U.S. Department of Homeland Security (DHS) officials now say it’s likely that in 2016, Russian hackers at least attempted to break into election systems in all 50 states.
So far this year, there’s been no evidence of attempts to hack election systems ahead of the midterm congressional races, but federal, state, and local officials are still taking steps to keep any intruders at bay. Congress in March appropriated $380 million to help states beef up election security, and the DHS has been working with states to help them test and improve the security of their election systems.
“The president has been clear, and the DHS and our interagency partners have been clear: We will not allow any foreign adversary to change the outcome of our elections,” Homeland Security Secretary Kirstjen M. Nielsen said at April’s RSA security conference in San Francisco.
Hackers digitally flipping votes is the worst-case scenario, and it’s one that experts take seriously. Thirteen states use at least some voting machines that only record votes electronically with no paper backups, meaning a hack or even a malfunction could leave votes permanently altered or lost. And despite the new legislation, at least 11 of those states won’t receive enough money from the federal government to replace all those machines by November, according to a recent report by the Brennan Center for Justice at New York University’s School of Law. Nor, says Lawrence Norden, deputy director of the center’s democracy program, will state legislatures necessarily make up the difference.
“Election officials are eager to replace them,” he says. “That doesn’t mean the states are eager to provide the money.”
Last year at the Defcon hacking conference, security experts and amateurs deconstructed used electronic voting machines, exposing a number of potential flaws. Many experts say an attack designed to systematically sway an election by tampering with voting machines would be quite difficult, since the machines are usually not connected to the internet and are secured under lock and key before elections.
But almost equally worrisome is the possibility that, in an era of conspiracy theories and foreign powers spreading misinformation, enterprising hackers could manage to throw the election in doubt without altering a single ballot.
“The vote results could be exactly correct and capture perfectly the voters’ intent, but there are some opportunities for activities that could cause the American public to lose confidence,” says John Gilligan, executive chairman of the Center for Internet Security. That nonprofit recently produced an election security handbook and established an Elections Infrastructure Information Sharing and Analysis Center to help officials share data. (The DHS is also working to get security clearances for state election officials so they can get access to restricted intelligence data.)
Hackers could tamper with voter rolls so registered voters would find themselves forced to wait in long lines or cast provisional ballots at the polls. Or they could manipulate election night reporting systems so that incorrect totals were disseminated to the public. While officials could later ensure the proper ballots were counted and report correct totals, the public would still lose faith in the results of the election. Many election experts are also now advocating that states with paper ballots conduct some kind of manual audit of any results. That can often be done by recounting a sample of the ballots to spot any unusual discrepancies.
“In general, smaller margins of victory and fewer total votes cast require auditing a larger percentage of the ballots cast,” the CIS-issued handbook advises.
To try to prevent any sort of tampering, many states are deploying new digital safeguards, like requiring multifactor authentication to gain access to critical election systems, says Indiana Secretary of State Connie Lawson.
“We’ve always whitelisted our IP addresses so that we know which computers have access to the system,” says Lawson, who is also president of the National Association of Secretaries of State. “But now with this multifactor access they will have to have a token that’s inserted into the computer so that they have to be physically present, and then they also have to put in another password.”
A number of states, including Lawson’s Indiana, are also participating in a CIS program called Albert, which sends network traffic data to systems at the organization that can spot known suspicious behavior, she says. They’re also training state staff and local authorities to watch out for common hacking tricks like phishing emails that could let saboteurs into their systems.
“We know our state system is only as secure as the most unsophisticated employee who has access to that,” Lawson says.
Even in jurisdictions where voters manually fill out paper ballots with a pen or where the ballots are generated by an interactive machine, votes are still generally tabulated using some sort of computer. And even election-related tabulators or voting machines that are never hooked up to the internet generally still get updated somehow, perhaps with a memory card or USB stick. Sufficiently skilled hackers could still manage to take them down or install malicious code on them if they get into the machine used to program the others, warns Marian K. Schneider, president of the nonprofit Verified Voting.
“If you can get in that computer, then you don’t need physical access to all the devices,” she says.
Even systems outside of government control could be targets of resourceful hacking groups: One of the private sector organizations on a DHS election infrastructure coordinating council is the arm of the Associated Press that delivers election-night projections. Security experts have warned that the governmental push to secure digital systems could drive hackers to find other election-related targets, including the news media.
“Because of this, I believe we will likely see–either now, or in the future–more attacks targeted to fringe or indirect groups involved in the election,” writes Tom Pageler, chief risk officer and chief security officer at Neustar, in an email to Fast Company. “For example, widespread DDoS attacks targeting news services to throw out the news cycle and cause public panic.”
But even the public sector could benefit from still more investment in election security—like getting the money to finally replace those aging, digital-only voting machines. A bill pending in Congress for months, dubbed the Secure Elections Act, would set up a grant program to assist states in securing their systems and solidify some of the federal-state initiatives begun by the DHS.
“I would like to see Congress hold hearings on that and pass it along with additional appropriations,” Schneider says.
Whether it passes, and in what form, still remains to be seen.