How Did Russia Hack the Vote? Are Our Elections Secure?
With all the talk of Russia influencing the election through the DNC hacks and fake news, we are finally realizing just how open the political process is to manipulation. One aspect that had taken a backseat until recently was how the votes themselves can be tampered with.
Over the last month, we have uncovered more and more information about just how severe the hacks were. At this stage, it is confirmed that 39 states had their voter registration databases accessed, although officials assume that attempts were made to break into all 50.
There was at least once incidence of voter data being altered, however it was detected and rectified without any long term damage. Almost 90,000 records were accessed and stolen from Illinois, 90% of which contained details such as drivers license numbers and the last for digits of an individuals’ Social Security number.
Officials are stating that these hacks didn’t influence the results of the election, as no databases were permanently changed. Some have suggested that the only reason the damage wasn’t worse is because US intelligence agencies caught onto the attacks and the Government issued Russia a stern warning.
Given that another country clearly had the chance to tamper with the voting process, it’s time to reevaluate our election security. How can we bolster our defenses to prevent further attacks? First, we need to understand which parts of the system are vulnerable.
How Can an External Actor Sabotage the Voting Process?
There are several ways that any motivated and resourceful group can influence an election. The easiest is by accessing the voter registration databases and changing or deleting information. These databases are connected to the internet to allow authorities to access recent voter registrations, which leaves them vulnerable to being hacked.
If voter information is changed or erased, it could either prevent or make the voting process much more burdensome for those affected, which may reduce the likelihood of a person voting. Although those who can’t verify their vote are supposed to be given a provisional ballot, this added difficulty could be used to sway marginal seats in an attacker’s favor.
Another threat is to the voting machines themselves, but it is much more complex. These machines aren’t normally connected to the internet, which means that remote hacking is impossible. The attackers would require physical access to each voting machine, making it much more difficult to influence the election without being noticed.
If an attacker has access to a machine, they could manipulate the vote by changing the software code. While this could alter the way a machine counts votes, it is likely that an attacker would need to access hundreds of machines to make a difference in an election.
There is also the chance of election hacking casting doubt over the results. Even if officials find that hacking didn’t influence the outcome, data breaches could cause both the public and politicians to question the results. This could cause significant political fallout, perhaps making it difficult for the victor to govern, or even resulting in demands for another election.
Security Challenges: The Voting System Is Decentralized
One significant factor is that the US system is decentralized and there are many different systems operating across the country. The advantage of this is that it makes it incredibly difficult to orchestrate a widespread attack – an attacker can’t just hack into one database and access everyone’s records, because it is spread across thousands of different systems.
Likewise, if hackers can change the voting machine software, they will only be able to affect a relatively small percentage of the vote. If a state actor wanted complete control of the system, they would have to mount hundreds or thousands attacks.
The disadvantage of this setup is that it makes it more challenging to coordinate security. The federal government has no direct authority over the state election systems. Despite offering assistance over the recent attacks, many states rejected the help, fearing any erosion of states’ rights.
Because of this, each state has to take care of its own election security for their unique systems. The inevitable result is that some states will do much better than others.
Securing Voter Registration Databases
Voter registration databases are similar to any other database that the government or a company might keep. As such, they are susceptible to a wide range of attacks that can grant the attacker access, allowing them to steal or erase the data.
These include SQL injection attacks, phishing and other types of social engineering, DDoS attacks, ransomware attacks and exploits that take advantage of XSS vulnerabilities. As there aren’t any unique threats to voter registration databases, states need to double down on standard security measures if they want to protect the integrity of their data. They also need to be aware that they are a high value target, which means that they need to take more significant security precautions.
These measures should include risk analysis, adequate staff training, access management, regular patching, application whitelisting, implementing firewalls, regular vulnerability scanning, penetration testing and having an incident response plan ready ahead of time.
How Are Votes Counted?
The decentralized nature of the US means that there is a some variation in voting systems between states and even individual counties. The systems in place are:
As outdated as it may seem, paper votes are a relatively secure option. This is because you can’t just steal or alter them with a few clicks. Someone has to physically be there, which adds significant challenges and raises the risks for state actors. Another benefit of paper ballots is that they act as independent hard copies which are useful for recounts.
It was predicted that 71% of voters would use paper ballots in the 2016 election, but they aren’t without their problems. If voters don’t mark them properly, it can be difficult to make out their choice.
The rest of America will be placing their votes with electronic voting machines. While these may sound like the more modern and sensible choice, they are fraught with problems. In 42 states, these machines are more than 10 years old and use outdated software.
This means that there are many vulnerabilities for hackers to take advantage of. Even though the machines are disconnected from the internet, anyone with physical access could theoretically rewrite the code to change the way that the machines count votes.
Some of these machines print off paper receipts as a measure to counter any tampering. The receipts can be compared against the machine’s tally to verify the count. While this does provide an extra safety mechanism, it doesn’t make these machines foolproof.
Keeping Ballots Secure
The electronic voting machines in the United States have numerous problems. To boost security during the voting process, states could buy new systems that can run more modern software. While this would help, it would also cost a significant amount of money. Another option would be to ensure that all machines print off receipts, so that there would be a paper trail.
States could also revert to paper ballots if they found that there were too many security risks with electronic systems. While these machines are incredibly insecure, we also need to recognize how difficult it would be to implement a widespread attack on voting machines. To influence the election, an attacker would have to have physical access to hundreds or thousands of machines. Not only would this be incredibly challenging, but the risk of being caught is very high.
Are Our Elections Secure?
Given that databases were accessed in 39 states, the answer is no, even if these hacks didn’t affect the outcome. Securing elections is incredibly challenging. Having so much at stake makes them huge targets.
It is impossible to make elections 100% secure from attacks, especially when you consider that the threats come from state actors with seemingly infinite resources. Despite this, there are certainly steps that the Government can take to boost its defenses.
These should start with a risk assessment, and probably include policy changes that make it easier for states to cooperate. The use of electronic voting machines should also be reevaluated.
This is the first election where we have seen such widespread attacks, but it is sure to become more common in the future. If the government dose not take the necessary precautions, cyber attacks could have significant effects on our future democracy.