Over the summer, an alarming series of stories trickled out of DefCon, one of the world’s largest hacker conventions hosted in Las Vegas. In order to demonstrate the vulnerable nature of the U.S. election infrastructure, conference organizers collected 30 different voting machines and challenged a room full of information security researchers to break into them.
The results, detailed in a paper put together by conference organizers, were “sobering.”
“By the end of the conference, every piece of equipment in the Voting Village was effectively breached in some manner. Participants with little prior knowledge and only limited tools and resources were quite capable of undermining the confidentiality, integrity, and availability of these systems,” wrote the paper’s authors.
These findings, just seven months after intelligence agencies determined the U.S. was the victim of a massive cyber and disinformation campaign executed by Russia during the 2016 election, caused a large number of media outlets and politicians to express shock and question the very integrity of the U.S. voting system.
If a room full of information security researchers could compromise these voting machines in a single day, what chance did the U.S. electoral infrastructure have defending against organized hacking groups and dedicated nation-states?
However, a closer examination reveals that the most direct form of “hacking an election,” breaking into voting machines and altering vote counts, is a good deal more difficult than the headlines suggest. For instance, while many outlets reported that conference attendees were able to penetrate all 30 machines, less reported was the fact that in the vast majority of cases, hackers needed to have extensive and direct physical access, including taking them apart, in order to find the vulnerabilities that allowed them to access voting software.
Jeanette Manfra, assistant secretary for the office of cybersecurity and communications at the Department of Homeland Security, made this point during a Nov. 8 cybersecurity event hosted by the Washington Post.
“There have been people who’ve talked about being able to hack into those voting machines, but they still need to have physical access, and states and localities are very circumspect about how they treat those voting machines. They’re locked in warehouses, they’re transported securely. And a lot of them, while they may be digital, they’re not online,” Manfra said.
While hackers at DefCon were able to remotely hack into at least one machine, an AVS WinVote machine, that model was decertified in 2014 precisely because of its notoriously weak Wi-Fi security, and it hasn’t been used in U.S. elections since. Furthermore, many of the models used were older machines purchased on the secondary market and not necessarily representative of what most states rely on today.
The distinction between a remote and physical hack matters, because any attempt to alter an election at scale through vote tampering would almost by definition require secrecy, and it is logistically far more difficult to pull off a discrete hack when it requires taking apart a machine that is often subject to complex chain of custody protocols.
Jason Ogden, an information security specialist at DHS, gave an overview of U.S. election security Oct. 30 at the Executive Leadership Conference in Williamsburg, Va. While Ogden emphasized that “all future elections will face cyber threats,” he said the decentralized nature of U.S. election infrastructure is often one of its greatest shields against a large-scale, coordinated cyberattack. There are over 8,000 jurisdictions that administer local, state and federal elections across the United States. Each operates more or less independently of one another, with their own rules, protocols, equipment, technology and software.
After his presentation, he told FCW that while nobody should be resting on their laurels, the ability to break into voting machines is not as easy or direct as the results from DefCon imply.
“My personal opinion is that when we’re dealing with what occurred at Black Hat and DefCon, some of that is for show, obviously,” Ogden said. “As a best practice … if you’re controlling any kind of infrastructure you’re not going to let just anybody have access to it.”
That’s not to say the threat is nonexistent or that nation states and hacking groups aren’t actively looking for ways to access voting software. DHS itself notified 21 states in September that Russian cyber actors had “targeted” internet connected networks, like voter registration databases, related to their election systems. Several states subsequently disputed those assertions, questioning whether the information DHS provided backed up their claims.
Alex Halderman, professor of computer science and engineering at the University of Michigan, made headlines shortly after the 2016 election when he publicly urged the Hillary Clinton presidential campaign to call for a recount in three swing states based on evidence he had compiled that purported to show discrepancies between counties that relied on electronic ballots and paper ballots.
Halderman later acknowledged it was “probably not” the case that 2016 election results were tampered with, but he has continued to sound the alarm about election cybersecurity vulnerabilities since. During a September 2017 panel hosted by the Brennan Center for Justice, Halderman laid out the research he had done on electronic voting machine security over the past decade.
Today, most jurisdictions rely on two styles of voting machine: optical scan and direct-recording electronic (DRE) machines. While these machines are not typically connected to the internet, the software used to update them every election cycle is.
Before every election, each voting machine must be updated with the ballot, names of the candidates and specific races. A hacker could theoretically gain access and manipulate vote totals “by inserting malicious software into the removable memory cards that are used before every election to program the ballot design into the machine.” If poll workers used that card to update multiple machines, that could potentially cause the malware to spread.
While Halderman acknowledged that there is no evidence that vote counts have been manipulated in any previous election, he is convinced it is only a matter of time. Even if hackers are only able to penetrate a select number of voting machines, he argued that a targeted effort could still potentially influence election results.
“In a close election, a national outcome might depend on a few states or swing districts. A hacker could probe all of these jurisdictions, find the ones that are most weakly protected and target them,” Halderman said.
The wrong lens
Many officials believe that because of the level of difficulty and effort required, it doesn’t make sense for nation-states to influence an election through electronic vote tampering, especially since approximately 70 percent of counties still use paper ballots in some form. It may ultimately be far easier for a nation to wage a larger, covert disinformation campaign designed to exploit pre-existing political and societal fissures in an electorate and nudge voters at the margins toward or away from certain candidates.
“I have less concern about the data itself and more about [bad actors] causing confusion,” said Manfra.
While speaking at a Nov. 7 Center for Strategic and International Studies event, former CIA director Michael Hayden said the nation needs to stop looking at election influence through the lens of cybersecurity and start looking at the problem as a broader issue of information warfare.
“The [Russian] cyber attack could have been done by script kiddies. That was basic stuff,” Hayden said. “What happened afterwards was the big news.”