Guest Editorial by Bob Hansmann, Director, Security Technologies, Forcepoint
The United States is rapidly heading into one of the most contentious elections in years between candidates Hillary Clinton and Donald Trump.
The stakes are high for any election, but this one seems especially critical with the disposition of the Supreme Court hanging in the balance and two candidates with diametrically opposing views about the direction they want to take the nation.
But in addition to the rhetoric and vitriol of the campaign itself, this election is unique in that hackers seem to be trying very hard to influence the results.
In the lead-up to the election, servers were attacked and information was released in a blatant attempt to sway public opinion.
(Yahoo’s Michael Isikoff broke the news that foreign hackers penetrated election databases in at least two states this summer. Courtesy of MSNBC and YouTube)
Intelligence agencies lay the blame for these attacks on Russia, but whoever was behind the persistent attacks was clearly acting as part of an ongoing campaign.
It’s not that big of a leap to think that they, or other similar groups, would try and take the next step of actually sabotaging the election itself.
It’s certainly a concern within government.
Back in August, Homeland Security Secretary Jeh Johnson held a conference call with election officials from across the country to warn about the possibility of attacks and the need for vigilant cybersecurity.
Johnson offered the help of both the U.S. Election Assistance Commission (EAC) and the National Institute of Standards and Technology (NIST) for that task.
(The Obama administration says it’s “confident” that the Russian government is responsible for recent election-year hacking, including attacks on the email system at the Democratic National Committee and on various state election systems. Courtesy of Yahoo News and YouTube)
NIST and the EAC preemptively developed the technical Voluntary Voting System Guidelines to help local jurisdictions test, certify and protect their systems.
The guidelines are voluntary as the federal government does not run elections, instead leaving it to the states.
But it would be strange for any local government to not consider those common-sense and best-practice type suggestions.
While every election jurisdiction needs to be vigilant, the problems associated with securing voting technology in the U.S. is also one of the reasons why it would be so difficult to attack from the outside, from Russia or anywhere else.
There are over 9,000 election jurisdictions in this country, and you might be surprised to learn how many of them are operating different systems.
We literally have everything to vote with from paper ballots to the huge metal boxes with mechanical pull levers to Scantron sheets to computers with touchscreens and even mobile type devices.
Though in truth, most of the technology is rather old.
A recent study revealed that up to 43 states are planning to use voting machines that are at least 10 years old, with some moving forward with 20 or 30 year old systems.
The aging technology is being used alongside of some states like Virginia, which spent $28 million in 2014 to upgrade all of their machines.
(A report by the Brennan Center for Justice found that most US states are using outdated voting machines and technology, which may have a negative impact on the 2016 presidential election. Courtesy of RT American and YouTube)
Different types of technology can even be deployed within a single state. West Virginia decided to upgrade its populous Harrison County with modern voting machines last year, but has no plans to modernize the rest of the state anytime soon.
Looked at from a hacker perspective, this creates an almost impossible situation.
For a hack to be successful in changing nationwide election results, there would have to be simultaneous, successful and undetected attacks on multiple voting systems across the country.
The attackers would need to learn how each system they were attempting to breach operated, and be able to shift enough votes to actually change the results without it being completely obvious.
They would also have to avoid triggering any of the inborn security systems which are likely as varied as the voting technology itself. And at last count, 30 states have accepted Homeland Security’s offer of election security help, so any hack would have to avoid that direct monitoring as well.
The systems are also not always connected to a network.
They are stored in closets and warehouses for years between elections, so the window of opportunity for an outside hacker would be extremely limited.
Some states like Maryland even make it a point to never connect their voting machines with the outside world, instead keeping everything in a closed system.
The concept of an outside hack changing a presidential election, while not impossible, is thus extremely unlikely given the hodgepodge of voting systems, the adherence to the NIST guidelines, the limited connectivity of the systems to the outside world and help from the federal government with monitoring the process.
But that is regarding an attack from the outside.
In the past few days, candidate Donald Trump has brought up the possibility of a “rigged election,” implying that our 200-year old system, and the foundation of our democracy, could be corrupted from the inside.
One could easily dismiss this as either campaign rhetoric or perhaps deliberate hyperbole, but the fact is that the only way the system could likely be compromised from a technical standpoint would be from the inside.
(5 reasons the risks of voter fraud or widespread election rigging are low, courtesy of The Oregonian and YouTube)
That officials in thousands of election jurisdictions would conspire to swing or rig an election is so unlikely that it’s clearly impossible.
But not all elections are nationwide. Even in a presidential election, there are plenty of local contests, ballot initiatives and matters of state and local interest to decide.
It’s not inconceivable that someone working within an election district or even a specific polling place might have an axe to grind with a specific candidate, or be susceptible to a bribe to help manipulate results.
If that official happens to be in a position like an IT administrator who is familiar with the system that has been used in that jurisdiction for the past decade, they might just have the motive and opportunity to cheat.
Currently, the Voluntary Voting System Guidelines do not call for any type of active insider threat detection program.
It’s admittedly not an incredibly likely threat. But given how important voting rights and the integrity of the system is to our democracy, insider threat detection should be added.
If nothing else, it will allow jurisdictions to counter any claims of possibly “rigged elections” as well as deter anyone from attempting something so abhorrent.
Our democracy is simply too important to not take every possible precaution to protect and defend it.
About the Author
Bob Hansmann is director of security technologies at Forcepoint.
Over his more than 30 year security career, Mr. Hansmann has been responsible for monitoring the trends and directions of malware and the security industry as well as the utility and risks of emerging technologies such as mobile, cloud, and social networking.
He is a popular presenter known to deliver balanced perspectives on cybersecurity problems bolstered by applicable guidance and advice.