Newsletters
Risk Central
Digital Edition
Presidential Election
Cyber Vulnerabilities Threaten 2016 Election
Nearly two-thirds (64 percent) of registered voters believe the 2016 presidential campaign will be compromised by a cyber breach in some way, according to a poll conducted by data security firm PKWARE and Wakefield Research.
Their concerns are not unwarranted; at a time when breaches and data theft make headlines on a regular basis, much of the voting process remains unprotected.
“There is a lot of vulnerability in paperless voting systems, whether they are direct reporting electronic machines, or email return ballots,” said Pamela Smith, president of Verified Voting, a nonprofit organization that advocates for accuracy, transparency and verifiability of elections.
Most polling places use paper ballots that are tabulated by a scanner. Even if the scanner goes haywire, there is a paper record of voters’ intent and officials can take a manual count. In fully paperless systems, no such backup exists.
“In a situation like that, there’s no way to demonstrate that the software is working properly. If something seems amiss or there is an unexpected outcome, you really wouldn’t have a way to go back and correct it because you don’t have an independent record of voter intent,” Smith said.
Electronic systems, then, offer a prime target for hackers looking to influence elections.
A few years ago, Smith said, Washington D.C. ran a pilot program of an online voting system that would enable overseas military personnel and other expats to cast their ballots remotely. It opened up a test version of the system to the public, inviting hackers to try and breach the system.
“If organizations the size of Google and Sony can get hacked, how can small townships without even an IT staff prevent a breach?” — Pamela Smith, president, Verified Voting
“Within 36 hours, some white hat hackers from the University of Michigan were able to fully breach the server. They could change votes; they had access to the PIN numbers assigned to the intended users. Nobody even knew they were in there,” Smith said.
“And while they were in there, they noticed the server was being pinged by IP addresses from places as far away as Iran and China, so they set up a firewall while they were at it.”
After the hackers confirmed the ease with which they were able to hack and manipulate the system, D.C. bagged the program.
Most jurisdictions, though, don’t run such tests. Standard polling place equipment undergoes federal testing and certification before jurisdictions can buy them, but online and email systems do not have to meet any federal or state standards.
Often, the counties and townships managing the voting process in their areas do not have the resources to test or fully protect their systems.
“If organizations the size of Google and Sony can get hacked, how can small townships without even an IT staff prevent a breach?” Smith said.
DOS attacks could also directly hit the online voting portals. While deadlines for registration could be extended, changing voting time frames on Election Day would likely not be possible.
In addition, more states are turning to email attachments and online portals as a way for absentee voters to return ballots.
“These methods are not secure. And it may be, overall, a very small number of ballots, but there are any number of contests in any number of states that are decided by a small proportion of the vote, and the inability to conduct a legitimate recount or audit on votes returned in this manner could become a significant issue,” Smith said.
Miller Newton, President & CEO, PKWARE
Voter registration records are another probable target for a breach. A denial-of-service attack could crash registration sites right before deadline, blocking last-minute voters from the process. Records could also be hacked to change voter status or delete records altogether.
DOS attacks could also directly hit the online voting portals. While deadlines for registration could be extended, changing voting time frames on Election Day would likely not be possible.
“In the last 12 months, we’ve seen one of the biggest breaches of a federal government agency in the breach of the Office of Personnel Management, when millions of security clearance documents were stolen,” said Miller Newton, president and CEO of PKWARE.
“If those documents are vulnerable, then voter registration is absolutely vulnerable.”
Using Cyber for Smear Campaigns
In addition to breaches of electronic voting systems and registration records, hackers could also compromise the election by targeting candidates’ email servers or other vulnerable campaign platforms, and publicizing confidential information.
“We could see some very damaging personal or campaign-related information revealed.” — Miller Newton, president and CEO, PKWARE
“It’s inevitable,” Newton said. “In this environment, with the mudslinging between candidates like we haven’t seen in years, it seems like the perfect recipe for disaster.
“We could see some very damaging personal or campaign-related information revealed.”
Bad press could potentially remove a candidate from the race. Newton offered the example of former Sen. Gary Hart, who was in the midst of a strong run for president in the 1988 election when proof of an affair became public, essentially removing him from the race in the face of public disdain.
“Depending on how severe the personal information is, it could definitely take down a candidate and throw off the whole campaign, which ultimately impacts the election,” Newton said.
Theft of candidates’ private information, he said, is more likely than a direct attack on voting systems.
Solutions
The root of election-related cyber vulnerability lies in old, out-of-date technology.
“The government is wrought with antiquated technology,” Newton said. “Budgets are tight. The government does not spend as much on IT as the private sector does. As a result, the information in these systems is not properly protected.”
When the federal government sought their insight on the development of a cyber security framework, Pamela Smith and Verified Voting proposed including elections as a part of critical infrastructure. This way, more resources would be targeted for system updates.
Newton said the problem is solvable as long as government officials have a “paradigm shift in thinking” about cyber security. Once they accept that their systems will inevitably be breached by adversaries, they will approach the problem more rigorously.
The solution, he said, lies in the encryption of confidential data so that even if it falls into the wrong hand, it will be useless.
While debate remains active over the privacy and transparency implications of encrypting government information, it may be more secure and less expensive to “approach the problem from the information out, rather than from the network in,” Newton said.
As the presidential election draws closer, the time to make these changes is running out.
