Keeping Our Heads as We Approach the 2020 Election

Breath, everybody… breath. The 2020 election is approaching, and people are starting to hyperventilate about foreign hacker interference in the voting process. There is a threat, to be sure, but it may not look quite like what we fear the most.

For one thing, this is not a remotely new topic in the United States. Concerns about ballot box stuffing and election interference go back to the very beginning of the republic. Many colorful examples from our history can illuminate what’s happening today. For instance, in 1857, members of the American Party (who?), including people from the “Plug Uglies” (remember them? I don’t) caused sufficient mayhem at Washington DC polls that President Buchanan called out the Marines to quell the violence.

Yes, American politics and elections have always been sleazy, idiotic and potentially violent. It’s worth keeping this in mind as we parse the current threat, or threats. Right now, politicians and media personalities are warning of looming election disasters, including:

• Foreign entities (e.g. Russian intelligence operatives) hacking voting machines to change the vote tallies in specific states
• Foreign interference in voter registration
• Foreign disinformation and other tactics that cause confusion and chaos that affects the ability of people to vote

American election infrastructure is vulnerable, to be sure. A recent report from Valimail finds that only 5% of the largest voting counties in the U.S. are protected against email impersonation and phishing attacks. They are concerned that hackers could disrupt the upcoming election by shutting down voting equipment, stealing data, changing it or deleting it. Many other reports and disclosures have highlighted comparable vulnerabilities.

“State and local governments are badly exposed to the risks of ransomware and CEO/BEC (Business Email Compromise) attacks.” – Colin Bastable, CEO of Lucy Security

Colin Bastable, CEO of Lucy Security, the security awareness and training company, voiced a similar concern. He said, “State and local governments are badly exposed to the risks of ransomware and CEO/BEC (Business Email Compromise) attacks.  In our customer testing, we consistently find that around 30% of spoof emails are delivered to the email inboxes of local government staff.” The problem here is that relying on technical defenses like firewalls and DMARC alone lead to a situation where the attackers only need to get lucky once.

How Real is the Threat of Hacking Voting Machines?

When we vote, how confident should we be that our vote is counted accurately? The answer to this question is multi-faceted. At the level of an individual voting machine, there is great potential for mischief. Hackers at DefCon 2019, for example, were able to show how easy it was to hack voting machines.

According to Tom DeSot, of the vulnerability and threat management firm Digital Defense, it is possible—even easy—to hack a touch screen voting machine and cause it to render a voter’s selections invalid or inaccurate. “You can tamper with the machine so a vote for one party goes to the opposing party,” DeSot said. “It’s surprisingly easy to invalidate votes by hacking the machines.” DeSot also warned about the risk of vote tallies being changed by hacking. “A machine might get 1000 votes for party A, but tallies it out as 950 votes when election officials export data from the machine.” When the numbers are shaved slightly like this, no one may notice the discrepancy.

“You can tamper with the machine so a vote for one party goes to the opposing party,” DeSot said. “It’s surprisingly easy to invalidate votes by hacking the machines.” 

DeSot and other experts, however, are skeptical that foreign hackers could actually swing an election in total. “You might be able to change results in a single county, which could have an impact in the sort of tight races we have today, but it would be incredibly hard for hackers to change vote counts on a statewide or national basis,” he said.

The reasons for this skepticism have to do with the complexity and variation inherent in America’s voting systems. Take the issue of hacking voter registrations. While it is possible for a malicious actor to modify a registration database, one would imagine that a significant hack in this category would be spotted pretty quickly. If, say, 20% of voters turn up and find out their registrations have been deleted, it would cause an immediate scandal and response.

The number and variety of people involved in the election process are also factors limiting the impact of hacking. American elections comprise a system of systems, with many moving parts. Voters are registered, ballots are created, voting machines programmed, polling places set up and staffed, ballots handled and counted at the local and then state levels and on and on. If a hacker penetrates one element of this interlocking set of processes, there’s no guarantee he or she will be successful in affecting other areas.

As Joseph Carson, chief security scientist at Thycotic, put it, “Hacking a single election voting machine is easy, however, hacking many voting machines to change the outcome of an election is quite difficult.”

As Joseph Carson, chief security scientist at Thycotic, put it, “Hacking a single election voting machine is easy, however, hacking many voting machines to change the outcome of an election is quite difficult. To do this at scale, across many geographical locations which are decentralized is a major challenge would require a coordinated effort with physical access in multiple locations. While not impossible, it would be highly visible and not a stealthily hack to perform.”

Another reason it’s hard to imagine a massive, effective vote hacking scheme has to do with the auditability of the process. In the 45 states with paper ballots, or machine-generated paper receipts, election officials can do reasonably accurate recounts. The states without paper ballots are Louisiana, Georgia, South Carolina, New Jersey, and Delaware. The election recount and auditing processes are not without deficiencies, but there is at least a verification step possible to catch widespread election fraud and abuse.

Don’t Forget the Insider Threat

A system run by state and local-level officials, that depends on physical access to multiple machines can be hacked can most easily be hacked by insiders. If the government entity responsible for elections has the intent to change an election outcome, they are far better positioned to do so than foreign-based hackers. A friend of mine, who seems unaware of the concept of irony, calls this the “Al Gore-ithm.” And, given the American experience with its “Plug Uglies” and the like, we may be more vulnerable to this than to fiendish interference from across the seas.

The Bigger Threat: Disinformation and Generalized Disruption

The low risk of systematic cyber vote rigging aside, we should still be quite concerned, and highly vigilant, about interference in America’s democratic process. Russia, in particular, is actively seeking to disrupt American elections. Their path to success just probably doesn’t involve actual voting processes. Rather, they are attacking all of the vital peripheral functions of voting to change and/or taint the final outcome. This might include cyberattacks on municipalities just before or during election day. The 2019 ransomware attacks on more than 600 government entities, healthcare service providers and school districts, colleges and universities (with Russia as a leading suspect in many cases) offers a clue as to what this malfeasance might look like.

As Joseph Carson noted, “Hacking the elections is about disinformation, targeting the candidates that you don’t want to become the next president, rather than trying to persuade citizens to vote for your preferred candidate.” He added, “Hacking the elections also starts early, especially during the primaries because if you divide the political party early enough, then you have to do less during a general election hack and this way it is also harder to determine any interference.”

“Their goal is not to elect a particular candidate. Their goal is to destroy the integrity of the American democratic process.” – Richard Henderson, Head of Global Threat Intelligence at Lastline

Richard Henderson, Head of Global Threat Intelligence at Lastline, offered an unsettling perspective that aligns with the broader geopolitical events surround the 2020 election. “Russia’s goal in 2020 is to cause so much uncertainty that both sides will feel fully justified in claiming that the election was stolen from them,” he said. “Their goal is not to elect a particular candidate. Their goal is to destroy the integrity of the American democratic process.”

Why would the Russian government want to do this? No one outside of Russia knows for sure, but geopolitical thinkers like Timothy Snyder, author of The Road to Unfreedom: Russia, Europe, America, place Russia’s intent to ruin American elections in the context of justifying their own election rigging. To paraphrase Snyder, the Russian’s want America democracy to look like a sham so that Russian citizens will not complain about what he calls “managed democracy”—a state where elections take place, but almost every aspect of them is fake, in order to guarantee power for a rich, select few.

Photo Credit: jenwuk Flickr via Compfight cc