It won’t take Russian hackers or a wide-scale attack to undermine the November election, cyber security experts warn. What they fear most is something far easier to pull off: Smaller, targeted attacks on a few voting systems that create widespread doubt among voters.
In the age of social media, even a small cyber-attack could explode into chaos by casting doubt on the election’s integrity, experts warn.
“Today we have social media, where a lie can circle the globe before the truth can reach the keyboard,” said Gregory Miller, co-founder of the Silicon Valley non-profit OSET Institute. “It doesn’t take very long for incredible chaos to break out over the presumption that something has gone wrong.”
Both President Obama and the FBI have warned of possible tampering with this year’s election process. Miller says that sets the stage for potential turmoil with or without an actual attack on Election Day.
In July, state-backed Russian hackers successfully stole and published embarrassing DNC emails, prompting concerns that outside forces were attempting to influence the election.
The following month, the Federal Bureau of Investigation issued warnings to county election officials after illicit attempts to gain access to voter registration information in Illinois and Arizona.
And on Monday, a domestic hacker going by the pseudonym “Fear” claims to have gained access to a trove of state databases from across the country, including voter registration information. Though the exact nature of the alleged hack remains, Miller says the claim alone is enough to get the internet-fueled echo chamber firing on all cylinders.
“We are actually concerned about social hacking than we are about physical or digital hacking,” Miller said. “Because it only takes the prospect that there’s been tampering.”
When referring to the term “social hacking,” Miller says he means spreading misinformation that the election has been rigged or manipulated in some way. He says it’s easy to do – as simple as making false claims on social media that a voting machine cast the wrong vote.
But Miller also says electronic voting systems themselves can be vulnerable.
The electronic machines still in use today are the same systems purchased by counties throughout the United States after the hanging chad debacle in Florida during the 2000 presidential election. Elections officials began buying the new PC computer -based system with funds provided by the Help America Vote Act, passed by Congress to avoid a repeat of the 2000 election problems. Those issues are why Miller co-founded the OSET Institute in the first place, a nonprofit election research and development institute created to increase confidence in elections and their outcomes.
Doctor Herb Lin, Senior Research Scholar for Cyber Policy and Security at Stanford University, fears the prospect of contested elections across the country. Losers of close races, he said, might be tempted to challenge vote counts by claiming the system may have been hacked. It could be especially problematic in local elections decided by a small number of votes.
“Nobody [in the U.S.] is willing to say, ‘No, no, the majority was wrong!” Lin said. “But they are willing to say, ‘I was robbed! I was cheated!’ At least one candidate is talking about a rigged election right now.”
Like Miller, Lin agrees the perception of a hack on Election Day alone could cause mayhem.
“Do you really need a large-scale attack to wreak havoc on the system?” Lin said. “Do you have to hack thousands of voting machines? Probably not. Probably all you need to do is hack a few and prove that they were hacked. Then you start saying, ‘how do you know about these other guys?’”
It’s been proven time and time again that individual voting machines can indeed be hacked. Just ask UC Davis professor Matt Bishop, who co-directs the University’s Computer Security Lab. In 2007, California Secretary of State Deborah Bowen tasked Bishop to lead a team of faculty and grad students to test the security of three electronic voting systems that were being used in California.
“We were able to compromise the accuracy and security of the machines fairly quickly,” Bishop said.
Bishop said potential hackers with more resources could likely do it even faster.
“It wasn’t particularly hard,” Bishop said. “The students were able to do it fairly quickly. We had two-and-a-half weeks, and given access to the machines, we were able to compromise all of them completely.”
When Bishop’s team proved the systems were vulnerable, Bowen decertified the machines until additional security was added.
For Lin, who said hackers would probably only need to compromise a few machines to impact the election, that’s troubling.
“As good as our graduate students are, I don’t think they’re as good as the FSB,” Lin said. “The FSB are pretty good at this stuff. Russian hackers are first rate. At the very least, it has to be secure against graduate students.”
“This election, I believe, is going to test this system to its full extent,” Miller said. “It’s a system that relies on a diet of spare parts and software patches.”
The OSET Institute is in the process of developing elections software they say will address the problems created by the ancient voting systems in place today. The initiative, called the “Trust the Vote Project,” seeks to create an operating system that will run the electronic voting systems of the near future. Miller said the software will be secure, transparent, and publicly-owned.
California Secretary of State Alex Padilla agrees voting systems need to be replaced in California. The machines, based on technology from the late 1990’s, are ancient by technological standards. Padilla likens using these old voting machines to using a cell phone or personal computer from the 1990’s or early 2000’s.
The machines tend to break down, don’t offer a great voting experience, and could be more transparent and secure, Padilla said. Although Padilla says election officials need to stay one step ahead of nefarious actors, he says a substantial hack in November is unlikely.
“California has among the strictest security standards for voting systems anywhere in the country,” Padilla said. “So I feel very confident in saying this election will not be hacked.”
By law, voting machines in California can’t be connected to the internet, meaning a hacker would need physical access to each machine they want to infect. Every voting machine in California also generates a paper trail, which could be compared to the computer vote tally in the event there were any concerns. Padilla said those protections are enough to safeguard the system against would be cyber intruders.
“If there’s a failure in our election system, it won’t be because of a systematic hack or widespread compromising of our elections systems,” Padilla said. “What we hope to avoid is just machines getting old.”
But Miller said his team has demonstrated that even machines not connected to the Internet can be vulnerable to the right attack.
“It’s not possible, I think, to know what’s happening in all (58) counties to the level of being able to say, ‘I guarantee it,’” Miller said. “You want to say that. You have to say that.”
Even so, Padilla said he’s more concerned with voter turnout than he is a cyber-attack.
“We’re just a couple months now from November’s general election and still close to seven million people who are eligible to vote are not registered.”