Despite all the efforts in order to boost security, there is little doubt that cyber attacks can still hit vulnerable critical areas of the United States’ voting infrastructure.
In about seven months time (on November 6 to be precise), the American people will make their way to the polls in an effort to take part in the US congressional midterm elections.
That means, in the many months leading up to the contest, we are likely to see hordes of hackers from all corners of the world heading towards their keyboards to get to their own line of work.
That line of work will have these foreign hackers trying to influence the US congressional midterm election’s outcome.
But what will their efforts entail?
Let’s just say, their effort will probably include lots of things.
One can simply sum them up by saying that these foreign hackers will try to get inside the United States digital infrastructure which is responsible for supporting the US electoral process.
Of course, security agencies do know that foreign hackers will try to mess up the US congressional midterm elections.
But that isn’t enough to ignore a worrying (and perhaps rightly so) precedent here.
About a year ago, the United States Department of Homeland Security sent a notification to 21 US states informing them that bad actors from Russia had successfully targeted their existing elections systems in the many months that lead up to the eventual 2016 United States presidential election.
The Department of Homeland Security also mentioned that Russian operatives mainly did two things.
One, they scanned computer machines.
Two, they scanned networks.
For discovering security holes.
In other words, they did not try to take advantage of any security flaws that they discovered while trying to hack the US elections.
Even with that, this should not cause the security agencies in the country to show complacency on the issue.
United States Intelligence officials have already warned that Russian operatives will once again try to meddle with the US congressional midterm elections later this year.
Moreover, there is no guarantee that hackers from other neighboring (or otherwise) countries who are hostile to the United States won’t join the overall campaign.
This past week, both the Federal Bureau of Investigation and Department of Homeland Security mentioned that Russia had actually started to lay the groundwork for a broad cyber attack.
Russia will want for these cyber attacks to hit critical United States infrastructure.
This past year, we saw the Department of Homeland Security designate voting technology as a significant part of the country’s vital framework.
Russia doesn’t really need to hack the whole election in order to influence it.
It does not.
A decent interference in a handful of swing areas with close-run contests could actually prove enough to significantly undermine the confidence of the people in the country’s democratic process.
The University of Connecticut director of the Center for Voting Technology Research, Alexander Schwarzmann has cautioned against any complacency.
He told reporters that computers had made things a lot easier for hackers who wanted to influence US elections.
Hackers can now leverage computers to make tasks such as tampering with the US voting system much easier.
Moreover, now hackers can launch and finish off these tasks directly at the most critical and impactful of places.
All of this would eventually help countries hostile to the United States electoral process to influence marginal races.
That isn’t to say security firms in the country haven’t done their part.
In fact, ever since the 2016 United States presidential vote, security agencies and other concerned entities have done a lot in order to enhance election security.
The government has made sure that it significantly stepped up local and state official cybersecurity training.
Additionally, it has already created a body in order to share intelligence related to different threats.
Many reports have mentioned the fact that the United States Congress has managed to allocate $380 million to states recently.
States can use these funds in order to upgrade their aging and inefficient voting technologies.
This will hopefully allow them to perform more rigorous audits after the elections.
Such funds will no doubt help different states take additional steps in order to bolster their cyber defenses as well.
All of this does not mean that the US does not have to worry about any cyber attacks.
Just as security firms in the country have stepped up their game, so have the hackers.
Or at least this is what security firm in the country should assume.
There is little doubt about the fact that hacker will try to exploit all the intelligence that they gleaned from their previous attempts to influence US elections.
Let’s take a look at a brief overview of sorts of where and how could hackers accomplish the greatest amount of damage.
Voter Registration Systems
What’s The Technology.
Voter Registration systems are the systems that help to keep a clean digital record of any and all authorized voters in any given jurisdiction.
Concerned entities use voter registration systems to populate all the, what they call, poll books.
Election officials who are present at precinct polling stations make use of poll books in order to check US voters in.
Most of the time, these voter registration systems run on various desktop computer machines.
These computer machines use standard operating systems.
And these standard operating systems usually have vulnerabilities that hackers can exploit.
By making use of malicious code.
The other problem is that most of these computer machines that run voter registration systems are pretty old.
The Brennan Center of Justice at New York University Law School recently published a report about the problem.
It estimated that of all the states, around 41 still had not upgraded their voter registration systems which were built, at the very least, a full decade ago.
What Are The Risks?
Hackers who are smart enough could exploit these voter registration systems to erase voters and their entries.
They could also use the same systems to create new and fictitious vote entries.
After that, they could mail in votes in order to create more fake personas.
If hackers can carry out this type of attack at a large enough scale then they could easily give away the fact that someone might have tampered with the voting process.
In other words, security firms could spot such discrepancies.
Hence, hackers would not want to delete an entire voter database.
So what could hackers do instead?
They could carry out less blatant but more vicious manipulation.
This type of manipulation could prove harder for security firms to pick up before the actual day of the voting.
These are things that security firms need to take into account especially after what happened in the 2016 US presidential elections.
Back then Illinois had mentioned that hackers had actually successfully accessed the state’s voter registration system.
Interestingly enough, after accessing the voter registration system, hackers did not alter US voter data.
All that hackers did was to download some vote records.
About 76000 in number.
In order to assist US states to try and block such data breaches, the Department of Homeland Security has started to work with several of them.
The Department of Homeland Security has also started to conduct various types of security audits of all the systems that various states have in place.
What’s The Technology?
In a lot of US states, almost all of the precinct poll workers have to use poll books which are basically electronic poll books in the shape of a tablet.
To put it another way, they don’t use paper ones anymore.
Precinct poll workers use the poll book to verify all voters.
These tablet-like poll book machines usually have a connection to other poll book machines via a local network.
What Are The Risks?
Smart enough hackers could go ahead and target the local networks in order to gain vital access to the poll book machines.
After accessing the local network, it shouldn’t be hard for hackers to shut these poll books down.
They could even alter the data that is present on these poll books.
Perhaps that is the reason why most security experts have advised that any and all polling stations must develop backup plans and put them in a place where these backup plans allow polling stations to actually print out provisional ballots in the case of these poll book machines failing.
The poll book devices pose another problem as well:
A year ago, some security researchers discovered that eBay had one of these electronic poll books for sale that contained a trove of US voter data in its memory.
What’s The Technology?
Today, broadly speaking, the US makes use of two types/kinds of electronic voting machines.
There are optical-scan ballot readers.
These readers scan and then record paper ballots but only after voters have filled out these ballots.
The second type of electronic voting machine is the direct-recording electronic machines.
Or, in other words, DRE machines.
These direct-recording electronic machines first display ballot choices to the voter with the help of a screen.
Then these machines record the voter’s choices.
Everything is done electronically.
There are some models of DRE machines that can successfully generate paper records as well.
What Are The Risks?
The main problem with these machines is that most of these machines still run on operating systems which are old.
And that means most of these machines have known vulnerabilities or security flaws.
The other problem with these old machines is that their creators have long stopped rolling out any updates.
What does this do?
This makes these machines particularly weak and vulnerable to cyber attacks.
About a year ago, hobbyist hackers who attended the Defcon conference held in Las Vegas showed the crowd there how they managed to compromise a random number of different devices.
These hackers also summarized their experiences while doing so in a recent report.
Apart from that, more recently, a professor at the University of Michigan, Alex Halderman, managed to stage a mock US election.
Alex Halderman used student voters in order to show the audience how easy hackers would find it to hack voting machines.
And that’s not all.
There are many other types of risk with electronic voting machines.
One of the other dangers associated with electronic voting machines includes hackers possibly compromising all wireless modems.
Some electronic voting machines use wireless modems in order to transmit various type of voting data.
This is where some think that Optical-scan ballot readers are better than DRE machines.
Because in case something goes wrong, Optical-scan ballot reader machines at least have the option of falling back on original paper ballots.
This could prove especially useful if polling station staff suspect that hackers have compromised their systems.
In the case of direct-recording electronic machines, voters never really fill out a ballot with their hands.
This problem has led several election security experts in the country to believe that the government should scrap these types of electronic voting machines.
According to the deputy director of New York University Brennan Center, Lawrence Norden, about 13 US states still have not given up using paperless systems.
He recently remarked that he did not have any hope that most of those 13 states would successfully make changes before the election date, November 6.
Because, Norden added, they don’t have the required amount of time left now.
The other problem is that some US states rely very heavily on these electronic voting machines.
The ones worth a mention are,
- New Jersey
Some reports say that if things don’t change there is a great chance that these states would still use these vulnerable electronic voting machines for the 2020 United States presidential election.
Vote Tallying Along With Vote Reporting.
What’s The Technology?
Vote tallying and vote reporting systems typically run on machines which are running on standard operating systems and software applications.
And since they use standard operating systems, officials may use these devices for lots of other things.
Things that don’t have much to do with vote tallying and reporting US election results.
What Are The Risks?
Similarly to the case with computer machines that most US states use for voter registration, these machines also have vulnerabilities against various kinds of malicious codes and activities.
There is no doubt about the fact that hackers could try to exploit these machines.
Hackers could first identify such machines and then target them for the sole purpose of throwing a huge doubt on the general outcome of the upcoming US congressional midterm elections.
It is true that it may not sound all that likely.
But security experts have publicized their strong suspicions.
Suspicions which have led these security experts to believe that Russian operatives indeed launched cyber attacks which deleted various key files from the central election commission’s computer systems in Ukraine back in 2014.
Fortunately enough, authorities in Ukraine managed to restore all the data from their backups.
This particular section is a bit different from all the previous sections mentioned on this pages.
It is different in the sense that it will not highlight other malicious ways that hackers could use to cause a lot of havoc before, during and after November 6 elections.
Instead of that, this section is here in order to make a very specific point.
A point that the country is going to need robust post-election audits.
These audits will play a more vital role than ever before.
We’re living in a world where hackers have managed to gain the necessary skills to set their sights on everything including voting systems.
In the US, concerned authorities have already conducted audits on poll results.
Despite that, many security experts have started to lobby for a new kind of audits.
They are calling them, risk-limiting audits.
How are they different than usual audits?
Well, first they are more onerous.
Secondly, they are more open-ended when compared to traditional approaches.
These risk-limiting audits involve concerned authorities taking paper ballots and then tallying them.
But authorities have to take these from a random sample of precincts that is statistically significant.
After that, they can compare the results with the actual outcome of the given election that polling stations would calculate using nothing but electronic records.
For this to work, polling stations will have to generate paper ballots.
That would rule out a lot of DRE machines which some states still use.
This risk-limiting audit idea is a new one.
And perhaps that is why very few states have adopted it.
States that have adopted this idea include New Mexico and Colorado.
The other thing about the risk-limiting audit is that, it requires concerned authorities to conduct an audit of every contest.
And not just the ones which are close-runs.
If they discover discrepancies then authorities have to conduct additional manual counts.
This is a low-tech approach no doubt.
But it is also expensive and extensive.
Some may see this option as at odds with some of the high-tech advances.
However, one cannot negate the importance of robust checks which are vital to counterbalance hackers who are only growing in their power to undermine democracy.