Q&A: The myths and realities of hacking an election

CSO Online asked several experts for their thoughts on the realities of election hacking

Election hacking has become a key topic during this year's presidential elections, more so now that candidates and voters are being actively targeted by actors that are assumed to be acting with Russian support.

In this modified edition of CSO Online's Hacked Opinions series, we explore the myths and realities of hacking an election, by speaking with a number of security experts.

Q: Can the national election really be hacked? If so, how?

"It’s unlikely that the national election could really be hacked to alter the outcome. Voter registration databases have recently proven vulnerable, but adding, modifying, or deleting records doesn’t produce the intended effect (changed outcome); it just raises questions about the integrity of the database on election day," said Levi Gundert, CP of Intelligence and Strategy, Recorded Future.

So if the desired result is tampering, or to call into question the integrity of the system itself, Gundert added, then it’s possible to "hack" a national election, "especially if a majority of voter registration databases were compromised."

Such a task could be accomplished remotely from the internet (as we’ve recently seen in Arizona and Illinois), or by an insider.

Based on state information provided by Ballotpedia, the precincts in swing states like Florida that use Direct Recording Electronic (DRE) systems without a paper trail are the only ones that are even remotely problematic, Gundert explained.

"DRE systems are computers so there’s multiple ways to attack them, especially if you have access to components early in the supply chain. However, if the operating system and application hasn’t yet been tampered with, then remote access via the internet on election day is highly unlikely because these systems won’t be connected to the internet."

But if an attacker has physical access to DRE systems, then additional hardware (Bluetooth, WiFi, GSM, CDMA, etc.) could be added to allow for remote access at a later time, "but again, the scale of hardware additions needed would be impractical," Gundert said.

Should the vulnerabilities in voting machines surprise anyone though? Alex Rice, CTO and co-founder of HackerOne, pointed out that slot machines currently undergo more security assurance and regulation than voting machines.

"The fact that voting machines are vulnerable shouldn't be a surprise to anyone, all technology has been proven vulnerable and these computer systems are no different. Voting computers have not been subjected to basic security best practices such as third-party source code review, vulnerability disclosure, and any level of transparent peer review that a critical system should undergo before they are depended on by our democracy."

Q: What about local elections? Are they the easier target? If so, how can they be hacked?

The answer here all depends on the voting mechanisms in use, Gundert said. DREs introduce complexity, as opposed to paper ballots, but the challenge for someone planning to hijack an election is really the scale of tampering necessary to affect the election's outcome. So on the scale of effort alone, a local election would be easier to coordinate than a national election.

"The same problems exist in both national and local elections, but with a few differing characteristics impacting risk vs reward," Rice said, offering his own take on the question.

"On one hand, the stakes are lower in local elections and therefore the adversaries with a vested interest in the compromise of a local election are likely to be less advanced. On the other hand, the smaller statistical sample and reduced level of scrutiny means that attacks are more likely to go undetected."

Q: How viable is it to hack into a given voting system? Would it be remote hacking or local physical access?

"A sufficiently motivated adversary would have no shortage of feasible strategies for the compromise of voting computers," Rice said.

Voting systems, for the most part, run end-of-life Windows XP with no security updates, which is a serious problem. Another layer to attack would be connected systems, "and we've seen no evidence that these computers are universally and permanently air gapped," Rice added.

Additional risks and types of attack include a denial-of-service that could render computers inoperable in a targeted area.

"Most critically, the lack of transparency prevents any reasonable assurance that vote hacking did not occur. This lingering doubt is fertile breeding ground for conspiracy theorists to contest the election results in a manner that can not be strongly refuted. An inability for us to maintain a high degree of confidence in the authenticity of our election process is a threat to democracy in its own right," Rice said.

Q: Assume an attacker does get in and can alter election results somehow, how quickly could they be detected by local election officials or the federal government?

"Detection of tampering with a DRE system without a paper trail is unlikely if the DRE is operating properly. Obviously the unauthorized access to voter registration databases in Arizona and Illinois has already been detected," said Gundert.

Again, Rice adds, the issue of transparency comes into play, because without it, little is known about the controls that would detect such tampering. "This is insufficient," he said.

Q: Realistically, what would be the point of hacking the vote?

"Assuming an attacker could access large amounts of DRE systems (which is highly unlikely) and alter the removable media, potential motives would be numerous. A nation state effort aimed at disruption/chaos is one possibility," Gundert said.

One possible objective could be based on espionage, with a focus on policy shifts between candidates, said Art Gilliland, CEO of Skyport Systems.

"For example Pro-Russian versus adversarial stances would make a huge difference in international relations. Another option could just be to create chaos, selection of David Duke for example. Anarchists and Hacktivists like Anonymous would do it just to make a point."

Q: Why would someone target voting systems during the election cycle? All eyes are on the systems and data, isn't this a bit counterproductive?

"The question assumes we'd detect the compromise," Rice said.

"Even in more mature security systems, we still only detect a minority of compromises and believing that voting systems are immune to this property is hubris. The only prudent route is to both conclude that compromise is possible and that it will be extremely hard to detect."

It's hard to argue with events over the past year. Criminal hackers stole millions of records and millions of dollars from some of the most sophisticated companies and organizations in the world, and they made it look easy.

"Nation States are hacking into sensitive systems all the time with our best and brightest defending us. Modifying the voting systems manned and monitored by volunteers would be essentially 'child's play' for the hacker community," Gilliland said.

Final thoughts

When questioned for this story, Simon Crosby, the CTO of Bromium, offered some interesting perspectives. Cyber paranoia, he said, is leading to a new state of absurdity – where the protagonists are those who could be easily called 'Cyber Luddites.'

"Here’s their narrative: 'The most credible security researchers agree that it is impossible to build a secure voting system. Therefore we should stick with paper, forever.'"

"Sticking to paper-based voting systems has massive drawbacks. Does anyone remember hanging chads? It is impossible to build a perfect voting system. But we are getting very good (collectively) at building computer systems that are massively secure by design. Such systems, appropriately audited and tested by independent professionals, would improve accuracy of voting and move the world forward substantially."

Stories by Steve Ragan
