The ballots were programmed incorrectly—and testing prior to the election missed the problem. Consequently, Ms. Zirkle gathered affidavits from people who said they had voted for them. This was used to help convince a judge to order a new election. The Zirkles easily won their new election.
The list of electronic voting machines in use is long, in part because they stay in service for many years and models vary by purchase dates. Although researchers may pick a certain touch-screen system for testing, the sharpest criticisms are directed at a particular class of machine—those without a voter-verified paper record.
There are about 10 states that use Direct Voting by Electronics (DRE) without Voter Verified Paper Audit Trail (VVPAT). The list is approximate because county systems may vary. Some of the states with at least some electronic-only systems include New Jersey, South Carolina, Georgia, Louisiana, Pennsylvania, Virginia, Kentucky, Indiana, Texas, Delaware, according to Verified Voting.
State officials insist their systems are secure. Getting at voting machines, in particular, may require a physical attack. But computer security threats follow an evolving pattern that may start with physical access and move on from there.
At the same time Pennsylvania voters filed their lawsuit in 2006 challenging the electronic system, computer scientists at Princeton University were demonstrating how to hack touch-screen voting machines. The scientists physically hacked into a machine, replaced the original memory card with an infected card, rebooted, and returned the original memory card. The machine was now infected. Researchers even used a minibar-type key to open the electronic machine.
Whether the Princeton attack was fair demonstration or not may not be as important as understanding the process in computer security.
Progression of a hack
“Things go through a sequence that looks like: Theoretically possible, proof of concept, weaponized,” said Eckhardt.
Scientists work to understand the threats coming down the road. The same process has been applied to viruses, rootkits, BIOS rootkits, and now ransomware, which is arguably the next stage after something is weaponized, and that’s commercialization, said Eckhardt.
State-level actors are weaponizing things, said Eckhardt, and they “have the money and they are good.”
The IT and security practices around voting, aggregation and registration systems may vary considerably from state to state and county to county. This gives attackers options and opportunity.
“Hypothetically, what if endpoint protections, or the lack thereof, allowed ransomware to execute?” said Zach Lanier, director of research at security firm Cylance. The message to election officials might be: “ ‘You can’t have an election until you pay $1 million to unlock all your machines.’ “
The attackers may not care who wins.
The goal instead may be “to create a mistrust in the ‘system,’ “ said Samir Kapuria, the senior vice president and general manager of Symantec’s Cyber Security Services business unit. “You don’t want people to lose faith in the outcome of the election.”
The risk “is less about throwing an election, as opposed to creating a lack of confidence in the results,” said Kennet Westby, president of Coalfire Systems, an IT audit and compliance firm.
If the goal is to wreck confidence in the U.S. election, then Donald Trump’s recent comment that he fears a “rigged” election is just more stirring of this pot.
Elections are decentralized, run by states and local governments, and a near-universal worry shared by cybersecurity experts is that the election staffs may be out-gunned by hackers.
A majority of poll workers are retired senior citizens who “may not be computer literate,” said Jim Christy, vice president of investigations and digital forensics at cybersecurity start-up Cymmetria. The average age of poll workers is estimated to be over 70, he explained. Christy was also a former chief election judge in Anne Arundel County, Md.
“Mistakes, ignorance, and manipulation of the poll workers is possible as the average training for poll workers is only 2.5 hours,” said Christy.
The U.S. Department of Homeland Security recently offered nationwide help with cybersecurity issues, and Pennsylvania is one of the states that has accepted this assistance.
But there will be concerns about the level of federal involvement, said Daniel ‘DJ’ Rosenthal, a cybersecurity expert in Kroll’s Investigations and Disputes practice. He has previously worked in the Obama administration on cyber security and counterterrorism.
Federal involvement in state and local elections is “inconsistent with our structure” of the federal system, and state governments may fear that federal involvement in local elections could mean a start to creating standards for other systems. The federal government is involved in election security—after the attack, to investigate breaches, but does not have a preventive role, he said.
Andrew Appel, a computer science professor at Princeton, testified before a U.S. House committee on Sept. 28, and urged lawmakers to eliminate use of touch-screen voting machines, in the same way they outlawed punch-card ballots following the 2000 presidential contest between George W. Bush and Al Gore.
Appel said more states are using optical scanners, and while the scanning machine has a computer in it, there is also a “ballot of record, and it can be recounted by hand, in a way we can trust,” he told lawmakers.
Despite all the potential risks ahead, Eckhardt says, “People should vote. The only way that your vote for sure doesn’t get counted is you don’t cast it.”
This story, "If the election is hacked, we may never know" was originally published by Computerworld.