If you go to your polling place on Election Day in full faith that your vote will be counted, you obviously didn’t see Kill Chain, the new HBO documentary about election security in the United States.
The eye-opening film will forever shake your confidence in how we vote, how vulnerable our systems are to hacking and other malicious actions, and the state of our democracy.
We’re all familiar with how Russians sowed disinformation through Facebook and Instagram in 2016 and to this day—and if you’re someone who pays a little attention to election security, you might remember headlines about how some state officials uncovered evidence of attempts by Russian hackers to get access to their voting systems.
We’ve always been told that these efforts failed and that not a single vote was changed.
The truth is a lot more disturbing.
Kill Chain reveals that individuals and foreign states used low-cost techniques to gain access to voting systems in every state. Just before the 2016 election, the FBI alerted Florida election officials that a foreign state had targeted a vendor that runs voter registration in eight states. At the same time, a Russian-speaking hacker named—you can’t make this up—Rasputin hacked into the Election Assistance Commission, an advisory group that maintains real-time data on every state in the country. The film also shows how vulnerable and aged systems, such as one hacked by cybersecurity researcher Harri Hursti back in 2005, are still being used across the country in the 2020 election. In fact, Hursti was able to buy numerous AccuVote TSA machines that will be used in this year’s election on eBay. The filmmakers also interview a hacker in India who gained full access to Alaska’s voting system on Election Day in 2016 and could have easily changed vote totals or deleted any candidate.
In the end, Hursti advises viewers to think of the dozens of seemingly unrelated security breaches in recent years as part of a “kill chain,” a military term for a long-game strategy that seeks to undermine the public’s trust in elections.
As the country grapples with the coronavirus crisis, which has upended the 2020 election in ways that could impact turnout and the voting process, I spoke to director Sarah Teale and Hursti, who plays a major role in the documentary, to discuss the film’s revelations and their significance for the future of our democracy.
How do you think the current coronavirus crisis could impact election security? Not in terms of misinformation, but in terms of cyberattacks that take advantage of the fact that we’re all distracted and changes to the voting process that are less secure?
Harri Hursti: We’re seeing malware for mobile phones that come through texts or emails purporting to be coronavirus maps. Those enable a malicious payload to be downloaded, whether it’s stealing credentials or enabling bank fraud.
There already are proposals to increase voting by mail and mobile voting, though there are lots of vulnerabilities with mobile voting. What are the benefits and risks of those methods?
HH: There is no secure way to do mobile voting right now. We don’t have the technology to make mobile voting or online voting possible–the underlying basic issues are the same ones that challenge digital cash technology. Mobile voting involves secret ballots and auditability and digital cash involves anonymity and auditability. At this point, top researchers tell me that they think those issues can be solved, but not in their lifetimes, so in 40 to 50 years.
I’ve seen a discussion in a number of places about doing voting by mail, doing everything by absentee ballots. That’s not optimal but it’s 10 times better than mobile voting.
Sarah Teale: Hopefully, they will move more to paper ballots and mail-in voting, which would be the better way to go. And hopefully this film will be seen by people who run elections and they will be a little more nervous about online voting.
For voters who aren’t familiar with election security issues, what are the biggest takeaways of the film?
ST: The biggest takeaway is that we really need to move, state-by-state, to risk-limiting audits—to audit just a percentage of every single election. If it’s clear, we just have to audit a tiny percentage of votes. And if it’s not clear, you keep going until it is clear who has really won. So it might mean that you only hand-count a few, but you always randomly hand-count a few.
And paper ballots. It’s too important. There’s no machine that is completely secure—as Harry likes to say, everything is hackable. You’re sending from every precinct to a central system and you’re sending those results by the internet. That has to stop. In New York, the paper ballots—the paper itself—gets delivered to the central counter by police van, if you can believe it. But the digital version goes via the internet to the central counter and nobody ever looks at the paper. So, what’s the point?
HH: The hack of the Election Assistance Commission was extremely troubling, more so than people realize. It’s a clearinghouse of all the information that state election officials are processing–it’s standard practice in the criminal underworld that you download everything and then sell off bits, like access credentials, separately. And they’re not expensive. It’s not like Dr. Evil in Austin Powers demanding millions of dollars. [Russian-speaking hacker] Rasputin was seeking $5,000 for credentials.
Why can’t states build their own machines, instead of relying on these private companies, which are secretive about their technology, consistently refuse to allow access to cybersecurity researchers, and often are prone to corrupt deals with politicians?
HH: What’s reasonable would be to use public funding to build an open-source voting system, which is free to use by everyone who wants to use it. Companies would still have an opportunity to do business and make money. The current system is so old and outdated that maintaining the machines is extremely expensive.
What you need to use are hand-marked paper ballots. In most of Europe, they’ve dropped voting machines and are using paper ballots, and using computers at the tail end of the process to count the paper.
ST: I don’t understand why they can’t build their own machines. Actually, you could just go to Staples and buy a scanner off the shelf. Not hard, right? These are pretty simple machines. They could just go to paper and store-bought scanners.
There have been a lot of stories about the voting machine companies taking people on junkets to Las Vegas. A lot of backhand deals, that sort of thing.
Is the system in better shape, in terms of election security, than it was in 2016?
HH: There have been improvements because more states and jurisdictions have moved into paper ballots, so when it comes to the actual casting of the ballots. But what is not getting better is the new technology from new vendors who don’t have history in this area. So, overall security has been going down and the malicious actors have gotten smarter and have better tools at their disposal. It’s been a lost opportunity since 2016 to try to make a bigger overhaul of the system. There’s lot of denial in this area, with voting machine companies claiming there has been no problem.