Election hacking has become a key topic during this year’s presidential elections, more so now that candidates and voters are being actively targeted by actors that are assumed to be acting with Russian support.
In this modified edition of CSO Online’s Hacked Opinions series, we explore the myths and realities of hacking an election, by speaking with a number of security experts.
Q: Can the national election really be hacked? If so, how?
“It’s unlikely that the national election could really be hacked to alter the outcome. Voter registration databases have recently proven vulnerable, but adding, modifying, or deleting records doesn’t produce the intended effect (changed outcome); it just raises questions about the integrity of the database on election day,” said Levi Gundert, CP of Intelligence and Strategy, Recorded Future.
So if the desired result is tampering, or to call into question the integrity of the system itself, Gundert added, then it’s possible to “hack” a national election, “especially if a majority of voter registration databases were compromised.”
Such a task could be accomplished remotely from the internet (as we’ve recently seen in Arizona and Illinois), or by an insider.
Based on state information provided by BallotPedia, the precincts in swing states like Florida that use Direct Recording Electronic (DRE) systems without a paper trail are the only ones that are even remotely problematic, Gundert explained.
“DRE systems are computers so there’s multiple ways to attack them, especially if you have access to components early in the supply chain. However, if the operating system and application hasn’t yet been tampered with, then remote access via the internet on election day is highly unlikely because these systems won’t be connected to the internet.”
But, if an attacker has physical access to DRE systems, then additional hardware (Bluetooth, WiFi, GSM, CMDA, etc.) could be added to allow for remote access at a later time, “but again, the scale of hardware additions needed would be impractical,” Gundert said.
Should the vulnerabilities in voting machines surprise anyone though? Alex Rice, CTO and co-founder of HackerOne, pointed out that slot machines currently undergo more security assurance and regulation than voting machines.
“The fact that voting machines are vulnerable shouldn’t be a surprise to anyone, all technology has been proven vulnerable and these computer systems are no different. Voting computers have not been subjected to basic security best practices such as third-party source code review, vulnerability disclosure, and any level of transparent peer review that a critical system should undergo before they are depended on by our democracy.
Q: What about local elections? Are they the easier target? If so, how can they be hacked?
The answer here all depends on the voting mechanisms in use, Gundert said. DREs introduce complexity, as opposed to paper ballots, but the challenge for someone planning to hijack an election is really the scale of tampering necessary to affect the election’s outcome. So on the scale of effort alone, a local election would be easier to coordinate than a national election.
“The same problems exist in both national and local elections, but with a few differing characteristics impacting risk vs reward,” Rice said, offering his own take on the question.
“On one hand, the stakes are lower in local elections and therefore the adversaries with a vested interest in the compromise of a local election are likely to be less advanced. On the other hand, the smaller statistical sample and reduced level of scrutiny means that attacks are more likely to go undetected.”
Q: How viable is it to hack into a given voting system? Would it be remote hacking or local physical access?
“A sufficiently motivated adversary would have no shortage of feasible strategies for the compromise voting computers,” Rice said.
Voting systems, for the most part, run end-of-life Windows XP with no security updates, which is a serious problem. Another layer to attack would be connected systems, “and we’ve seen no evidence that these computers are universally and permanently air gapped,” Rice added.
Additional risks and types of attack include a denial-of-service that could render computers inoperable in a targeted area.
“Most critically, the lack of transparency prevents any reasonable assurance that vote hacking did not occur. This lingering doubt is fertile breeding ground for conspiracy theorists to contest the election results in a manner that can not be strongly refuted. An inability for us to maintain a high degree of confidence in the authenticity of our election process is a threat to democracy in its own right,” Rice said.
Q: Assume an attacker does get in and can alter election results somehow, how quickly could they be detected by local election officials or the federal government?
“Detection of tampering with a DRE system without a paper trail is unlikely if the DRE is operating properly. Obviously the unauthorized access to voter registration databases in Arizona and Illinois has already been detected,” said Gundert.
Again, Rice adds, the issue of transparency comes into play, because without it, little is known about the controls that would detect such tampering. “This is insufficient,” he said.
Q: Realistically, what would be the point of hacking the vote?
“Assuming an attacker could access large amounts of DRE systems (which is highly unlikely) and alter the removable media, potential motives would be numerous. A nation state effort aimed at disruption/chaos is one possibility,” Gundert said.
One possible objective could be based on espionage, with a focus on policy shifts between candidates, said Art Gilliland, CEO of Skyport Systems.
[ MORE ON CSO: Can you hack the vote? Yes, but not how you might think ]
“For example Pro-Russian versus adversarial stances would make a huge difference in international relations. Another option could just be to create chaos, selection of David Duke for example. Anarchists and Hacktivists like Anonymous would do it just to make a point.”
Q: Why would someone target voting systems during the election cycle? All eyes are on the systems and data, isn’t this a bit counterproductive?
“The question assumes we’d detect the compromise,” Rice said.
“Even in more mature security systems, we still only detect a minority of compromises and believing that voting systems are immune to this property is hubris. The only prudent route is to both conclude that compromise is possible and that it will be extremely hard to detect.”
It’s hard to argue with events over the past year. Criminal hackers stole millions of records and millions of dollars from some of the most sophisticated companies and organizations in the world, and they made it look easy.
“Nation States are hacking into sensitive systems all the time with our best and brightest defending us. Modifying the voting systems manned and monitored by volunteers would be essentially ‘child’s play’ for the hacker community,” Gilliland said.
When questioned for this story, Simon Crosby, the CTO of Bromium, offered some interesting perspectives. Cyber paranoia, he said, is leading to a new state of absurdity – where the protagonists are those who could be easily called ‘Cyber Luddites.’
“Here’s their narrative: ‘The most credible security researchers agree that it is impossible to build a secure voting system. Therefore we should stick with paper, forever.’”
“Sticking to paper-based voting systems has massive drawbacks. Does anyone remember hanging chads? It is impossible to build a perfect voting system. But we are getting very good (collectively) at building computer systems that are massively secure by design. Such systems, appropriately audited and tested by independent professionals, would improve accuracy of voting and move the world forward substantially.”
This story, "Q&A: The myths and realities of hacking an election" was originally published by CSO.