NEWS ANALYSIS— -- After reports of alleged Russian hacking into Democratic Party computer networks, some commentators have suggested that the Russians could hack the results of the U.S. elections. Other analysts have, well before this year’s campaign, suggested that election results in the U.S. could be electronically manipulated, including by our fellow Americans. So could an American election’s outcome be altered by a malicious actor on a computer keyboard?
I have had three jobs that, together, taught me at least one thing: If it’s a computer, it can be hacked. For Presidents Bill Clinton and George W. Bush, I served as the White House senior cybersecurity policy adviser. For President Barack Obama, I served on his five-person post–Edward Snowden investigative group on the National Security Agency, intelligence and technology. And for over a decade I have advised American corporations on cybersecurity.
Those experiences confirm my belief that if sophisticated hackers want to get into any computer or electronic device, even one that is not connected to the internet, they can do so.
The U.S., according to media reports, hacked in to the Iranian nuclear centrifuge control system even though the entire system was air-gapped from the internet. The Russians, according to authoritative accounts, hacked into the Pentagon’s SIPRNet, a secret-level system separate from the internet. North Koreans, computer forensics experts have told me, penetrated SWIFT, the international banking exchange system. Iranians allegedly wiped clean all software on over 30,000 devices in the Aramco oil company. The White House, the State Department and your local fast food joint have all been hacked. Need I go on?
Now consider that a majority of states use some kind of combination of electronic voting and a type of paper trail, but there is no standard nationwide. In most states the data that are used to determine who won an election are processed by networked, computerized devices. There are almost no locations that exclusively use paper ballots. Some states allow direct from home voting over the internet. Others employ electronic voting machines that produce no paper trail, therefore there is nothing to count or recount and no way to ensure that what a voter intended is what was recorded and transmitted.
Some systems produce a paper ballot of record, but that paper is kept only for a recount; votes are recorded by a machine such as an optical scanner and then stored as electronic digits. The counting of the paper ballots of record — when there are such things — is exceedingly rare and is almost never done for verification in the absence of a recount demand.
The verification systems in place in most states can check only two things well. First, they can provide a basis for comparing the number of people who showed up and were allowed to vote at a location with the voter total reported at the end of the day by that precinct. Second, they can compare the total votes for a candidate reported by each precinct to the state capital against the number that the capital says it received from each location.
What they cannot verify without counting paper ballots (if they exist at all) is that your vote for Candidate A showed up in the electronic device tabulating the totals as a vote for Candidate A. The process of recording which person got your vote can — almost always — be hacked.
The ways to hack the election are straightforward and are only slight variants of computer system attacks that we see every day in the private sector and on government networks in the U.S. and elsewhere around the world. Malware can be implanted on voting machines. Almost none of these machines have any kind of malware detection software like those used at major corporations and government agencies. Even if they did, many of those cybersecurity tools are regularly defeated by today’s sophisticated hackers.
At this year's Black Hat cybersecurity conference, the cybersecurity firm Symtantec had a voting booth to demonstrate the various ways to trick the system.
In America’s often close elections, a little manipulation could go a long way.
In 2000 and 2004, there were only a handful of battleground states that determined which presidential candidate had enough Electoral College votes to win. A slight alteration of the vote in some swing precincts in swing states might not raise suspicion. Smart malware can be programmed to switch only a small percentage of votes from what the voters intended. That may be all that is needed, and that malware can also be programmed to erase itself after it does its job, so there might be no trace it ever happened.
I have to emphasize that we have no evidence that such hacking has ever taken place in the U.S. or that it is about to occur. What we do know is that it could happen. There is nothing to stop it from happening in many parts of the country, and there is not even an effort to see if it is happening.
It does not have to be this way. Congress could create voting security standards for the election of its members and of the president. It has not done so, leaving it instead to the states to protect the integrity of the democratic process.
Minimal election security standards could be simply stated: 1) No vote recording machine shall be connected electronically to any network — including but not limited to local area networks (LANs), Wi-Fi, the internet and virtual private networks (VPNs). 2) Every voting machine must create a paper copy of each vote recorded, and those paper copies must be kept secured for at least a year. 3) A verification audit by sampling shall be conducted within 90 days on a statistically significant level by professional auditors to compare the paper ballots of record with the results recorded and reported.
There are other things that would be nice to have to provide additional levels of assurance. One of the best ideas is that the software used to run voting machines be restricted to open source applications, whose code could be publicly examined. Another proposal that makes sense is that voting machines be required to run a certified malware detection software application before, during and after the voting process.
Some states will, of course, say that there is no risk justifying these proposals. (Many of the states that will claim this will be the same states that passed voter ID fraud laws although there was no evidence of any significant voter fraud.) They will claim that it is not the federal government’s job to regulate the democratic election of federal officials. Finally, many states will protest that verifying our democratic processes would be too expensive for them. That last complaint could be answered by Congress’ paying for its own elections and for the president’s.
If someone makes the charge after this election that the results were altered by hackers, our country has almost no way of credibly refuting that claim. Thus American voters will have no way to know if they can trust the results of the election, unless it is a landslide, so large that it seems unlikely that the winning margin was purely the result of malicious activity.
In any close election, because we have not done the simple things that could protect the integrity of our democratic process, there will be room for doubt.