Two Years After the Presidential Election Hack: Can Our Election Systems Be Trusted?
By Balakrishnan Dasarathy, Ph.D.
In October 2016, as a lead-in to the November presidential election, I posted a blog that examined whether or not our election systems could be hacked. Back then I said that the short answer was, “yes, it’s possible,” but unlikely that the effect of a breach would be catastrophic.
As we approach the 2018 mid-term elections this November, it’s a good time to revisit this question. Since 2016, we have more information on the attacks, how they happened, who was behind them and what steps various government entities are taking to help ensure election security moving forward.
To answer this question thoroughly, we must understand the various systems supporting our elections. That’s because an election isn’t a single event in isolation, but rather a series of events taking place within interconnected systems—campaign, voter registration, voting or ballot-casting and vote-tallying systems—all working together to make up our election system, as illustrated in the following figure:
A closer examination of each constituent system depicted gives a more complete picture of the prospect—and ramifications—of an election hack.
We also must understand external entities, specifically social media, which are not technically parts of election systems, but could have undue influence on the outcome of an election, as we have seen with the 2016 presidential election.
First, let’s examine campaign systems. They periodically obtain voter information from voter registration systems at the state and county levels to support canvassing, fundraising and compliance-reporting functions. In general, such systems maintained by a political party or candidate are not cyber-attack proof because they normally allow various forms of Internet and remote access, including browser-based, email and command-line access.
But campaign systems do not send information back to voter-registration or the ballot or tallying systems. That is a good thing. If these systems were to be exploited, as in the case of the Democratic National Committee (DNC) systems that were hacked with the support of the Russian government, the integrity of the voter registration database would not be automatically compromised or affect the votes cast or tallied. However, an attack or even the persistent threat of an attack can sow mistrust and might even result in voters changing their minds when picking a candidate or a political party to support.
The primary motivation for hacking the systems maintained by the Democratic Party in 2016 was to hurt Hillary Clinton’s candidacy both in the Democratic primary race and against Donald Trump in the general election, according to recent coverage in The New York Times and The Washington Post of the Mueller and CIA investigations into Russian election hacking.
After the 2016 election, Democratic and Republican Party officials alike are certainly taking the security of their systems seriously. The DNC, for example, has hired two well-known technology and cybersecurity experts, Raffi Krikorian and Bob Lord, as CTO and CISO, respectively. Their jobs are to fundamentally change the cybersecurity culture and beef up security of the DNC’s general and campaign systems at the national and local levels. For their part, the Republican National Committee (RNC) tech personnel are also enhancing security with activities such as increasing resiliency against phishing attacks, conducting cybersecurity training for staff and implementing two-factor authentication for their systems.
Next, state voter registration systems allow eligible voters to register online and, in addition, acquire registered-voter information from other state-maintained systems, such as the Registry of Motor Vehicles. In general, then, voter-registration systems also are not cyber-attack proof. Voter files were lifted from voter-registration systems in Arizona and Illinois, for instance. Just recently, in Georgia, a private researcher discovered that the records of more than six million registered voters in the state as well as password files and encryption keys could be accessed online by anyone looking.
Initially, it was thought that individual actors seeking critical information to create identities and commit credit card and other financial fraud were behind the voter-registration system breaches. We also now know the attack on the Illinois voter-registration systems—and likely other state systems as well—was carried out by Russian agents, primarily to sow distrust in the minds of voters and make them lose confidence in our election process and outcomes.
The hackers in the Illinois case employed a well-known attack technique known as SQL Injection, most likely using stolen or easily guessable passwords—certainly not rocket science. The good news is that Illinois has since put in place many effective mechanisms, including enhanced password requirements, two-factor authentication, better firewall rules and technology to prevent repeated intrusion attempts. Every state and local government should put into effect these types of simple yet effective techniques to bolster the defense of their voter registration system.
Finally, our voting or balloting systems are not connected to the Internet, at least during voting, and that prevents them from being hacked. Isolating voting machines from the Internet was one of the most important recommendations made by the Department of Homeland Security (DHS).
A smart card with a memory chip containing a vote-total report is ejected from a voting machine, and this card with cryptographically protected data is then securely handed over to a central location that houses vote tally systems. The vote report may also be transferred in a magnetic medium or secure wireline or wireless connection.
Though these central-location systems themselves may be vulnerable, because there are few of them, it’s possible to mitigate the prospect of a hack by practicing good “cyber hygiene,” which includes using long and complex passwords, updating virus definitions, running security scans, updating software and backing up data. Those central locations should also be protected with good physical security features such as smart-card access, video surveillance, and two-factor authentication for all users and the logging of all activities.
By keeping proper records of voter tallies in all precincts, any breach of these systems or in the data handover can be detected, and its effects can be nullified during vote review and certification.
Although 30 states allow online voting, its scope is limited. For example, in 20 states and the District of Columbia, only certain voters living abroad will be allowed to return their absentee ballots via email or fax.
A Question of Trust
So what have we learned since the 2016 election? For starters, we have learned a lot about who hacked various systems and what motivated them. Prior to 2016, we emphasized securing ballot systems and vote-tallying systems by not connecting them to the Internet, by transferring data in a secure manner, and by generally limiting physical access to these machines.
But, mainly, we have learned that these measures are not enough. We need to secure every system involved in—and every process associated with—our elections for citizens to keep their faith in the fairness of our election system and, thus, in our democracy.
Arguably, the critical question we should be asking after the 2016 election hack is: “Should U.S. citizens trust our election results?”
Prior to the 2016 general election, about 34 percent of likely voters believed that the election could be rigged, according to a Bloomberg Politics Poll. The Russian state actors who hacked DNC systems and voter registration systems in various states have succeeded too well in sowing distrust. It is likely that more people have lost faith in our election outcome since the 2016 presidential race.
The pressing issue is not just one of balloting and vote-tallying systems information security. It is about assurance and the trustworthiness of all voting-related systems and processes.
There is no direct evidence that Russian hackers manipulated the voter rolls in the 2016 election, but this does not mean a cyberattack will not lead to such manipulation next time. There should be concern that hackers might attempt to delete or manipulate voter rolls, thus disrupting elections by causing long lines at the polls and delays in vote counting.
In addition, though registered voters whose names are missing from the voter rolls may exercise the right to cast a provisional ballot, there is no guarantee that that vote will be counted. It should be stressed, though, that the impact of voter-roll manipulation could be minimized. A process should and can be put in place to detect, daily, any alteration to the voter database. Also, the voter-registration deadline occurs several weeks in advance of an election, allowing plenty of time to detect and correct any voter-roll hacks.
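The daily alteration check described above could look like the following sketch. It is an added example, not code from the article or from any state's system; the record fields, the set of authorized changes and the manifest key are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample snapshots of a voter roll, keyed by voter ID (not real data).
YESTERDAY = {
    "V001": {"name": "A. Ruiz", "precinct": "P-04", "status": "active"},
    "V002": {"name": "B. Chen", "precinct": "P-04", "status": "active"},
    "V003": {"name": "C. Okoye", "precinct": "P-11", "status": "active"},
    "V004": {"name": "D. Novak", "precinct": "P-11", "status": "active"},
}
TODAY = {
    "V001": {"name": "A. Ruiz", "precinct": "P-04", "status": "active"},
    "V002": {"name": "B. Chen", "precinct": "P-07", "status": "active"},     # moved
    "V003": {"name": "C. Okoye", "precinct": "P-11", "status": "inactive"},  # altered
    "V005": {"name": "E. Haddad", "precinct": "P-07", "status": "active"},   # new
}
# Assumed: voter IDs that the day's registration workflow legitimately touched.
AUTHORIZED_CHANGES = {"V002", "V005"}
# Assumed: key kept off the database host, so an intruder who edits the roll
# cannot also forge a matching manifest.
MANIFEST_KEY = b"constructed-demo-key"


def build_manifest(key, roll):
    """Map each voter ID to an HMAC-SHA256 over its canonical JSON record."""
    manifest = {}
    for voter_id, record in roll.items():
        canonical = json.dumps([voter_id, record], sort_keys=True).encode()
        manifest[voter_id] = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return manifest


def diff_manifests(old, new):
    """Classify differences between two daily manifests."""
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(v for v in old.keys() & new.keys()
                           if not hmac.compare_digest(old[v], new[v])),
    }


def unexplained_changes(diff, authorized):
    """Return (voter_id, kind) pairs with no matching authorized change."""
    return sorted((v, kind) for kind, ids in diff.items()
                  for v in ids if v not in authorized)
```

Anything returned by `unexplained_changes` is a record that changed without a corresponding entry in the registration workflow and should be reviewed before the roll is finalized.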
Rigging an election by tampering with voting machines would be nearly impossible if adequate processes are put in place. For starters, a public test of a voting machine in every polling booth and every tallying system should be conducted before each election to ensure that it is functioning as expected, and to assure the public that these systems can be trusted. However, we need to monitor access to these machines during each demonstration to prevent bad-actor incidents, such as the injection of malware using a thumb drive.
The diversity of vendors also helps with election security. Voting machines used throughout the country come from different vendors—all with different proprietary operating systems and voting application software, which makes an election hard to manipulate in any coordinated way. We should continue to maintain diversity in voting machines.
One other major voting-system concern exists at present. In some states, many direct-recording electronic (DRE) voting machines that do not produce any paper record remain in use. Georgia and New Jersey are two examples here.
When a voter pushes a button or lever, a DRE machine records voting data in its volatile memory components. At the end of—or a few times during—the election day, the DRE machine produces a tabulation of voting data to a removable memory component, such as a thumb drive. In the case of a machine failure, however, the contents of the volatile memory will be lost if there is no paper trail back-up. Some DRE machines in use are old, so patches for operating systems may not even be available for them. This certainly puts such machines at risk for crashes and lost votes.
Trustworthiness demands that we maintain a paper trail, that officials and party representatives verify all voting systems are working, and that all tally results in each precinct—or at least randomly selected precincts—are reviewed with paper ballots.
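One way to carry out the review of randomly selected precincts against paper ballots, as an added example that is not from the article or any election authority. The precinct IDs, tallies and public seed are constructed, and ranking precincts by hash is an illustrative choice of selection method.

```python
import hashlib

# Constructed data: machine-reported totals and hand counts of paper ballots.
REPORTED = {
    "P-01": {"Candidate A": 412, "Candidate B": 388},
    "P-02": {"Candidate A": 275, "Candidate B": 301},
    "P-03": {"Candidate A": 510, "Candidate B": 497},
    "P-04": {"Candidate A": 198, "Candidate B": 230},
}
PAPER = {
    "P-01": {"Candidate A": 412, "Candidate B": 388},
    "P-02": {"Candidate A": 275, "Candidate B": 301},
    "P-03": {"Candidate A": 498, "Candidate B": 509},  # differs from the report
    "P-04": {"Candidate A": 198, "Candidate B": 230},
}


def select_precincts(precinct_ids, seed, count):
    """Rank precincts by SHA-256(seed | id) and take the first `count`.

    Anyone who knows the seed (assumed to be generated in public after the
    tallies are committed) can reproduce the selection.
    """
    def rank(pid):
        return hashlib.sha256(f"{seed}|{pid}".encode()).hexdigest()
    return sorted(precinct_ids, key=rank)[:count]


def audit(reported, paper, selected):
    """Return {precinct: {choice: (reported, paper)}} for every mismatch."""
    findings = {}
    for pid in selected:
        if pid not in paper:
            # A machine with no paper trail cannot be reviewed at all.
            findings[pid] = {"*": ("reported", "no paper record")}
            continue
        choices = reported[pid].keys() | paper[pid].keys()
        delta = {c: (reported[pid].get(c, 0), paper[pid].get(c, 0))
                 for c in sorted(choices)
                 if reported[pid].get(c, 0) != paper[pid].get(c, 0)}
        if delta:
            findings[pid] = delta
    return findings
```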
There are also factors external to election systems that state actors, specifically Russians, continue to leverage to affect our election processes and shake trust in our elections, such as social network campaigns launched from Russian accounts designed to convince voters to support—or reject—a certain candidate, political party or issue.
On October 3, 2017, CNN reported that a number of Russia-linked Facebook ads were geographically targeted to reach residents of Michigan and Wisconsin. President Trump defeated Clinton by a narrow margin in both battleground states. Social media companies such as Facebook, Twitter and Tumblr continually must be vigilant in identifying and preventing such postings from foreign accounts to mitigate their influence and sway over voters.
In addition, Microsoft recently reported the creation of fake sites by a group affiliated with the Russian government. Fake sites are likely to be used in spear-phishing attacks on users who are only too trusting, and it’s vital that our information and network technology enterprises remain vigilant in detecting and removing them.
The bottom line is that many of our government and private institutions have learned a lot about what went wrong with the 2016 presidential election, but more must be done to protect our election systems and maintain the trust of voters. As an important first step, Congress should immediately pass the bipartisan Secure Elections Act, which mandates a paper trail and post-election audits, and also includes voluntary cybersecurity guidelines for states. Congress also needs to set aside money for states to comply with this bill if it were to become a law.
The cybersecurity of our election systems and trustworthiness of our election processes are certainly getting more attention, and many of the right steps are being taken to help ensure systems integrity—and our trust. But, as we approach the 2018 mid-term elections, a good question to ask now is this:
Are we doing enough to make citizens believe in the fairness of our elections?
About the Author
Balakrishnan Dasarathy, Ph.D., is professor and program chair of Cybersecurity and Information Assurance at University of Maryland University College (UMUC). Prior to joining UMUC in September 2012, he spent 30 years in industry R&D. He has worked in both telecommunications—at GTE Laboratories, now part of Verizon, and at Bellcore and Telcordia, now part of Ericsson—and in finance at JP Morgan. Dasarathy has applied his information assurance, cybersecurity, software and network engineering skills to commercial and military systems. He has published extensively in the areas of information assurance, communication networks, middleware and distributed computing. Dasarathy received his doctorate in computer and information science from the Ohio State University and is a Certified Information Systems Security Professional (CISSP).