With Election Day Fast Approaching in the USA, Many Are Concerned About Cybersecurity at the Polls
It’s almost that time again. Election Day is just a few weeks away for residents of the United States, and citizens want to make sure that their vote is counted. Concerns with ballot integrity are nothing new, dating back to the earliest days of democracy in ancient times. You probably remember the controversy in the 2000 election and the “hanging chad” question that arose with paper ballots in Florida.
In the two decades since, we’ve moved more and more towards electronic voting systems as technology has continued to evolve and proliferate. The concerns remain, however, even though the mechanics of the balloting procedures have changed. There are security threats abounding in cyberspace, so what’s to say they can’t affect our voting machines?
The stakes are certainly high enough, and the ramifications of a successful attack this November could have severe and catastrophic effects in both the short and long term. Accordingly, having proper security measures at polling stations has been a primary focus of governments at local, state, and federal levels. There has been a lot of media attention on the subject recently–and rightfully so, the public has a right to know how their vote is being handled and protected.
Have we done enough since then to adequately prepare and fix prior vulnerabilities? Just how safe are the actual voting machines on a technical level? And what is the probability that a large-scale attack could be successfully pulled off?
Let’s hash it out.
Cybersecurity Issues With the 2016 Election
The 2016 election resulted in a litany of cybersecurity-related questions after it was all said and done. In that instance, Russia-linked groups were the main hostile parties, as they attacked the campaigns of candidates on both sides, probed state voter registration databases for vulnerabilities, and released disinformation and propaganda on social media.
Over the past three and a half years, we’ve gradually learned more about what exactly went down thanks to intelligence agency memos, court documents, witness testimony, and investigative reports from the news media.
SQL Injecting the Illinois Voter Registration Database
There’s some good news and some bad news that came out of it all. The bad news? Russian hackers were able to access the Illinois voter registration database and got themselves into a position where they could’ve theoretically altered or deleted voter registration data. The good news is that there was no evidence that they actually did so, and no actual votes were changed or deleted either (either at the voting machine or while the data was in-transit). As Matt Dietrich, spokesperson for the Illinois Board of Elections, explained in 2018,
For a lot of voters there has been a lot of fear that there is going to be Russian hacking and stealing my vote after I cast my vote…Not one vote was changed in Illinois based on what happened 2 years ago. Not one vote was attempted to be changed based on that.
They did succeed in stealing the personal information of over 500,000 Illinois voters however, which isn’t exactly a silver lining. The Senate Intelligence Committee eventually concluded in mid-2019 that all 50 states were ultimately targeted during the election.
As far as how exactly they were able to pull it off in Illinois, they used a common method used by data-thieves, SQL injection. It typically begins with hackers entering certain commands on a site via elements like web forms or dynamic URLs. So, for example, instead of typing “Mark” in the first name box of a form, they’ll enter a piece of code. These inputs allow the malicious party to run SQL commands on the database to obtain or manipulate whatever data they’re interested in. A report from Illinois state investigators reported how “Processor usage had spiked to 100% with no explanation. Analysis of server logs revealed that the heavy load was a result of rapidly repeated database queries on the application status page of the Paperless Online Voter Application (POVA) web site.”
Illinois election officials say they’ve since taken measures to eliminate these kinds of vulnerabilities from databases and web apps. Other states have done similar, and to further accelerate the process Congress approved a $380 million election security funding bill in 2018. The money hasn’t gone to waste either, and states are on track to spend the majority of funds prior to the 2020 election.
How the States Stack Up Today
SecurityScorecard released a report recently that examined the overall cybersecurity posture and election-rated infrastructure of every state. At first glance, the ratings definitely could’ve been better. 75% of states received a ‘C’ grade or lower, and 35% got a ‘D’ or below. It’s a relative rating system however, so context is important. For example, a ‘C’ grade state is three times more likely to experience a breach compared to an ‘A’ state. A ‘D’ grade is five times as likely. See how your state stacks up below:
Perhaps more interesting is the average scores among the various security categories, as seen in the following graph:
SecurityScorecard determined that the most severe potential consequences of these low scores were:
- Phishing attempts and malware delivery via email and other mediums, with the end goal of infecting networks and spreading misinformation
- Attacks via third-party vendors since many states use common ones
- Voter registration databases could be affected (as we saw earlier)
Election Cybersecurity Best Practices
Even though we’ve seen increased election security funding from congress since the last presidential election, these scores prove that further and continued investment is still needed. The report did suggest some best practices that states should adapt immediately, such as:
- The creation of election-specific websites under the official state domains. These are better than brand-new domains that could be subjected to typosquatting.
- Establish an IT team whose primary focus is on voter and election website security.
- Create clear lines of authority for updating these sites, and employ the “two-person” rule so that no single person (or perhaps more accurately, no single set of credentials) has the authority to make changes.
- Continuously monitor the cybersecurity exposure of all election-related assets, and ensure that vendors are subject to strict processes.
The In’s and Out’s of Voting Machine Hacking
We’ve seen that election-related databases and websites can be breached, but what about the voting machines themselves? Punch card voting and optical scanners (for use with paper ballots) are still in use, but we’re moving more and more towards director recording electronic (DRE) systems. These record votes via touchscreen or buttons and the information is submitted directly to a computer, to be recorded on a hard drive, removable memory card, or even directly printed to paper. There’s clearly some variability here, but regardless of the medium they are tabulated and retained in the case of an audit request or recount.
DEFCON, one of the preeminent ethical hacking groups, has been hosting their own Voting Village events in past few years to help identify and eliminate voting infrastructure vulnerabilities for all types of machines. They’ve been able to compromise every single one that’s been put in front of them, successfully executing actions such as altering vote tallies, changing the ballot displayed to voters, or modifying the internal software that controls the machines.
What sort of vulnerabilities allowed them to carry out these malicious actions, exactly? They included:
- Unrestricted ports including USB, RJ45, and CF
- Plain-text encryption keys stored in XML files
- No BIOS passwords set, allowing the boot order and other system settings to be changed
- Unencrypted hard drives
- Unnecessary software such as web browsers and bloatware (even Netflix was found on some machines)
- Default credentials
If you have the right tools, sufficient access, and enough time, pretty much any machine can be compromised. This applies to every type of voting system, as well. As Avesta Hojjati, DigiCert’s Head of R&D, points out,
While paper ballots may be the only truly ‘unhackable’ method of voting, if governments do not secure voter data, election sites and election communication, then any election can be vulnerable to attacks.
But how serious and realistic are these risks in reality?
A Practical Analysis of Voting Machine Vulnerabilities
Before you get too worried though, it’s important to remember that these tests were carried out in lab environments and didn’t replicate election booth conditions. Additional configuration can be (and hopefully is) carried out before the machines reach the public on election day.
It can be easy to fall for the media hype surrounding these kind of events as well, like a couple years ago when it was reported that an 11-year-old was able to change votes on a replica Florida state website. These kinds of clickbait headlines don’t tell the whole story though, and leave out details about the replica site and how it was set up. As the National Association of Secretaries of State explained in a statement,
It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols. While it is undeniable websites are vulnerable to hackers, election night reporting websites are only used to publish preliminary, unofficial results for the public and the media. The sites are not connected to vote counting equipment and could never change actual election results.
Nonetheless, some vulnerabilities certainly exist. However, an attack of this type is far from the ideal method of approach for hostile parties trying to affect an election. The vast majority of machines aren’t connected to the internet or are only connected for a brief period to transmit ballots. A physical presence would thus be needed at the machine, and therefore the attack would be extremely difficult to scale. So while the possibility is technically out there, it would be next-to-impossible to launch a coordinated attack on enough machines to have a significant impact on results. You’d almost certainly be detected first. (Then arrested and given a one-way ticket to a lovely cell in a Federal prison somewhere.)
DEFCON’s Voting Village agrees with this sentiment. Harri Hursti, one of the founders, said that
[It’s] not about proving that voting machines can be hacked. They all can be hacked and 30 years from now, those can be hacked, too. It’s about making sure we understand the risk.
This philosophy has led to states implementing risk-mitigation measures that attempt to cover all the bases in case a cyber-attack does occur. These include having an audit trail with hard copies of ballots and tallies (although thirteen states still do not require a paper trail), risk-limiting audits (manually checking paper copies against the electronic results), and proper security procedures when dealing with voting equipment and software.
The Human Element, The Biggest Vulnerability?
While electronic systems may possess vulnerabilities, the most likely vector of attack is people. Human error isn’t something that can simply be patched or upgraded, and things like spear-phishing attacks can end up being the easier and faster way for hackers to gain access to election systems.
Just last year, a Vice investigation revealed how 35 systems from one of the top voting machine companies were accidentally left connected to the internet. Those particular machines should only ever be connected for a few minutes, immediately before the election to perform a test transmission and immediately afterwards to submit the actual ballots. The rest of the time they should be air gapped. However, 10 states total made the mistake of leaving them online for months and even years in some cases.
Robert Graham, CEO of Errata Security, brought up the fact that
These are all secure technologies that if [configured] correctly work just fine. It’s just that we have no faith that they are done correctly. And the fact that [election officials are] saying they aren’t on the internet and yet they are on the internet shows us that we have every reason to distrust them.
Further steps could be theoretically added at various stages in the voting process to add protection measures in case of human error, but then again there is a fine line that must be toed between security and accessibility. DigiCert’s Hojjati expands on this idea, saying
In any democracy, a method of voting must prevent fraud, offer privacy and be cost effective. The problem is that adding security to elections generally decreases usability. For instance, requiring multi-factor authentication requires additional steps to access accounts. And while we try to keep layers of security as simple as possible, right now adding security to voting means additional steps and investment in the election process.
It is a challenge that election officials will continued to be faced with moving forward.
Nevertheless, there are currently a variety of voting machine attack vectors out there for cybercriminals to theoretically exploit, but is that even the best option for someone that’s looking to affect the election?
The Real Risk – Disinformation and Social Attacks
The FBI and Cybersecurity and Infrastructure Security Agency (CISA) recently released a PSA to alert the voting public about the threat of widespread disinformation campaigns. This sort of attack isn’t meant to change actual ballots, but instead to sway undecided voters and cast doubt about the legitimacy of the election in order to sow political discord. As the FBI says, the goal is to “manipulate public opinion, discredit the electoral process, and undermine confidence in US democratic institutions.” It wouldn’t be the first time it’s happened, as you can see below in a previous attempt to use disinformation to manipulate the stock market:
Artificial social media-based campaigns are both easier to carry out and have a potentially higher reward than on-premise voting machine hacking. Controversial claims can spread like wildfire on social media platforms, whether or not they have any basis in reality. They can sway undecided voters in swing states and can even lead to animosity and violence between parties. And with social media, attackers can reach thousands if not millions of people at once, as opposed to physically hacking single voting machines whose visitor count is orders of magnitude lower.
The risk is less, as well. Cybersecurity professionals can use forensics to trace the source of voting machine attacks. Hacking most voting machines requires you to be physically there, leaving you at risk of being arrested by local law enforcement. Social media influencing, on the other hand, is much harder to trace and governments have minimal control over the content posted on the platforms. In this case, the responsibility is ultimately on voters to make an informed decision based on the facts at hand. It may be impossible to totally stop the threat of disinformation, but by seeking news from multiple, verified sources, you can minimize the biases and be better equipped to filter out the junk.
Facts vs Fears in the 2020 Election
It’s clear that vulnerabilities do indeed exist in our voting machines, as they do with almost any other system on earth. Thankfully though, it would be quite difficult to implement a mass vote-tampering operation that would have a significant effect on election results. This is due to the variability in systems and processes across the country, and the requirement of a physical presence to carry out the attack.
The bigger risks lie in people-related areas, like simple human error and phishing attacks, as well as large scale social media disinformation campaigns that can sway public opinion and lead to political unrest. Increasing election security has been a bipartisan focus all over the country in recent years, and hopefully it stays that way. Security is a journey, not a destination—election security is something that’ll need to be a top priority for the foreseeable future. But at the same time, it’s up to the public as well to follow proper security practices and get their news from reputed and trusted sources. Then they can avoid being manipulated by disinformation and propaganda campaigns, since that is the more realistic threat facing the voting public.
In the end though, none of these risks should dissuade you from doing your civic duty and casting your vote. As DigiCert’s Hojjati explains,
There is no perfect solution: each method of voting has vulnerabilities. Regardless of the method your area uses to vote, you should still participate in the voting process. Not participating is a guarantee that your vote won’t count.
So with that being said, see you at the polls on November 3rd!