By Stephen Cobb
With all the recent headlines about “hacking the
vote” and “voting hacked” quite a few people are asking if hackers could change
the outcome of the 2016 US presidential election. Unfortunately, it is
impossible to provide a responsible answer to that question in just a few
words, so for folks interested in the many complex issues that this question
raises I’ve compiled a list of objective, non-partisan answers to 10 Frequently
Asked Questions on the topic of election hacking.
I’m going to start with a fundamental question, the
answer to which provides some necessary context for the rest of the questions.
Q1. It’s 2016, why aren’t we voting online?
A1. Voting for
the 2016 US presidential election is not online because secure internet voting
is not possible in the US given the currently deployed technology. The vast
majority of voting in the US presidential election takes place on systems that
are not connected to the internet (in my professional opinion given the current
state of internet security, this is a good thing). There is more about the
technology requirements for internet voting in the answer to Question 10.
For a comprehensive overview of the security issues
unique to voting, I recommend reading “If I Can Shop and Bank Online, Why Can’t I Vote Online?” by
David Jefferson, a computer scientist at Lawrence Livermore National
Laboratory. Although it was written a few years ago, this essay remains an
accurate statement of the bottom line: The highly distributed and diverse
voting processes used for the US presidential election give a level of security
that is different from, and higher than, that required for online banking or
shopping. In other words changing the outcome of the US presidential election
through digital manipulation of the voting process is a lot harder than
stealing money from an ATM or making a fraudulent online purchase.
Q2. If it’s so hard to rig the election by
hacking the vote, why is everyone talking about it?
A2. There are
several reasons for the current conversations about vote hacking.
i. Some
polling places still use badly designed electronic voting machines. For many
years, security and voting experts such as myself have called for these
machines to be removed from the process. Because they are unfortunately still
in use in some places, they show up in the media during every election cycle
under headlines about voting machine hacking. Sadly, these articles often fail
to address how these admittedly deplorable machine vulnerabilities could be
exploited in an actual election-rigging scenario. The reality is that it would
be very difficult to produce undetectable bogus voting outcomes without a large
and coordinated effort by a determined entity that has a considerable
in-country presence.
ii. One of the
two leading 2016 presidential candidates has repeatedly claimed that the
election is rigged and, despite a lack of evidence, some people assume that
this candidate’s assertions mean fraudulent voting can take place at a scale
that would determine the outcome of the election. They tend to cite headlines
about “vote hacking” without reading the whole article, which may go on to say
“this security issue will have no effect on the election” (other than a
possible psychological effect, see Q8).
iii.
Historically there have always been some politicians and public figures who
find it convenient to say the presidential election is rigged. For example, if
you think your candidate is going to lose, then claims of a rigged election
before the votes are counted offer an excuse if they lose. Claims of a rigged
election can also serve to undermine the authority of the eventual winner of
the election, something you might want to do if you think it gives you
political advantage (although there are numerous potential downsides to this
strategy including the eventual repudiation of your strategy by voters in
future elections).
Prior to the introduction of computers into the
election machinery, claims of vote rigging centered on fraudulent balloting by
dead people or people voting more than once, and so on. Those strategies led to
the complex system of checks and balances in the voting processes that are used
today. This system can block fraudulent voting before it happens and also
detect it after the fact so that it can be remediated.
iv: In 2016 we
have seen several hacking incidents directed at parts of the voting system and
some of the players in the election. However, none of these have impacted the
integrity of the voting process (see Q6).
v. A popular
television program called Mr. Robot uses the tag line “Our democracy has
been hacked” although frankly I didn’t see much democracy hacking in the
program. I did see numerous realistic depictions of hacking activity that were
technically accurate, but it is important to remember that Mr. Robot is
not technically accurate in its portrayal of reality (my own take is that Mr.
Robot is a science fiction/fantasy taking place in an alternative reality
where the world economy is dominated by a single “too-big-to-fail” corporation.)
Q3. What exactly do you mean by “hacking the
vote” and “hacking the election”?
A3. By hacking
the vote I mean unauthorized access to, or manipulation of, information systems
used in the voting process. This includes breaking into digital devices used
for voting and denial of service attacks targeting any of these systems. What
is not included is “hacking the election” in the sense of manipulating public
opinion, like a disinformation campaign. Such actions are more accurately
described as “information warfare” and not hacking, although information
warfare may well use hacking. For example, you might be able to influence the
outcome of an election like this: first you hack source A which has ties to
your opponent; then you make sure the public knows that source A has
experienced a security breach; finally you publish documents that appear to
come from source A and have been doctored to make your opponent look bad.
However, this is an indirect swaying or disruption of the vote, in that the
votes would still reflect the intentions of the voters who cast them.
Q4. Can the voting machines used in the 2016
US presidential election be hacked?
A4. Yes, some
of the voting machines used in the 2016 US presidential election can be hacked,
but that in itself does not mean the election can be hacked. Millions of cars
and trucks on the road today can be hacked, but that doesn’t mean they
are being hacked or that we should stay off the roads. Converting the
exploitation of vulnerabilities in certain electronic voting devices into
fraudulent vote totals on Election Day would require considerable “meatspace”
resources (meatspace = people in the flesh, real world operatives prepared to
commit crime as opposed to criminal hackers who remain relatively untouchable
in cyberspace).
There are two main reasons that hacking voting
machines to affect an election outcome does not scale well. First, the US has
not embraced internet voting. Very few voting machines are networked and even
less are on the Internet. The lack of network connections between voting
systems actually works as a safeguard and imposes a manpower burden on would-be
fraudsters. Second, voting in US presidential elections is a highly fragmented
process. Each state votes separately and within each state there are scores of
different voting jurisdictions (some 8,000 altogether). So, for example, it is
not like you can use a phishing email to infect Arizona’s voting machines and
thereby steal the election.
A further level of protection against translating
election machine vulnerabilities into a rigged election outcome is the numerous
checks and balances in the US voting system, as discussed in Q5. So, even if
you individually hacked Arizona’s unconnected voting machines to produce
fraudulent vote totals on Election Day it is highly probable that this would be
detected and subject to intense scrutiny, auditing, even a recount. And yes, I
know that some voting systems make doing an audit and a recount very difficult
(the main problem is Direct Recording Electronic or DRE machines that have no paper
trail for backup). But if the goal is to get away with a fraudulent outcome by
hacking voting machines, my opinion is that such a goal would be very hard to
reach, even if the attempt produces a logistical problem that is very difficult
to solve.
Q5. What checks and balances exist to ensure
people don’t get away with hacking votes?
“election laws anticipate human error and cheating,
and guard against them at multiple levels”
A5. I’m inclined to let Chris Ashby answer this. Chris is a leading member of the Republican National Lawyers Association with a lot of election experience. His recent article “The Election Is Not Rigged” provides a pretty good summation of the checks and balances so I am quoting him at length here as he explains how “election laws anticipate human error and cheating, and guard against them at multiple levels”:
A5. I’m inclined to let Chris Ashby answer this. Chris is a leading member of the Republican National Lawyers Association with a lot of election experience. His recent article “The Election Is Not Rigged” provides a pretty good summation of the checks and balances so I am quoting him at length here as he explains how “election laws anticipate human error and cheating, and guard against them at multiple levels”:
·
Private
citizens — not government bureaucrats — serve as the “clerks,” “inspectors,”
“officers” or other election officials who run our polling places and conduct
the voting.
·
Most state
laws permit local political parties to appoint or nominate these officials, and
require a roughly even partisan balance between them.
·
The law also
permits parties and candidates to send pollwatchers into each polling place to
stand over the election officials and monitor them as they work.
·
Election
officials count votes and tally results.
·
Candidate and
party representatives also observe this process.
·
Following the
election, there is a public canvass at which the election night results are
redetermined, to make sure that they are aligned.
I urge everyone to read Mr. Ashby’s article, which
goes on to list five very difficult things you would have to do to rig the
election, on top of which “you’d still have to Jedi-mind trick lawyers,
political operatives and state election administrators, all of whom scrub
precinct-level returns for aberrant election results, and scrutinize any
polling place result that is not in line with what they would have expected,
based on current political dynamics and historical election results.”
Still not convinced? How about this recent quote
from Senator Marco Rubio of Florida, where voting is carried out by the states
67 counties, with each one operating independently of the other: “I promise you
there is not a 67-county conspiracy to rig this election.” Or this, from Texas
Secretary of State Carlos Cascos: “Texas has 254 counties using a variety of
voting methods. The decentralized system in addition to layers of checks would
make changing the outcome of a statewide election essentially impossible.”
Q6. What are voter rolls and if they’ve have
been hacked, how can we be sure voting is accurate?
A6. Voter rolls
are the lists of people who are registered to vote. These are managed and
scrutinized at the local level by the 8,000 different voting jurisdictions into
which the country is divided, but are typically aggregated at the state level.
Numerous voter roll hacking scenarios exist, like deleting a bunch of your
opponent’s supporters from the rolls or adding a bunch of fake supporters. The
problem with turning these scenarios into a fraudulent election outcome is that
you still need people to execute the plan at the scale required to change the
outcome. For example, the fake supporters you added to the rolls need to vote,
and someone needs to deflect the legitimate voters whose names you erased. And
you need to do this without detection by an election workforce made up of
people from both parties.
Of course, some media headlines are not helpful,
like this example from Illinois: “Voter Rolls Hacked”. Yes, unauthorized persons did access
records pertaining to thousands of voters, but no, they were not able to change
them, as the article notes. So, as upsetting as the above-mentioned incident in
Illinois might have been to the people whose information was exposed, that hack
is unlikely to materially affect voting there. (For the record, some states
actually allow your voter registration information to be published on the
internet, see Q9.)
Q7. Could unauthorized access to the voter
rolls enable hacking of the vote?
“If someone tries to go to the polling place and
vote as you, then they are very likely to fail. Clearly, affecting the outcome
of an election using this strategy is highly labor intensive.”
A7.You could potentially use data gleaned from the voter roll to find people who are likely to vote for the opposition and then find people to pretend to be them and cast votes for your candidate instead. But this is a tricky strategy to execute because in most voting scenarios in most states you need actual people to vote. The classic, time-honored “pen and paper in person” voting system works by having voters show up in person at the polling place and get a ballot. At that point their name is marked on the electoral roll. This is still the essence of the system under which the majority of votes are cast in the US presidential election.
A7.You could potentially use data gleaned from the voter roll to find people who are likely to vote for the opposition and then find people to pretend to be them and cast votes for your candidate instead. But this is a tricky strategy to execute because in most voting scenarios in most states you need actual people to vote. The classic, time-honored “pen and paper in person” voting system works by having voters show up in person at the polling place and get a ballot. At that point their name is marked on the electoral roll. This is still the essence of the system under which the majority of votes are cast in the US presidential election.
If someone tries to go to the polling place and
vote as you, then they are very likely to fail. Obviously they will fail if you
have already voted. But even if they turn up before you and successfully
pretend to be you – perhaps by knowing personal information about you that they
gained by hacking – their vote is going to be invalidated when the real you
turns up. Clearly, affecting the outcome of an election using this strategy is
highly labor intensive.
Q8. Could all the talk about hacking during
the election campaign affect the election outcome?
A8. Yes, this
is a possibility. A large amount of imprecise media coverage about vote hacking
could undermine confidence in the voting process. Consider articles that start
with a news item – something to do with hacking and voting and the US
presidential election – then proceed to a list of things that can go wrong with
voting. Experts are quoted. Fear is generated. Uncertainty is expressed. Doubt
is cast. And there you have the FUD trifecta, a hat-trick with the potential to
undermine the US presidential election. That could mean the biggest threat to
the 2016 US presidential election ends up being fear of threats to the
election.
Casting doubts on the legitimacy/accuracy/security
of the voting process in advance of voting is indeed one way to disrupt an
election. Consider these two strategies:
i. Get people
to believe that the voting system is liable to get hacked, so it’s pointless
for them to vote, which could help your candidate if they are likely to benefit
from low voter turnout.
ii. Get people
to believe that the voting system is liable to get hacked, so if you lose you
can claim the system is rigged and deny the legitimacy of the outcome.
It is interesting to note that talk of rigged
elections is nothing new in American politics. Indeed, one of the current
candidates openly rejected the outcome of the 2012 election, as shown in these tweets that were later deleted. It is also interesting that
many of the officials overseeing elections in key “battleground states” this
year are Republicans, some of whom have come forward to reassure the public
about the security and legitimacy of the voting process in their respective
jurisdictions, like the Florida, Iowa, and North Carolina officials quoted in this article. Additionally, it should be
pointed out that the people who process our votes come from all political
parties and work side-by-side in polling stations to facilitate free and fair
voting.
Q9. Is it true that voter registration information
from some states is published on the internet?
A9. Yes. For
example, anyone with an internet connection can legally download the voter roll
for every county in Florida. This information includes names, addresses,
birthdays, phone numbers, even email addresses for some people. Some Floridians
have two homes, so secondary out-of-state addresses are also listed for some
voters. The publication of this data on the world wide web may strike many
people as a huge violation of personal privacy; however, its legality stems
from the idea that the voter rolls should be a matter of public record and open
to challenge. Unfortunately, some public officials have not figured out that
“on the internet” is categorically – and possibly catastrophically – different
from “available for personal inspection in the registrar’s office during normal
business hours”.
Q10. You said secure internet voting is
currently impossible in the US so does that mean secure internet voting is
possible in other places?
A10. One of the
main prerequisites to secure internet voting in the US is a reliable means of
digitally identifying and authenticating voters, of whom there are over 200
million. But there is no official national digital identification system in the
US. Furthermore, past efforts to create one have run into serious opposition.
Back in the 1990s I spoke with the CEO of a smartcard manufacturing company who
had received death threats after President Clinton suggested all Americans
could carry chip cards that gave healthcare providers access to a national
database of their medical data.
That said, some countries have embraced digital
identities, notably Estonia, which has carried out some national elections over
the internet. One factor on Estonia’s side is scale: it is a small country with
a population less than half that of San Diego County, just one of 3,000
counties in the US. Furthermore, Estonia is where the NATO Cooperative Cyber
Defence Centre of Excellence is located (the CCD COE is an international military
organization that develops the cybersecurity capabilities of NATO countries).
In other words, it may be possible to vote securely
over the internet in a tightly controlled environment that is heavily defended,
with a small population of digitally-savvy citizens. That said, it is still
possible for errors to occur. Just take a look at this slide from a talk a few
years ago at a meeting of non-partisan organisation Verified Voting. It shows
actual lines of code from Estonia’s internet voting software. Admittedly that
was a few years ago, and I’m assuming the problem has since been addressed, but
still, this is not reassuring.
The slide was in a presentation by Joe Kiniry, a
researcher who has studied internet voting for many years. Joe is a former
professor at the Technical University of Denmark where he was Head of the
Software Engineering Section. He is now CEO and Chief Scientist at Free &
Fair, an elections technology consultancy, and a Principal Investigator at
Galois in Portland, Oregon. In other words, he knows a thing or two about
voting systems. He is widely quoted in that article I cited in Q4 about DRE
voting machines.
Bonus Question! Could a DDoS attack be used
to hack the 2016 US presidential election?
A. On Friday,
October 21, a large Distributed Denial of Service (DDoS) attack caused sporadic
internet service disruption in the US (we wrote about the attack here). This has raised fears that
such an attack could happen on Election Day, November 8. However, while such an
attack could interfere with internet-enabled media reporting of
election-related activity, the above-mentioned lack of internet connectivity
among voting systems would shield them from a DDoS attack. Election officials
would still be able to count votes and report totals.
Summary
Hopefully this FAQ has been helpful. To be clear, I
agree with many of my fellow security researchers that the US needs to get rid
of vulnerable voting equipment, preferably long before the 2020 presidential
election. And I acknowledge the feasibility of scenarios put forward by some of
my colleagues in which a relatively small amount of election hacking/rigging
could change the outcome in a close race. Yet I still believe that, as things
stand right now, such efforts would be detected and eventually thwarted.
What seems undeniable when you examine these issues
is that we all need to do a better job of educating our fellow citizens about
how voting actually works in practice so that we can have meaningful
discussions about its security and legitimacy, preferably unencumbered by myths
and misconceptions, not to mention unsupported and illogical allegations.