How real is the threat of election results being hacked?
As we’ve posted here on the Buzz Blog previously, cybersecurity is an ever-growing concern, especially since so many things have shifted to a remote setting since the COVID-19 pandemic hit earlier this year. And let’s be honest, it was an issue before your banker was servicing your account while the dog begs for a treat and her toddlers play on the carpet in the other room. The question though that is on the minds of many people is just how real the threat is in the context of the elections coming up. It’s impossible to accurately predict this with 100% certainty, but we’d like to take a look at some of the very real and valid concerns that people have.
To begin with, many people have questions about election security itself. How safe are the databases that store voters’ sensitive information? In 2016 it was confirmed by CBS News that the state election databases in Arizona and Illinois had been hacked. If that weren’t bad enough, at the Black Hat convention earlier that year, it was proven that voter smart cards could be used to vote multiple times. And when not all states are using a paper ballot verification system, this is concerning.
But how exactly does a voting machine get hacked? To start with, there are two types of voting machines: paper and electronic. And the problem with many electronic machines is that they are over a decade old. These machines were designed in a time when cyberattacks, while by no means unheard of, at the very least were less rampant. And the software, issued by companies like Microsoft, isn’t being updated. And because most voting machines don’t have firewalls to prevent unauthorized remote access, it’s not hard for an attacker in close proximity to target an attack with the intent of taking over the device.
We’ll talk about what can be done in light of these concerning revelations, but first, we’d be remiss if we didn’t take this opportunity to point out that cybercriminals also look to exploit the interest people take in the elections by flooding every available channel with malicious spam. Clickbait stories go out every day in emails with the hopes that people will unknowingly open and forward them, spreading malware. We’ve heard from people who had a check in their gut, but opened a suspicious email anyway and now regret it. The best advice we can give you here is that if something doesn’t feel right—pay attention to that. It’s better to double-check the source of a suspicious email and be safe.
Cybersecurity’s role in helping limit the risk of exposure
Most experts agree that election officials need to take a more revolutionized approach to prevent hacking and prevent being left behind as other industries move towards modernization and digitizing outdated infrastructure. A recent article by Security Magazine identifies 9 major election infrastructure components that are necessary in order for any election to be deemed secure, accurate, fair, and accessible:
- Voter registration and database systems
- Electronic poll book/onsite voter registration systems
- Vote capture devices
- Vote tally systems
- Election night reporting systems
- State and other county systems that process election data
- Traditional and social media communication applications used for situational reporting
- Vendor election equipment/service architectures
They also recommend that elections jurisdictions bring in a cybersecurity and advisory consulting team to assess whether there are any weaknesses in any of the above areas. Cybersecurity experts can more readily identify these areas because they are trained to know what patterns to look for. Doing so will reinforce the local elections jurisdictions to be able to pinpoint important security issues and target them for quick remediation, better understand how prepared they are to respond quickly to a security event, and be able to evaluate the strategic priority of using certain methods to reduce methods and frequency of attack.
The Bottom Line
Circling back to our original question: Can the elections be hacked? The answer is yes. There are definitely enough weak links in the system countrywide. And although a cyberattack is preventable, with the election being days away, it’s unlikely that steps will be taken between November 3rd at 7pm and the time that this blog goes to print.
If a prototype of an election cybersecurity program could be implemented, it should include precepts that would empower an election jurisdiction to pinpoint, isolate, and update any obsolete OSes on election business systems, as well as routinely conduct elections cyber-maturity assessments. Some experts advocate only using paper ballots.
The most important thing right now is to keep asking probing questions and continue to advocate for updated protocols and systematic approaches that will streamline the process and make attacks harder to succeed. While we have no doubt that these very attacks will continue to get more sophisticated and more frequent, we remain optimistic that continued vigilance and education will reduce the chances that elections will continue to be hacked.