Are voting machine hacks overblown?

 

Connecting state and local government leaders

Breaking into voting machines and altering vote counts is a good deal more difficult than recent election-hacking headlines suggest.

When information security researchers at this summer's DefCon hacker conference had the opportunity to break into election systems, they quickly rose to the challenge, breaching every poll book and voting machine that event organizers had in the Voting Machine Hacking Village.

The results, detailed by DEFCON, the National Governors Association, the Atlantic Council, the Center for Internet Security and a number of universities and top technology vendors, were "sobering." The report cited vulnerabilities in the hardware supply chain,  weak passwords, unprotected USB ports and insecure firmware.

If a room full of information security researchers could compromise these voting machines in a single day, what chance did the U.S. electoral infrastructure have defending against organized hacking groups and dedicated nation-states?

Hands-on access

However, a closer examination reveals that the most direct form of "hacking an election," breaking into voting machines and altering vote counts, is a good deal more difficult than the headlines suggest. For instance, while many outlets reported that conference attendees were able to penetrate all 30 machines, less reported was the fact that in the vast majority of cases, hackers needed to have extensive and direct physical access, including taking them apart, in order to find the vulnerabilities that allowed them to access voting software.

Jeanette Manfra, assistant secretary for the office of cybersecurity and communications at the Department of Homeland Security, made this point during a Nov. 8 cybersecurity event hosted by the Washington Post.

"There have been people who've talked about being able to hack into those voting machines, but they still need to have physical access, and states and localities are very circumspect about how they treat those voting machines. They're locked in warehouses, they're transported securely. And a lot of them, while they may be digital, they're not online," Manfra said.

While hackers at DefCon were able to remotely hack into at least one machine, an AVS WinVote machine, that model was decertified in 2014 precisely because of its notoriously weak Wi-Fi security, and it hasn't been used in U.S. elections since. Furthermore, many of the models used were older machines purchased on the secondary market and not necessarily representative of what most states rely on today.

The distinction between a remote and physical hack matters, because any attempt to alter an election at scale through vote tampering would almost by definition require secrecy, and it is logistically far more difficult to pull off a discrete hack when it requires taking apart a machine that is often subject to complex chain of custody protocols.

Jason Ogden, an information security specialist at DHS, gave an overview of U.S. election security Oct. 30 at the Executive Leadership Conference in Williamsburg, Va. While Ogden emphasized that "all future elections will face cyber threats," he said the decentralized nature of U.S. election infrastructure is often one of its greatest shields against a large-scale, coordinated cyber attack. There are over 8,000 jurisdictions that administer local, state and federal elections across the United States. Each operates more or less independently of one another, with their own rules, protocols, equipment, technology and software.

After his presentation, he told FCW that while nobody should be resting on their laurels, the ability to break into voting machines is not as easy or direct as the results from DefCon imply.

"My personal opinion is that when we're dealing with what occurred at Black Hat and DefCon, some of that is for show, obviously," Ogden said. "As a best practice … if you're controlling any kind of infrastructure you're not going to let just anybody have access to it."

Alternate pathways

That's not to say the threat is nonexistent or that nation states and hacking groups aren't actively looking for ways to access voting software. DHS itself notified 21 states in September that Russian cyber actors had "targeted" internet connected networks, like voter registration databases, related to their election systems. Several states subsequently disputed those assertions, questioning whether the information DHS provided backed up their claims.

Alex Halderman, professor of computer science and engineering at the University of Michigan, made headlines shortly after the 2016 election when he publicly urged the Hillary Clinton presidential campaign to call for a recount in three swing states based on evidence he had compiled that purported to show discrepancies between counties that relied on electronic ballots and paper ballots.

Halderman later acknowledged it was "probably not" the case that 2016 election results were tampered with, but he has continued to sound the alarm about election cybersecurity vulnerabilities since. During a September 2017 panel hosted by the Brennan Center for Justice, Halderman laid out the research he had done on electronic voting machine security over the past decade.

Today, most jurisdictions rely on two styles of voting machine: optical scan and direct-recording electronic (DRE) machines. While these machines are not typically connected to the internet, the software used to update them every election cycle is.

Before every election, each voting machine must be updated with the ballot, names of the candidates and specific races. A hacker could theoretically gain access and manipulate vote totals "by inserting malicious software into the removable memory cards that are used before every election to program the ballot design into the machine." If poll workers used that card to update multiple machines, that could potentially cause the malware to spread.

While Halderman acknowledged that there is no evidence that vote counts have been manipulated in any previous election, he is convinced it is only a matter of time. Even if hackers are only able to penetrate a select number of voting machines, he argued that a targeted effort could still potentially influence election results.

"In a close election, a national outcome might depend on a few states or swing districts. A hacker could probe all of these jurisdictions, find the ones that are most weakly protected and target them," Halderman said.

The wrong lens

Many officials believe that because of the level of difficulty and effort required, it doesn't make sense for nation-states to influence an election through electronic vote tampering, especially since approximately 70 percent of counties still use paper ballots in some form. It may ultimately be far easier for a nation to wage a larger, covert disinformation campaign designed to exploit pre-existing political and societal fissures in an electorate and nudge voters at the margins toward or away from certain candidates.

"I have less concern about the data itself and more about [bad actors] causing confusion," said Manfra.

While speaking at a Nov. 7 Center for Strategic and International Studies event, former CIA director Michael Hayden said the nation needs to stop looking at election influence through the lens of cybersecurity and start looking at the problem as a broader issue of information warfare.

"The [Russian] cyber attack could have been done by script kiddies. That was basic stuff," Hayden said. "What happened afterwards was the big news."

This article was first posted to FCW, a sibling site to GCN.

NEXT STORY: What makes hackers tick?

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.