With 2018 elections approaching, experts warn that hackers can infiltrate voting machines
Cybersecurity experts, meeting at their Black Hat conference in Las Vegas this week, are divided about how best to deal with the problem, but they are united in joining with U.S. security officials in warning that our nation’s election systems remain vulnerable, and that Russia will seek to undermine the U.S. midterm elections in November.
Meanwhile, an older hacker now turned law professor, who publicly predicted and warned about hacking even before the 2016 elections, still sees the same combination of factors as creating a “perfect storm” for more digital interference in the 2018 and 2020 elections.
More specifically, the easy availability of hacking tools, the exacerbated vulnerabilities created by the Electoral College, voting machines which leave behind no paper trail and which are also often connected to the Internet, all combine to create a perfect storm our elections are heading into, says public interest law professor John Banzhaf.
In August 2016, the FBI reported that the election systems of two states (apparently Arizona and Illinois) were successfully hacked, and in its warning to other states suggested just how easy it would be for hackers, including those working for a hostile government, to steal an election.
But one of the scariest revelations is that both election system intrusions – one to extract data, and the other to possibly plant malware – did not require much sophistication or secret hacker know-how, says Banzhaf.
On the contrary, notes Banzhaf, the intruders used COTS (common off the shelf) hacking tools widely available and easily obtained by anyone searching the Internet for “SQL Injection” (the type of intrusion used), including Acunetix, SQLMap, and DirBuster – all common hacking tools from VPS hosting accounts in the Netherlands, Russia, and Bulgaria.
There is a “perfect storm” – an unusual combination of circumstances creating drastically heightened risk – heading towards our coming elections, perhaps even the presidential election, warned Banzhaf at the time, while noting now that these same risk factors remain today.
One of the elements of this heightened risk is the vulnerability of many voting machines to easy manipulation by readily available and easily obtained programs, says Banzhaf.
Our vulnerability is not limited to a group of master hackers or a foreign country with vast resources. As the FBI report explained in great detail, the necessary software already exists, and can be utilized by a small group of determined people, and with only a fair amount of skill.
The second element of the perfect storm into which our 2020 presidential election may be heading is that we use the Electoral College rather than have a direct election for the president.
Banzhaf started hacking in the late 1950s when he was at M.I.T. His technique for determining the chance that any particular voter or small group of voters could change the outcome of a presidential election – now called “The Banzhaf Index” – has been widely adopted and utilized.
That’s important, he explains, because, under our Electoral College system, any rigging/fraud/hacking which resulted in a change in even a very small number of votes, and perhaps even only a small number of votes in an individual state, could change the outcome of the presidential election, something very unlikely to occur were there to be a direct presidential election.
He reminds us of how the 2000 presidential election was decided by fewer than 1000 votes out of almost 6 million cast in Florida. That election, with its hanging chads and long delays, focused public attention on the many problems of using punch card ballots.
A third element of the perfect storm facing the 2020 presidential election, as well as many earlier state and local ones, is the increased use of electronic voting machines, especially where they leave no paper trail.
While some electronic voting machines do generate paper records so that some type of audit trail is available if hacking is suspected, too many do not. This can create what Wired’s Brian Barrett terms a “technological train wreck” because, if someone tampered with the machine’s software, there would be no way to prove it by comparing real votes with machine tallies.
Still another factor making the storm an even greater threat is that more and more of the computers and data processing devices used in the election process are connected to the Internet.
The hacking of the Pentagon, the apparent hacking of the Democratic Party by the Russians, and the hacking of many large corporations such as Sony by North Korea, show that even the most sophisticated data processing systems – with strong firewalls and intrusion detection software – can be hacked if any portion is connected to the Internet.
After all, if the Pentagon, Sony, the White House, SWIFT (the international banking exchange system), the State Department, Aramco oil company, and many other large and seemingly impregnable computer systems can be hacked, what guarantee is there that the systems in Chicago or any other large city or county aren’t at least as vulnerable?
If these mighty fortresses of system security can be breached, it seems clear that many state and local systems – which do not have cyber experts watching over them, ensuring that all their software is up to date, constantly checking for malware and intrusions, etc. – are at least as vulnerable.
Actually, say some experts, even computer systems which are not connected to the Internet may be vulnerable to hacking. One way is through the use of voting cards – cards which look and act somewhat like credit cards which permit citizens to vote on voting machines into which the cards are inserted.
Simple alterations of the data recorded on such cards can permit a single voter to cast hundreds of votes on one visit to the voting machine. Depending on the sophistication of the software, the proper card in the hands of a hacker might even permit him to alter the software, change the vote totals directly, etc.
Indeed, cybersecurity experts have already demonstrated how easy it is to hack into many of the most common voting machines, notes Banzhaf.
As a very dramatic illustration of just how easy it is to hack an election, at the DEF CON ’18 convention, kids as young as 5 are being challenged to hack election results websites and voting machines. Prizes will be awarded to the first and youngest kids to breach the voting sites and hack equipment.
Jake Braun, former White House liaison for the U.S. Department of Homeland Security, said that the conference decided to invite young hackers because it would be a “waste of time” to demonstrate that cybersecurity experts can hack election results reporting sites. “These websites are so easy to hack we couldn’t give them to adult hackers — they’d be laughed off the stage,” Braun reported.
If youngsters well before puberty can easily hack voting sites and equipment, how safe is our electoral system from their older brothers and sisters, including those who are all grown up and working for a foreign government, asks Banzhaf.