There has been a great deal of controversy and consternation about the results of the 2016 presidential election. One side of the aisle argues that Russian interference and the spread of fake news had a direct impact on the outcome of the election, while the other side claims that any interference was negligible, and that claims of vote rigging are nothing more than sour grapes. So what is going on here? Are voting machines vulnerable to attack, or are the claims of hacking and invalid election results overblown?
As the two sides argue back and forth, there is an even bigger threat looming in the background, one that could impact future elections and throw American democracy into even greater turmoil.
In a survey by Venafi at the Black Hat conference in Aug 2018, 88% of cybersecurity professionals believe that attacks that disrupt election infrastructure should be considered acts of war. “Essentially, this is a war about compromising and controlling information. Once you fully understand that, it’s pretty easy to see that we are in a full-on cyber war right now,” said Jeff Hudson, CEO at Venafi.
A recent report by DEFCON Voting Village should serve as a wakeup call for anyone who values the integrity of the voting process. The study shows voting machines vulnerable to a number of issues, with both traditional optical scan devices and newer electronic voting machines potentially at risk.
Voting machines vulnerable to hacking attempts
That DEFCON Voting Village report showed that some of the most popular and widely used voting machines are vulnerable to hacking and that their security in the upcoming election is anything but assured. The fact that many election machines do not provide any kind of paper trail, and that many state and local cybersecurity efforts have expressed concerns that their voting equipment is vulnerable to hacking, is certainly cause for concern.
Election officials are definitely concerned about voting machines vulnerable to hacking, both in person and remotely. From the secretary of state to local election management officials, a number of individuals and organizations have already expressed concern. Some have even proposed abandoning electronic voting equipment altogether and returning to the old-fashioned paper ballot.
The need for a paper trail
As Election Day approaches, many cybersecurity experts have expressed support for a verifiable paper trail, one that could provide voters with reassurance that their preferences have been accurately recorded. No matter what your party or political beliefs, election security is a critical part of American democracy, and compromised voting systems could put the entire system at risk.
According to research conducted by Global Cyber Policy Watch, one of the most well respected voter integrity organizations in the world, voting machines and voting processes remain vulnerable to a number of attacks, and there is a real risk that multiple attacks could take place simultaneously. These simultaneous attacks, should they occur, have the potential to throw the entire American democratic system into chaos, a situation that could dwarf the controversy that continues to cloud the results of the 2016 presidential election.
It is clear that the United States government takes these risks very seriously, but so far efforts to protect the integrity of the voting infrastructure has been somewhat muted. The infrastructure for elections has been a part of the nation’s critical infrastructure since January 2017, and attempts to study and understand the inherent vulnerabilities of the election system have been ongoing since that time.
Study shows voting machines vulnerable to multiple attacks
As part of those attempts, Global Cyber Policy Watch recently shared its latest research, a study conducted by the DEFCON Voting Machine Hacking Village. That report, released by the aptly named Voting Village, was released on September 2018, nearly two years after the conclusion of the 2016 presidential election and less than six weeks before the upcoming midterms.
That report was deeply troubling, uncovering not one but several potential vulnerabilities in the current election infrastructure. Specifically, the report by Voting Village detailed four potential dangers in the way American elections are currently conducted. Those four potential vulnerabilities are as follows:
#1. Supply chain insecurity
In the corporate world, problems with the supply chain could lead to shortages of raw materials and issues with the quality of finished products. When those supply chain insecurities happen in the voting process, the results could be far more dire.
Supply chain insecurity was the first of the four findings by Voting Village, and it is one of the most troubling. The report points out that the supply chain for the parts used in voting machines is global in nature, and that there is no specific process that identifies where those parts come from or how they are manufactured.
That means an adversary, like China or Russia, could potentially introduce back doors and other vulnerabilities along the supply chain. When the voting machines are manufactured, those deliberate deficiencies could leave those machines, and the entire election infrastructure that relies on them, vulnerable to hacking.
#2. The possibility of remote attacks
Defenders of the current voting process often point out that voting machines are not connected to the internet during elections, but Voting Village found that those machines are still vulnerable to remote attacks. Despite assurances that the voting machines used in American elections are “air gapped” from the Internet, researchers from both DEFCON 25 and 26 cited multiple exploits that could lead to remote hacks of those machines.
Importantly, the study found that these remote exploits did not require physical access to the machines themselves, making them far more vulnerable to attack than many experts previously realized. One specific vulnerability cited in the report involved the use of an electronic card, one that is already in use by millions of Americans. That commonly used electronic card could be used to activate the voting terminal, using it to cast a ballot via a remotely reprogrammed mobile phone.
#3. Hacking faster than voting
The recent study also found that hacking could take place faster than legitimate voting. In the study, Voting Village found that it takes an average of six minutes for a voter to cast a ballot. At the same time, the organization identified 15 states whose voting machines could be hacked in just two minutes, using nothing more than a simple Bic pen.
That troubling finding suggests that the vote could be hacked, in real time, on Election Day, right at the polling place. The simplicity of the tools required to conduct the in-person hack, combined with the speed at which it takes place, is enough to give every voter pause.
#4. Past hacks have not been fixed
The recent study has revealed some troubling issues with the election infrastructure, including findings that showed voting machines vulnerable to a wide variety of hacking attempts. In many ways, the final vulnerability is the most troubling, since it reveals that even previously reported hacking attempts and vulnerabilities often go unaddressed.
In their findings that found voting machines vulnerable to hackers, Voting Village cited information that when vendors have been told their machines are vulnerable, and that they have serious security flaws, those issues have still gone unfixed.
As an example of how voting machines vulnerable to attack are still in widespread use, Voting Village cited a critical vulnerability, reported way back in 2007, which had gone unaddressed, and unfixed, for nine years. That particular indication of voting machines vulnerable to hacking was finally patched in 2016. The fact that multiple presidential and midterm elections had been conducted in the interim is enough to give every voter, and every candidate, sleepless nights.
So with voting machines vulnerable and future elections at risk of hacking, what can ordinary voters and concerned citizens do? American democracy is everyone’s responsibility, and having voting machines vulnerable is a danger to the American way of life. The results of the Voting Village study should serve as a real wakeup call, and it is important for voters to put pressure on their elected officials to make some serious changes.