October 19, 2016
Cyber Risk Wednesday: Hacking the Vote
By Jeff Stone, CSM Passcode
Probably not. But it's still a question many technical and election experts are asking, Washington is worried about, and both Donald Trump and Hillary Clinton are talking about in the final stages of a presidential campaign already marked by unprecedented warnings of fraud at the polls.
In a statement earlier this month, the Department of Homeland Security and the Office of the Director of National Intelligence said the US "is confident that the Russian government directed the recent compromises of emails from US persons and institutions ... to interfere with the US election process." Separately, in August, the FBI reported breaches into Illinois and Arizona's voter registration databases and cautioned other states to bolster cybersecurity protections against of Nov. 8.
The Russian allegations sparked a heated exchange during Wednesday's final debate after Mrs. Clinton claimed that Russian operatives "hacked American websites ... to influence our election" in favor of her Republican opponent. Mr. Trump, who has not blamed Moscow for hacking into Democratic National Committee computer networks, did say he would condemn Russian interference in US elections. "By Russia or anybody else," he said.
During an event on Wednesday at the Atlantic Council think tank in Washington, a panel of cybersecurity and election experts said troubles at the polls originated long before this election season.
"It goes back perhaps as long as there have been elections, and the idea of influencing elections is nothing new to national and international players," said Daniel Chiu, deputy director of the Brent Scowcroft Center on International Security at the Atlantic Council.
Here's what we learned at the event:
1. Paperless voting complicates the audit process
Five states – South Carolina, New Jersey, Delaware, Georgia, and Louisiana – rely on electronic voting machines that do not include any paper trail, according to the election watchdog Verified Voting. Without that physical record, experts said, it's essentially impossible to double check the results, as officials did in the 2000 presidential election.
"If the vote is extremely close, like for instance Bush v. Gore, then the way to confirm the result is to actually count the ballots," said Joseph Lorenzo Hall, chief technologist with the Center for Democracy and Technology, a Washington tech advocacy group. "If you don't have sort of a fire drill about what you would do in a data breach then you're not doing it right."
2. Poll workers aren't security pros
In 2014, the Presidential Commission on Election Administration, a bipartisan commission charged with examining potential voting issues, reported that volunteers with little experience oversaw the approximately 8,000 voting jurisdictions in the US. More than two years later, experts at the Atlantic Council event said changing technology highlights the need for more trained volunteers at polling places.
"The average poll worker is 73 years old," said Jeremy Epstein, a program manager at the Pentagon's Defense Advanced Research Projects Agency. "Let's think about that when we're asking them to secure this technology on Election Day. We're asking them to be the information technology staff on the most important day in our country."
3. A widespread voting hack isn't likely
Most voting machines in most states do not connect to the internet, therefore it would take an extraordinary attack on polling places to actually compromise voting results. It would require physically tampering with machines, and vast manpower. Still, the very knowledge that a nation-state is working to manipulate America's big decision could be enough to create confusion.
Mr. Hall noted that Russian hackers attacked election systems during Ukraine's 2014 presidential elections. He also said media outlets that forecast the election results could be targets. "You really need to be careful what you believe" if it seems like "something weird" is happening on election night.