Vote hacking is a legitimate concern, and election officials need to take it seriously.
Right alongside immigration, healthcare, and the minimum wage, cyber security has emerged as a major – and contentious – issue in this year’s presidential election. First, the Democratic National Convention’s email server was hacked, and thousands of embarrassing emails were published on WikiLeaks. Now, concerns about vote hacking have arisen in light of breaches of voter databases in Illinois and Arizona, which compromised the personal information of as many as 200,000 voters.
It’s important to note that these breaches involved state voter databases, not voting machines themselves, and there is no evidence to suggest that cyber criminals have ever managed to breach voting machines. Even so, American voters are understandably concerned as they prepare to go to the polls. Recent studies on voting machine cyber security have produced disturbing results, including one by Princeton researchers that found some machines to be less secure than iPhones; another study shows that nearly all Americans are “unsettled” about data breaches in general; and GOP candidate Donald Trump has suggested that the election could be “rigged” and encouraged his supporters to “monitor the polls.”
The notion that cyber criminals could influence the outcome of an election is a legitimate concern that must be addressed with proactive cyber security.
How safe are voting machines?
Unfortunately, not very. Many voting machines are very old, dating back to just after the infamous Bush-Gore race of 2000, when they were – ironically – embraced as an allegedly “safer” and “more accurate” alternative to paper votes. Those claims may have been true when the machines were first built, but voting machines run on computers, and computers need to be updated. Many voting machines never were. Thus, there are situations where voting machines still run antiquated, unsupported systems such as Windows 2000 and XP. Even worse, some machines provide no paper audit trail, which means that allegations of vote hacking can be neither proven nor disproven.
Some election officials argue that voting machines are generally not connected to the internet, thus enjoying “security through isolation.” But “security through isolation” is no match for a determined cyber criminal; the Stuxnet virus made its way into an air-gapped industrial control system at an Iranian nuclear plant through an infected thumb drive brought into the facility by a malicious insider.
Others who seek to downplay the possibility of vote hacking point to the logistics of manually installing malware; there are tens of thousands of voting machines across the U.S., and getting to every one of them would be nearly impossible. However, it would not be necessary to compromise every single voting machine in the country to alter the election results. Cyber criminals could focus on swing states, and then hone their targets even further to specific voting districts where the results are expected to be very close.
Vote hacking isn’t the only way to influence the election or call the results into question.
Hackers could also choose not to hack votes at all, and instead seek to cause enough havoc to discourage some Americans from voting and sow widespread doubt regarding the election results. Cyber criminals could, for example, delete or alter voter registration data, which would prevent some voters from being able to cast ballots. They could also launch Election Night DDoS attacks on polling places that use the internet to verify voter records, or hack media feeds and prevent news networks from accessing exit poll information and election returns.
Election officials need to take proactive cyber security measures immediately.
Two bills recently introduced by Rep. Hank Johnson (D-Ga.), the Election Integrity Act of 2016 and the Election Infrastructure and Security Promotion Act of 2016, are a good first step to combat allegations of vote hacking. The first bill would address the cyber security vulnerabilities that make voting machines susceptible to vote hacking by prohibiting the machines from being connected to the internet and requiring regular audits, frequent software updates, and the ability to produce a paper audit trail. The second bill would designate voting machines as part of the nation’s critical infrastructure, which would put them under the authority of the Department of Homeland Security and in the same category as the U.S. power grid and water supply.
However, cyber security efforts cannot stop with voting machines; voter databases and polling places must be secured. Since election officials are not information security experts, the help of qualified cyber security experts should be sought to identify and patch vulnerabilities. In this volatile political climate, the integrity of our electoral system is a matter of national security. If American voters refuse to accept the legitimacy of November’s election results, irreparable damage could be done to our nation. Time is short, and election officials need to act immediately to secure voting machines, voter databases, and polling places, and reassure a nervous voting public.