Hacking the Vote

From left: Kim Zetter, a freelance cyber security journalist, moderated a discussion with Jeremy Epstein, a senior computer scientist at SRI International; Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology; and Massimo Tommasoli, permanent observer for International Institute for Democracy and Electoral Assistance (IDEA). (Atlantic Council)

In an election season marred by cyberattacks—an activity the White House has blamed on Russia—the security of voting machines is a prominent concern for voters.  Such concerns could undermine voters’ faith in the system as well as the legitimacy of the result of the presidential election, the Atlantic Council’s Daniel Chiu said in Washington on October 19.

“Hackers may not even need to actually compromise voting computers or systems to undermine the people’s trust in the election results,” said Chiu, who is director of the Strategy Initiative in the Atlantic Council’s Brent Scowcroft Center on International Security. “[M]erely a credible claim of doing so could compel voters to cry foul, undermining the legitimacy of the vote, at home in the United States, and abroad,” he added.

On October 7, the White House officially accused Russia of using cyber hacking to interfere in the presidential election. Russia denies the accusation.

Over the summer, Debbie Wasserman Schultz was forced to step down as chairman of the Democratic National Committee after a hack of her e-mails revealed her preference for Hillary Clinton over Senator Bernie Sanders (D-VT) as the Democratic Party’s presidential nominee. [Clinton eventually won the nomination.]. The e-mails of former secretary of state Colin Powell and Clinton campaign chairman John Podesta have also been hacked.

Additional incidents of hacked e-mails and compromised voter databases further highlight the vulnerabilities of an electronic electoral process.

“Computers, even voting computers, are hackable,” said Chiu.

Chiu delivered the opening remarks at an event at the Atlantic Council that focused on the technical flaws and cybersecurity vulnerabilities that could undermine the credibility of the presidential election on November 8. Panelists included Jeremy Epstein, a senior computer scientist at SRI International; Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology; and Massimo Tommasoli, permanent observer for International Institute for Democracy and Electoral Assistance (IDEA). Kim Zetter, a freelance cybersecurity reporter, moderated the discussion.

“When we’re talking about hacking the vote this year, unlike any other year we’ve had before, we’re talking about two kinds of hacking,” said Zetter. She said the issue is “not only technical hacking of voting machines, but hacking the minds of voters for influencing the outcome of an election.”

Republican presidential nominee, Donald Trump, has already claimed that the election is rigged against him. In the final presidential debate on October 19, Trump refused to pledge that he would accept the result of the election if he loses, saying instead that he would prefer to keep the nation “in suspense.” He later said he would accept the result—“if I win.”

According to Tommasoli, the greatest threat to democratic processes is the lack of trust in the electoral process, related to the risk of a cyber hack. “Unless the environment, the procedures, and the systems are safe enough, there will be a growing tendency toward using these means of [electronic] voting, and there will be a high risk of manipulating voting, before, during, and after elections,” he said.

The security measures protecting electronic voting machines are weak. The panelists described how an actor with a malevolent intent could easily circumvent measures in place with either a remote hack, possible if a system is somehow connected to the Internet, or a proximity hack achieved by accessing the ports of the machine in the polling booth or when the machine is in insecure storage between elections. Tommasoli described how, “if you assess a system, you would also look at how data that are produced through electronic voting machines are processed by computers that may be hooked to the Internet.” Indirect connection to the Internet creates further risks of manipulation. 

Though voting machines and the procedures around them have significantly improved in the past decade, due in part to testing conducted by the Election Assistance Commission, “testing only gets you a certain level of confidence; there’s always going to be a way to get around it,” said Hall.

Additionally, Internet voting opens a new realm of possibility and risk. Though many states are exploring the possibility, widely supported by younger generations—thirty states currently allow Internet voting under certain circumstances—it remains a fundamentally insecure means of conducting an election, according to Epstein. 

Electronic voting, designed to increase voter participation, significantly increased with the Help America Vote Act of 2002. States bought direct recording electronic (DRE) machines designed to accommodate disabled voters and facilitate the voting process in general. However, the machines, connected to the Internet, are fraught with vulnerabilities. Initially the machines kept no paper trail, though most have now implemented a way to manually track votes. Epstein said that “it’s great to have a paper trail, but if nobody looks at it, if there’s no audits, it doesn’t mean anything.” An audit is effectively a recount.

“The whole reason to do an audit is to check the computer tally of a voting computer against a manual tally,” said Hall. However, audits replace technical malfunctions with human error. Hall said, “having the paper is one thing, but counting it correctly is another thing.” Certain measures and procedures based on statistics are designed to further vet the auditing process, but regulations remain faulty and insufficient, he added.

There is a long history of issues with voting systems and electoral processes, not only in the United States, but in other countries as well. “This is an international problem just as much as it is an American problem,” said Chiu. In 2004, Russia hindered Ukraine’s elections. The US Central Intelligence Agency (CIA) also has a history of interfering in international elections.

Responding to the possibility of Russian interference in the 2016 general election, Hall said that it is unlikely that Russia will directly hack a nationwide election. If it were to happen, he said, the United States would not know. US voting systems are not designed for resistance against sophisticated cyberattacks from state actors, nor are they enabled to retain evidence if such a hack were to occur. “If you’re doing something intentionally, you can design it in such a way that it disappears after it’s caused its problem,” Zetter said. Epstein added, “sometimes it’s hard to tell the difference between a bug and a hack because the symptoms look the same.”

According to Zetter, “you can have a problem with an external actor who gets access to these machines and does something, but you can also have a problem with simply upgrading machines at the last minute in a way that the software is not examined or certified.” There have been numerous instances of such malfunctions that undermine faith in the electoral system and challenge its credibility.

While many issues related to voting technology and instances of unreliable election results are presumably due to technological malfunctions, there is no way to tell for sure, according to Zetter. “It’s always hard to know what’s a glitch and what’s intentional,” she said. The mere existence of vulnerabilities opens the door to a directed attack.

The election process is flawed, but at the moment, aside from updating technology, the panelists agreed there is no infallible alternative. “We do need more regular federal funding of elections,” according to Hall, but right now that responsibility remains with the states. Ultimately, “technology is just a fragment of a mosaic that has to be consistent, and that is the system people should build confidence in,” said Tommasoli. 

Rachel Ansley is an editorial assistant at the Atlantic Council.