27.10.16

Election hacking FAQ: 2016 US presidential election edition


With all the recent headlines about “hacking the vote” and “voting hacked” quite a few people are asking if hackers could change the outcome of the 2016 US presidential election. Unfortunately, it is impossible to provide a responsible answer to that question in just a few words, so for folks interested in the many complex issues that this question raises I’ve compiled a list of objective, non-partisan answers to 10 Frequently Asked Questions on the topic of election hacking.
I’m going to start with a fundamental question, the answer to which provides some necessary context for the rest of the questions.
Q1. It’s 2016, why aren’t we voting online?
A1. Voting for the 2016 US presidential election is not online because secure internet voting is not possible in the US given the currently deployed technology. The vast majority of voting in the US presidential election takes place on systems that are not connected to the internet (in my professional opinion given the current state of internet security, this is a good thing). There is more about the technology requirements for internet voting in the answer to Question 10.
For a comprehensive overview of the security issues unique to voting, I recommend reading “If I Can Shop and Bank Online, Why Can’t I Vote Online?” by David Jefferson, a computer scientist at Lawrence Livermore National Laboratory. Although it was written a few years ago, this essay remains an accurate statement of the bottom line: The highly distributed and diverse voting processes used for the US presidential election give a level of security that is different from, and higher than, that required for online banking or shopping. In other words changing the outcome of the US presidential election through digital manipulation of the voting process is a lot harder than stealing money from an ATM or making a fraudulent online purchase.
Q2. If it’s so hard to rig the election by hacking the vote, why is everyone talking about it?
A2. There are several reasons for the current conversations about vote hacking.
i. Some polling places still use badly designed electronic voting machines. For many years, security and voting experts such as myself have called for these machines to be removed from the process. Because they are unfortunately still in use in some places, they show up in the media during every election cycle under headlines about voting machine hacking. Sadly, these articles often fail to address how these admittedly deplorable machine vulnerabilities could be exploited in an actual election-rigging scenario. The reality is that it would be very difficult to produce undetectable bogus voting outcomes without a large and coordinated effort by a determined entity that has a considerable in-country presence.
ii. One of the two leading 2016 presidential candidates has repeatedly claimed that the election is rigged and, despite a lack of evidence, some people assume that this candidate’s assertions mean fraudulent voting can take place at a scale that would determine the outcome of the election. They tend to cite headlines about “vote hacking” without reading the whole article, which may go on to say “this security issue will have no effect on the election” (other than a possible psychological effect, see Q8).
iii. Historically there have always been some politicians and public figures who find it convenient to say the presidential election is rigged. For example, if you think your candidate is going to lose, then claims of a rigged election before the votes are counted offer an excuse if they lose. Claims of a rigged election can also serve to undermine the authority of the eventual winner of the election, something you might want to do if you think it gives you political advantage (although there are numerous potential downsides to this strategy including the eventual repudiation of your strategy by voters in future elections).
Prior to the introduction of computers into the election machinery, claims of vote rigging centered on fraudulent balloting by dead people or people voting more than once, and so on. Those strategies led to the complex system of checks and balances in the voting processes that are used today. This system can block fraudulent voting before it happens and also detect it after the fact so that it can be remediated.
iv: In 2016 we have seen several hacking incidents directed at parts of the voting system and some of the players in the election. However, none of these have impacted the integrity of the voting process (see Q6).
v. A popular television program called Mr. Robot uses the tag line “Our democracy has been hacked” although frankly I didn’t see much democracy hacking in the program. I did see numerous realistic depictions of hacking activity that were technically accurate, but it is important to remember that Mr. Robot is not technically accurate in its portrayal of reality (my own take is that Mr. Robot is a science fiction/fantasy taking place in an alternative reality where the world economy is dominated by a single “too-big-to-fail” corporation.)
Q3. What exactly do you mean by “hacking the vote” and “hacking the election”?
A3. By hacking the vote I mean unauthorized access to, or manipulation of, information systems used in the voting process. This includes breaking into digital devices used for voting and denial of service attacks targeting any of these systems. What is not included is “hacking the election” in the sense of manipulating public opinion, like a disinformation campaign. Such actions are more accurately described as “information warfare” and not hacking, although information warfare may well use hacking. For example, you might be able to influence the outcome of an election like this: first you hack source A which has ties to your opponent; then you make sure the public knows that source A has experienced a security breach; finally you publish documents that appear to come from source A and have been doctored to make your opponent look bad. However, this is an indirect swaying or disruption of the vote, in that the votes would still reflect the intentions of the voters who cast them.
Q4. Can the voting machines used in the 2016 US presidential election be hacked?
A4. Yes, some of the voting machines used in the 2016 US presidential election can be hacked, but that in itself does not mean the election can be hacked. Millions of cars and trucks on the road today can be hacked, but that doesn’t mean they are being hacked or that we should stay off the roads. Converting the exploitation of vulnerabilities in certain electronic voting devices into fraudulent vote totals on Election Day would require considerable “meatspace” resources (meatspace = people in the flesh, real world operatives prepared to commit crime as opposed to criminal hackers who remain relatively untouchable in cyberspace).
There are two main reasons that hacking voting machines to affect an election outcome does not scale well. First, the US has not embraced internet voting. Very few voting machines are networked and even less are on the Internet. The lack of network connections between voting systems actually works as a safeguard and imposes a manpower burden on would-be fraudsters. Second, voting in US presidential elections is a highly fragmented process. Each state votes separately and within each state there are scores of different voting jurisdictions (some 8,000 altogether). So, for example, it is not like you can use a phishing email to infect Arizona’s voting machines and thereby steal the election.
A further level of protection against translating election machine vulnerabilities into a rigged election outcome is the numerous checks and balances in the US voting system, as discussed in Q5. So, even if you individually hacked Arizona’s unconnected voting machines to produce fraudulent vote totals on Election Day it is highly probable that this would be detected and subject to intense scrutiny, auditing, even a recount. And yes, I know that some voting systems make doing an audit and a recount very difficult (the main problem is Direct Recording Electronic or DRE machines that have no paper trail for backup). But if the goal is to get away with a fraudulent outcome by hacking voting machines, my opinion is that such a goal would be very hard to reach, even if the attempt produces a logistical problem that is very difficult to solve.
Q5. What checks and balances exist to ensure people don’t get away with hacking votes?
“election laws anticipate human error and cheating, and guard against them at multiple levels”
A5. I’m inclined to let Chris Ashby answer this. Chris is a leading member of the Republican National Lawyers Association with a lot of election experience. His recent article “The Election Is Not Rigged” provides a pretty good summation of the checks and balances so I am quoting him at length here as he explains how “election laws anticipate human error and cheating, and guard against them at multiple levels”:
·         Private citizens — not government bureaucrats — serve as the “clerks,” “inspectors,” “officers” or other election officials who run our polling places and conduct the voting.
·         Most state laws permit local political parties to appoint or nominate these officials, and require a roughly even partisan balance between them.
·         The law also permits parties and candidates to send pollwatchers into each polling place to stand over the election officials and monitor them as they work.
·         Election officials count votes and tally results.
·         Candidate and party representatives also observe this process.
·         Following the election, there is a public canvass at which the election night results are redetermined, to make sure that they are aligned.
I urge everyone to read Mr. Ashby’s article, which goes on to list five very difficult things you would have to do to rig the election, on top of which “you’d still have to Jedi-mind trick lawyers, political operatives and state election administrators, all of whom scrub precinct-level returns for aberrant election results, and scrutinize any polling place result that is not in line with what they would have expected, based on current political dynamics and historical election results.”
Still not convinced? How about this recent quote from Senator Marco Rubio of Florida, where voting is carried out by the states 67 counties, with each one operating independently of the other: “I promise you there is not a 67-county conspiracy to rig this election.” Or this, from Texas Secretary of State Carlos Cascos: “Texas has 254 counties using a variety of voting methods. The decentralized system in addition to layers of checks would make changing the outcome of a statewide election essentially impossible.”
Q6. What are voter rolls and if they’ve have been hacked, how can we be sure voting is accurate?
A6. Voter rolls are the lists of people who are registered to vote. These are managed and scrutinized at the local level by the 8,000 different voting jurisdictions into which the country is divided, but are typically aggregated at the state level. Numerous voter roll hacking scenarios exist, like deleting a bunch of your opponent’s supporters from the rolls or adding a bunch of fake supporters. The problem with turning these scenarios into a fraudulent election outcome is that you still need people to execute the plan at the scale required to change the outcome. For example, the fake supporters you added to the rolls need to vote, and someone needs to deflect the legitimate voters whose names you erased. And you need to do this without detection by an election workforce made up of people from both parties.
Of course, some media headlines are not helpful, like this example from Illinois: “Voter Rolls Hacked”. Yes, unauthorized persons did access records pertaining to thousands of voters, but no, they were not able to change them, as the article notes. So, as upsetting as the above-mentioned incident in Illinois might have been to the people whose information was exposed, that hack is unlikely to materially affect voting there. (For the record, some states actually allow your voter registration information to be published on the internet, see Q9.)
Q7. Could unauthorized access to the voter rolls enable hacking of the vote?
“If someone tries to go to the polling place and vote as you, then they are very likely to fail. Clearly, affecting the outcome of an election using this strategy is highly labor intensive.”
A7.You could potentially use data gleaned from the voter roll to find people who are likely to vote for the opposition and then find people to pretend to be them and cast votes for your candidate instead. But this is a tricky strategy to execute because in most voting scenarios in most states you need actual people to vote. The classic, time-honored “pen and paper in person” voting system works by having voters show up in person at the polling place and get a ballot. At that point their name is marked on the electoral roll. This is still the essence of the system under which the majority of votes are cast in the US presidential election.
If someone tries to go to the polling place and vote as you, then they are very likely to fail. Obviously they will fail if you have already voted. But even if they turn up before you and successfully pretend to be you – perhaps by knowing personal information about you that they gained by hacking – their vote is going to be invalidated when the real you turns up. Clearly, affecting the outcome of an election using this strategy is highly labor intensive.
Q8. Could all the talk about hacking during the election campaign affect the election outcome?
A8. Yes, this is a possibility. A large amount of imprecise media coverage about vote hacking could undermine confidence in the voting process. Consider articles that start with a news item – something to do with hacking and voting and the US presidential election – then proceed to a list of things that can go wrong with voting. Experts are quoted. Fear is generated. Uncertainty is expressed. Doubt is cast. And there you have the FUD trifecta, a hat-trick with the potential to undermine the US presidential election. That could mean the biggest threat to the 2016 US presidential election ends up being fear of threats to the election.
Casting doubts on the legitimacy/accuracy/security of the voting process in advance of voting is indeed one way to disrupt an election. Consider these two strategies:
i. Get people to believe that the voting system is liable to get hacked, so it’s pointless for them to vote, which could help your candidate if they are likely to benefit from low voter turnout.
ii. Get people to believe that the voting system is liable to get hacked, so if you lose you can claim the system is rigged and deny the legitimacy of the outcome.
It is interesting to note that talk of rigged elections is nothing new in American politics. Indeed, one of the current candidates openly rejected the outcome of the 2012 election, as shown in these tweets that were later deleted. It is also interesting that many of the officials overseeing elections in key “battleground states” this year are Republicans, some of whom have come forward to reassure the public about the security and legitimacy of the voting process in their respective jurisdictions, like the Florida, Iowa, and North Carolina officials quoted in this article. Additionally, it should be pointed out that the people who process our votes come from all political parties and work side-by-side in polling stations to facilitate free and fair voting.
Q9. Is it true that voter registration information from some states is published on the internet?
A9. Yes. For example, anyone with an internet connection can legally download the voter roll for every county in Florida. This information includes names, addresses, birthdays, phone numbers, even email addresses for some people. Some Floridians have two homes, so secondary out-of-state addresses are also listed for some voters. The publication of this data on the world wide web may strike many people as a huge violation of personal privacy; however, its legality stems from the idea that the voter rolls should be a matter of public record and open to challenge. Unfortunately, some public officials have not figured out that “on the internet” is categorically – and possibly catastrophically – different from “available for personal inspection in the registrar’s office during normal business hours”.
Q10. You said secure internet voting is currently impossible in the US so does that mean secure internet voting is possible in other places?
A10. One of the main prerequisites to secure internet voting in the US is a reliable means of digitally identifying and authenticating voters, of whom there are over 200 million. But there is no official national digital identification system in the US. Furthermore, past efforts to create one have run into serious opposition. Back in the 1990s I spoke with the CEO of a smartcard manufacturing company who had received death threats after President Clinton suggested all Americans could carry chip cards that gave healthcare providers access to a national database of their medical data.
That said, some countries have embraced digital identities, notably Estonia, which has carried out some national elections over the internet. One factor on Estonia’s side is scale: it is a small country with a population less than half that of San Diego County, just one of 3,000 counties in the US. Furthermore, Estonia is where the NATO Cooperative Cyber Defence Centre of Excellence is located (the CCD COE is an international military organization that develops the cybersecurity capabilities of NATO countries).
In other words, it may be possible to vote securely over the internet in a tightly controlled environment that is heavily defended, with a small population of digitally-savvy citizens. That said, it is still possible for errors to occur. Just take a look at this slide from a talk a few years ago at a meeting of non-partisan organisation Verified Voting. It shows actual lines of code from Estonia’s internet voting software. Admittedly that was a few years ago, and I’m assuming the problem has since been addressed, but still, this is not reassuring.
The slide was in a presentation by Joe Kiniry, a researcher who has studied internet voting for many years. Joe is a former professor at the Technical University of Denmark where he was Head of the Software Engineering Section. He is now CEO and Chief Scientist at Free & Fair, an elections technology consultancy, and a Principal Investigator at Galois in Portland, Oregon. In other words, he knows a thing or two about voting systems. He is widely quoted in that article I cited in Q4 about DRE voting machines.
Bonus Question! Could a DDoS attack be used to hack the 2016 US presidential election?
A. On Friday, October 21, a large Distributed Denial of Service (DDoS) attack caused sporadic internet service disruption in the US (we wrote about the attack here). This has raised fears that such an attack could happen on Election Day, November 8. However, while such an attack could interfere with internet-enabled media reporting of election-related activity, the above-mentioned lack of internet connectivity among voting systems would shield them from a DDoS attack. Election officials would still be able to count votes and report totals.

Summary

Hopefully this FAQ has been helpful. To be clear, I agree with many of my fellow security researchers that the US needs to get rid of vulnerable voting equipment, preferably long before the 2020 presidential election. And I acknowledge the feasibility of scenarios put forward by some of my colleagues in which a relatively small amount of election hacking/rigging could change the outcome in a close race. Yet I still believe that, as things stand right now, such efforts would be detected and eventually thwarted.
What seems undeniable when you examine these issues is that we all need to do a better job of educating our fellow citizens about how voting actually works in practice so that we can have meaningful discussions about its security and legitimacy, preferably unencumbered by myths and misconceptions, not to mention unsupported and illogical allegations.