Today, we're less than fifty days from the next U.S. presidential election, and over the next couple months, I fully expect to see a lot of speculation over the likelihood of someone "hacking the election." But what does that even mean?
The U.S. election system is a massively complex tangle of technology, and, at first, second, and third glance, it appears to embody the absolute worst practices when it comes to information security. There are cleartext, Internet-based entry points to the voting system. There is an aging installed base of voting machines running proprietary, closed-source code, produced by many vendors. And there is a bizarrely distributed model of authority over the election, where no one actually has the power to enforce a common set of security standards.
Sure, it seems bad. Nightmarish, really. But what are the actual risks here? If an adversary wanted to "hack" the "election," what could that adversary actually accomplish?
Online Voting in the U.S.
According to this PDF report from EPIC, the Verified Voting Foundation, and Common Cause, 32 states have some form of Internet-enabled voting. However, those systems are not the kind of easy, point-and-click kind of interface that most people think of when you say "Internet-enabled." They tend to be systems for distributing ballots that the voter needs to print out on paper (ugh), sign (often with a witness's countersignature), and then email or fax back to the state authority for counting.
Systems like these throw up privacy concerns. On a purely technical level, email and fax do not offer any sort of encryption. Ballots cast this way are being passed around the public internet "in the clear," and if an attacker is able to compromise any point along the path of transmission, that attacker can intercept these completed ballots. So, not only does this system do away with any notion of a secret ballot, it does it in such a way that it ignores any modern understanding of cryptographic security.
Clearly, this is a bummer for security professionals. We'd much rather see online voting systems with encryption built in. Web sites use HTTPS, an encrypted protocol, to avoid leaking important things like credit card numbers and passwords over public networks, so we'd like we see at least this level of security for something as critical as a voter's ballot.
That said, actually attacking this system doesn't scale very well for an adversary. First, they would need to target remote, online voters for snooping and interception. These voters are a minority, since most voting in every state happens either in person, or with paper ballots sent in the regular postal mail. Once the vulnerable population is identified, the adversary would then need to either wait for the voters to cast their ballots in order to change those ballots in transit, or vote on behalf of the legitimate voter before she gets a chance to. Active cleartext attacks like this work pretty well against one person or one location, but they are difficult to pull off at the kind of scale needed to tip an election.
Alternatively, the adversary could invent a population of phantom voters, register them to vote remotely, and stuff the ballot box with fake votes. Again, this isn't impossible, but it's also fairly high effort, since voter registration is already somewhat difficult for legitimate voters; automating it at scale just isn't possible in most counties in the U.S..
This leaves the servers that are responsible for collecting online ballots. The easiest thing to do here would be to kick them offline with a standard Denial-of-Service (DoS) attack, so all those emailed ballots would be dropped. This sort of attack would be pretty noticeable by the system maintainers, though, and I would expect people would switch back to paper mail pretty quickly. Remember, these systems aren't intended to be used on election day -- they merely collect absentee ballots, so there is going to be plenty of time to switch to the paper-based backup
A total compromise of the ballot collection servers could enable attackers to alter or destroy votes in a much sneakier way, and an attack like this could potentially avoid detection until after the election is called. On the bright side, this kind of attack appears possible for only five of the Internet-enabled voting states. Only Alabama, Alaska, Arizona, North Dakota, and Missouri have an "Internet portal." None of these states appear to be battleground states according to FiveThirtyEight's latest projections. So, regardless of their security posture (which isn't known), attacking these portals isn't likely to net a lot of gain for attackers wishing to influence the Presidential election one way or the other. If Florida or Pennsylvania had one of these portals, I'd be a lot more worried.
Hacking Voting Machines
Another common theme of "election hacking" stories involves attacking the voting machine directly, in order to alter the votes cast on site. Now, on the one hand, no electronic voting machine is cyber-bulletproof. I have every expectation that these voting computers have some bugs, and some of those bugs weaken the security of the system. I'd love to see open source, auditable voting machine code. Voting is important, and the machines we trust to tabulate results should be trustworthy.
On the other hand, if the adversary needs to physically visit voting machines in order to fiddle with results, then he'd need a whole lot of bodies in a whole lot of polling places in order to make a real dent in the results of an election. Don't get me wrong, wireless networking is getting ubiquitous, and high-gain antennae are a thing. But even with ideal placement and transmission power, the attacker is going to need to be within sight of a polling place in order to conduct practical attacks on a WiFi-enabled voting machine.
So, while such an attack is remote, it's not sitting-in-another-country remote. More like parked-outside-the-polling-place remote. WiFi voting machines are a terrible idea, but they don't appear to be an existential threat to democracy.
Ancillary Attacks: Voter Information
So, rather than attacking ballot-issuing and ballot-counting systems directly, attackers have much more attractive targets available connected to the election. Voter records, for example, are tempting to cyber criminals, since they contain enough personally identifiable information (PII) to kick off identity theft and identity fraud attacks at scale. Unfortunately, those particular cats are already out of the bag. 191 million voter records were accidentally leaked late in 2015, and the FBI warned in August that some state voter databases have suffered breaches.
Altering voter registration records is a big deal, for sure, since such attacks can help an adversary actually affect voter turnout for targeted voting blocs. While that's not what's being reported today, such an attack could not only nudge election results one way or another, but possibly bring into question the integrity of the democratic process itself. After all, "voter fraud," despite being practically non-existent in any recent election in the U.S., is a hot-button political topic. If an attack were detected that involved altering voter records, it would almost certainly be seen as a smoking gun that implies systematic voter fraud, therefore undermining confidence in the election for a huge chunk of the electorate. For more on likely voter data attacks, and what voter registration officials can do to safeguard that information, take a look at ST-16001, Securing Voter Registration Data from US-CERT.
Of course, "hacking elections" may not involve actually compromising the balloting or vote counting processes at all.
Imagine that someone decided to take down a couple voter information websites. Would this technically interfere with the election process? Maybe, if some people were trying to find out where their polling place is. The obvious effect, though, would be to create the impression that the election is under cyber-attack... and never mind the fact that voter registration and polling place information websites routinely crash under load on election day, despite the best efforts of the people running those sites.
So What Can We Do To Secure Elections?
Election infrastructure is complex, and there are certain to be bugs in any complex system. While elections, just like nearly everything else, are made safer, more convenient, and more efficient with technology, that same technology is going to introduce new risks that we've never had to deal with before and haven't anticipated. Naturally, there's cause for concern there, even if it doesn't rise to the level of Total Democolypse.
If you're in charge of voting technology in your area, we strongly urge you to test your systems now, ahead of the election. You should be attacking the system to see what's possible, and what mitigations are needed to ensure the election will not be affected by any kinks in the system. If you're not sure where to start, feel free to contact firstname.lastname@example.org - we're happy to connect you with security expertise (either our own or someone else from the security community) that will have a chat with you for free. We all have a vested interest in ensuring voting technology is not compromised, so we want to do what we can to help.
If you're a U.S. voter concerned about the integrity of the election process in your district, feel free to get in touch with your local office of elections and ask them what they've done to ensure that the election experience is resilient against cyber threats. If you're a real go-getter, I encourage you to volunteer with your county as a poll worker, and see what's going on behind the scenes, up close. Every county always needs help around election day, and I can attest that my own experience as an election judge was a fun and rewarding way to protect democracy without being particularly partisan.
NOTE: A version of this essay first appeared in CSM Passcode. You can read that version here: Opinion: Think hackers will tip the vote? Read this first - CSMonitor.com .