Hacking elections is easy, says critical infrastructure group
Next month’s presidential election is the most divisive in living memory. It is also the one most certain to face a cyber attack - which could conceivably swing its outcome.
That’s the alarming consensus emerging in Washington DC as political commentators ponder the the consequences of a re-run over the “hanging chads” fiasco in Florida in 2000. Yet the technology picked to replace the old punchcard voting machines has its own vulnerabilities: in particular being open to invisible sabotage.
Potential attackers range from hostile governments - Russia has already attempted to alter election outcomes in Ukraine by targeting software used to aggregate votes - to foreign terrorist groups and home grown libertarian lone wolves.
In a series of reports called Hacking Elections Is Easy, the Institute for Critical Infrastructure Technology (ICIT), a US think tank, points out that cyber attack on different aspects of the election process does not require sophisticated actors or technology.
“Any hacker with enough time, a basic ability to navigate Deepweb, and access to YouTube, can impact public perceptions, control political conversations, and undermine the democratic process,” the study warns.
By focusing on the machines in swing regions of swing states, “an election can be hacked without drawing considerable notice”. In a tight contest, a US president could be chosen by a handful of votes - as little as 400, in the case of George Bush’s victory over Al Gore in 2000.
Ironically, part of the problem is the technology introduced to overcome the problems caused by punchcard voting machines. In 2002, Congress provided $4 billion to incentivise all 50 states into upgrading voting machines to e-voting systems of one form or another. For the 2016 election, the US will use 36 different systems from 15 manufacturers, including Premier/ Diebold, Sequoia, ES&S, Microvote General Corporation, and Hart Intercivic.
In theory, the multiplicity of systems and the fact they are not connected to the internet provides some security. However, ICIT says the view is profoundly mistaken. At least 43 states rely on voting machines which are at least 10 years old, running obsolete proprietary operating systems for which vulnerabilities are widely available to be downloaded for free from Deepnet.
“Manufacturers and voting officials have constructed an illusion of security based on the semblance of complexity when, in reality, voting machines are neither secure or complex. In general, these stripped down computers utilising outdated operating systems possess virtually every conceivable vulnerability that a device can have,” the study says.
In addition, the lack of security at public polling places creates ample opportunity for tampering. “Elections are held in the same churches and schools that are regularly victimised by malware and run by the same retirees and secretaries who regularly fall prey to phishing emails.”
ICIT notes that, even before voting begins: “Catastrophically disrupting the campaign of just about any political candidate can be done with little more than a DDoS attack on fundraising links and web properties, spam widgets on social media platforms, an insider threat who delivers a malicious payload on a USB drive or unsuspectingly by clicking a link in a spear phishing email, and a ransomware variant to encrypt important donor lists to further cripple fundraising.
"A pseudo tech savvy adversary could create a network of spoofed sites to confuse voters, and this is just the beginning. By combining attack vectors and layering attacks, an adversary can manipulate the democratic process by inciting chaos, imbuing suspicion, or altering results.”
Too late to change
Despite well publicised vulnerabilities, there is little political pressure in the US to improve voting security. Security researcher Matt Blaze comments: “We tend to have this discussion a few months before general elections, when it's too late to make substantive changes. Basically, public concern about e-voting integrity peaks at roughly the point when the choice is, use existing tech or postpone the election.”
It is possible that if November’s highly charged presidential race produces a close result, election security will climb up the agenda. However, the very passions that may be aroused could make rational policy-making difficult.
In the meantime, ICIT says that the prospect of attack in 2016 is more likely than not: “Why wouldn’t an enemy nation state try to corrupt the United States elections if all it cost were a few hundred dollars and a few hours of work?”