the U.S. elections. They released a detailed analysis of cyber exposures in their March 2020 expert brief, followed by a list of recommendations for keeping the vote safe in their June 2020 opinion piece.
Verified Voting is a non-partisan organization founded to provide analysis and insight with the aim of supporting the democratic process through secure, modernized methods. They have an interactive map that allows U.S. voters to preview the available voting methods in their local jurisdictions. According to their analysis, a third of eligible American voters will be using purely digital – and therefore potentially vulnerable – methods to cast their votes in 2020.
The 2020 documentary Kill Chain presents a decidedly biased view of some of the hacking dangers, and live footage from DEF CON 27, held in Las Vegas in 2019.