FBI: Election Systems Too Easily Hacked – “Perfect Storm” Nov 8th?

COTS Hacking Tools, Electoral College, No Paper Trail, Connected to Internet

The details of the FBI’s report that the election systems of two states (apparently Arizona and Illinois) were recently successfully hacked, and its warning to other states, suggest just how easy it would be for hackers, including those working for a hostile government, to steal an election, perhaps even the 2016 presidential election, warns public interest law professor John Banzhaf.

Election fraud hackers
Photo by Nomaan!

One of the scariest revelations is that both election system intrusions – one to extract data, and the other to possibly plant malware – did not require much sophistication or secret hacker knowhow.

On the contrary, notes Banzhaf, the intruders used COTS (common off the shelf) hacking tools widely available and easily obtained by anyone searching the Internet for “SQL Injection” (the type of intrusions used) including Acunetix, SQLMap, and DirBuster – all common hacking tools from VPS hosting accounts in the Netherlands, Russia, and Bulgaria.

There is a “perfect storm” – an unusual combination of circumstances creating drastically heightened risk – heading towards our coming elections, perhaps even the presidential election, says Banzhaf.

One of the elements of this heightened risk is the vulnerability of many voting machines to easy manipulation by readily available and easily obtained programs, says Banzhaf.

Our vulnerability is not limited to a group of master hackers or a foreign country with vast resources. As the FBI report explained in great detail, the necessary software already exists, and can be utilized by a small group of determined people, and with only a fair amount of skill.

The second element of the perfect storm into which our presidential election may be heading is that we use the Electoral College rather than have a direct election for the president.

Banzhaf started hacking in the late 1950s, and his technique for determining the chance that any particular voter or small group of voters could change the outcome of a presidential election – now called “The Banzhaf Index” – has been widely adopted and utilized.

That’s important, he explains, because, under our Electoral College system, any rigging/fraud/hacking which resulted in a change in even a very small number of votes, and perhaps even only a small number of votes in an individual state, could change the outcome of the presidential election, something very unlikely to occur were there to be a direct presidential election.

He reminds us of how the 2000 presidential election was decided by fewer than 1000 votes out of almost 6 million cast in Florida. That election, with its hanging chads and long delays, focused public attention on the many problems of using punch card ballots.

A third element of the perfect storm facing the presidential election, and well as many state and local ones, is the increased use of electronic voting machines (especially where they leave no paper trail).

While some electronic voting machines do generate paper records so that some type of audit trail is available if hacking is suspected, too many do not. This can create what Wired’s Brian Barrett terms a “technological train wreck” because, if some one tampered with the machine’s software, there would be no way to prove it by comparing real votes with machine tallies.

Reportedly Delaware, Georgia, Louisiana, New Jersey, and South Carolina use voting machines which leave no paper trail. The same is apparently true in some parts of Arkansas, Florida, Indiana, Kansas, Kentucky, Mississippi, Pennsylvania, Tennessee, Texas, and Virginia.

Still another factor making the storm an even greater threat is that more and more of the computers and data processing devices used in the election process are connected to the Internet.

The recent hacking of the Pentagon, the alleged hacking of the Democratic Party by the Russians, and the hacking of many large corporations such as Sony by North Korea, shows that even the most sophisticated data processing systems – with strong firewalls and intrusion detection software – can be hacked if any portion is connected to the Internet.

After all, if the Pentagon, Sony, the White House, the Iranian nuclear centrifuge control system (which was reportedly not even connected to the Internet), SWIFT (the international banking exchange system), the State Department, Aramco oil company, and many other large and seemingly impregnable computer systems can be hacked, what guarantee is there that the systems in Chicago or any other large city or county aren’t at least as vulnerable.

If these mighty fortresses of system security can be breached, it seems clear that many state and local systems – which do not have super experts watching over them, insuring that all their software is up to date, constantly checking for malware and intrusions, etc. – are at least as vulnerable.

Actually, say some experts, even computer systems which are not connected to the Internet may be vulnerable to hacking. One way is through the use of voting cards – cards which look and act somewhat like credit cards which permit citizens to vote on voting machines into which the cards are inserted.

Simple alterations of the data recorded on such cards can permit a single voter to cast hundreds of votes on one visit to the voting machine. Depending on the sophistication of the software, the proper card in the hands of a hacker might even permit him to alter the software, change the vote totals directly, etc.

Another on-line vulnerability is that some states permit residents to cast their votes from home over the Internet. Thus, in addition to sending in fraudulent votes from a hacker’s computer, scammers might be able to trick voters into sending in their votes for a different candidate, or to providing scammers with the necessary information to send in a phony vote – just as scammers now get their victims to provide credit card and other vital information, or even to have their home computers serve as “slave” computers.

It was said in the Godfather movie that “The lawyer with the briefcase can steal more money than the man with the gun.” Today what’s even more scary is that a hacker with malware can steal more votes than any corrupt mayor or governor.

So, to the extent that we worry (or are at least concerned) when experts warn that hackers – including those working for a foreign government – could hack into and even take over our electrical distribution system, banking and stock trading computers, flight control operations, etc., we should take the threat of a hacked 2016 presidential election at least as seriously.

CNN reluctantly reports that “we’ve officially entered the era of the hackable [presidential] election.” Mother Jones reports that “the concern that somebody might try to hack voting machines no longer seems outlandish.”

Politico says a computer expert remarked that if some of the more susceptible voting machines hadn’t yet been hacked, “it was only because no one tried.” Money magazine says we’ve officially entered the era of the hackable election.

Wired claims that the move toward electric voting machines turned out to be a “technological train wreck.” And ABC TV News featured a piece entitled “Yes, It’s Possible to Hack the Election.”