Skip to main content

How weak cybersecurity could disrupt the U.S. election

October 7, 2016

Five things to know about the digital threats facing America’s Election Day.

Election Day is still four weeks away but the integrity of the final outcome is under attack now by a pernicious combination of real weaknesses in U.S. cybersecurity and candidate-fueled conspiracy about ballot tampering.

It’s not just Democrats’ charges that Donald Trump-supporting Russians are hacking their systems or the Republican nominee’s insistence that he can only lose if Hillary Clinton’s people actually rig the vote tally. It’s a very real flurry of electronic pokes, pings and prods that more than 20 states have already experienced as cyber criminals try to gain access to one of the crown jewels of this election: the voter registration rolls.

Story Continued Below

“I see this is the Russians trying to screw with democracy,” Sen. Lindsey Graham, the South Carolina Republican who ran a short-lived 2016 campaign for the presidency, told POLITICO.

State and local election officials have the difficult task of trying to manage the more than 120 million voters who are likely to show up to vote for Clinton or Trump, all without allowing for any significant hitches.

Early voting in some states has already begun, and over the final 30 days of this contest, about 10,000 diverse jurisdictions will implement their own election rules and deploy different ballot technologies.

And hanging in the balance is the legitimacy of the win for whichever candidate claims it. That would have been hard enough to attain in this year of toxic partisan politics, but it’s ever more so because of the country’s odd voting infrastructure, a mix of antiquated technology and newer digital methods that have their own demonstrated weak links.

With that in mind, here are five important things to know about the cybersecurity of the U.S. election:

1. Hacking the DNC is not the same as hacking an election.
Like the hacking that got Sony Pictures intotrouble in late 2014, what has caused the Democratic National Committee so much grief centers around the theft and release of embarrassing and compromising internal emails.

But there’s a critical distinction here that election security experts want the country – and cyber criminals -- to understand: The DNC and Sony hacks are different than the kind of operation it would take to break into a voting machine and manipulate its results.

Yes, computer scientists have demonstrated they’re capable of hacking into select voting machines under certain laboratory conditions. Still, federal and state election officials insist that nothing of that sort can happen at any kind of scale to effect the presidential race’s overall results.

That’s in no small part because the election itself is conducted through more than 50 different administrative offices.

“This means that there’s no national system that a hacker or bad actor can infiltrate to affect the American elections as a whole,” Thomas Hicks, the chairman of the U.S. Election Assistance Commission, said during a recent House subcommittee hearing.

Indeed, the bureaucrats are taking some comfort in their bureaucratic ways.

The Homeland Security Department also says it’s ready to keep the election safe by helping states assess any threats to their voting systems. To date, 25 states have taken DHS Secretary Jeh Johnson up on his offer for federal aid, and state officials say they have their own safeguards in place too that will detect any problems before the final results are certified later this year. “Whatever candidate I want to win or lose, I need to have the confidence that the results are actually accurate because otherwise the underpinning of the whole republic goes away,” Colorado Secretary of State Wayne Williams said in an interview.

Most important, election officials insist they can’t be hacked because most parts of the balloting process – with some notable exceptions, like some overseas and military voting -- isn’t connected to the Internet.

“So a bad actor would have to access these systems in person,” Hicks said. “The amount of resources required to carry out this attack would be immense.”

2. Still, the voting process has many weak points.
Of course, the presidential election isn’t 100 percent safeguarded from cyber chicanery.

Arizona and Illinois have already seen hackers crack their voter rolls, and a DHS official recently confirmed to POLITICO that more than 20 states had their public-facing registration systems intensely probed for weak links.

Voting registration lists are not the same as the actual voting machines, a distinction that state and federal officials say can’t be made enough. But the vulnerabilities demonstrated in those two instances have heightened concern about the down-stream consequences. While state officials say they make routine and often nightly backups of who is registered to vote -- and provisional ballots always remain an option if a name isn’t found on the rolls come Election Day -- some lawmakers and election security experts say they’re alarmed now that it has been demonstrated that state election offices aren’t impenetrable.

They warn of long lines if the registration databases have problems, even in small ways, potentially turning off voters who don’t have the time or patience to wait. They also fret that these early hacks are just a precursor to more sinister dirty tricks that tamp down turnout.

“What would happen if emails were sent to all of those voters, or just the Democratic voters, telling them the date of the election has been changed or their precinct had been changed?” said Rep. Zoe Lofgren (D-Calif.). “Wouldn’t that create chaos in a system if even a small percentage of voters believed an email, misadvising them?”

Voting systems have other weaknesses too. Computer scientists say some states use tabulation programs run on older computers with outdated operating systems, including Windows 2000, where security patches are no longer available from the vendors. Even though the official results aren’t required to be certified for several weeks after the election, they warn that the totals being transmitted from local polling precincts up the chain to county and state election headquarters – and out to the public via websites and the media – are susceptible to hackers. And that could cause problems in a heated race where supporters of both presidential candidates have been raising alarms about vote tampering.

“There are significant vulnerabilities where attacking a single point could result in an interesting result,” Dan Wallach, a Rice University computer science professor, told Congress during a recent hearing on election integrity.

This problem is especially critical for a small number of competitive counties and states that use electronic voting machines but don’t produce any kind of paper trail in the event of a recount. In Georgia, much of Pennsylvania, and to a smaller degree in some counties in Florida and Virginia, security experts warn that a manual post-election audit won’t even be possible and that there’s no way to detect mischief if someone attempted to alter the results.

“There’s no fall back if you get hacked if you don’t have a paper ballot,” Rep. Ted Lieu told POLITICO. Despite the assurances that the election isn’t vulnerable because so much of it takes place off line, the California Democrat cautioned, “As a recovering computer science major I can tell you people were hacking computers before the Internet even existed.”

3. Don’t expect major policy changes before Election Day.
Federal and state officials are working to secure voting through various back channels, but they’ve exhausted many of their most public options ahead of Election Day.

Congress left town last month after holding two House hearings on election integrity issues, and lawmakers have no plans to consider any kind of comprehensive update to the nation’s election administration laws any time soon. That’s despite the last successful effort -- signed in 2002 in the wake of the Bush v. Gore clash – coming in an era without iPhones or Facebook and long before cyber espionage was any kind of serious election concern.

Obama’s Homeland Security Department, meantime, has backed away from an idea it floated in August to designate the nation’s election system as critical infrastructure. It’s a move that would open the way to a wider suite of information sharing and federal aid for state and local governments as they deal with potential threats to voting, putting the system on a par with the nation’s electricity grid and banking system.

But several secretaries of state took issue with the idea that the federal government would assume an even larger role in the presidential election’s administration. Then last month Congress’s top four leaders – Paul Ryan, Nancy Pelosi, Mitch McConnell and Reid – put the bipartisan kibosh on the idea, declaring in a joint letter that they would “oppose any effort by the federal government to exercise any degree of control over the states’ administration of elections by designating these systems as critical infrastructure.”

There have been some recent changes in the states and counties using paperless voting without a trail for auditing. In Florida, a state law signed in 2007 required a paper trial in nearly all circumstances, though disabled people can still request electronic machines without a paper trail. Virginia last year banned one specific computerized touch-screen voting machine seen as particularly vulnerable to hackers and it has been phasing out its paperless machines too, though many rural counties are struggling to find the money to purchase new equipment. Pennsylvania’s response includes a seven-page guidance letter blasted out last month to county officials outlining recommended cyber hygiene practices. Meantime, Georgia Secretary of State Brian Kemp told POLITICO he’d consider shifting to a paper ballot approach with a verifiable auditing process “in the future.”

“But it’s not the system we have” for 2016, he said.

4. Putin may be the prime suspect, but he’s not alone.
Russian President Vladimir Putin is getting the brunt of the blame for allegedly ordering up his country’s cyber hackers to meddle with the U.S. election. And perhaps for good reason.

Security experts and senior U.S. intelligence officials have toggled between outright declarations and more informal hints that Russia was the lead DNC hacking culprit, and the top Democrats on the House and Senate Intelligence committees last month called on Putin to “immediately order a halt to this activity.”

But the Obama administration has so far resisted the calls from Democrats and even some Republicans to officially call out Russia for meddling with the U.S. election. "Let's wait and see how this plays out a little bit," National Security Agency Director Adm. Mike Rogers said last week during a cyber summit hosted by MIT and The Aspen Institute.

Making a formal declaration is wrought in both presidential and global politics. Blame Russia so close to the White House campaign’s climax and Obama is exposed to questions that he’s trying to help his preferred successor through diplomatic channels. His administration also must weigh the risks of heightened Russian counterattacks and the effect in several other fluid parts of its relations, including the dual breakdowns in just the last week of cease fire talks over Syria and Putin’s abandonment of a nuclear weapons disposal agreement.

Even some of Clinton’s Democratic backers recognize that Washington is limited in its ability to formally finger any one country.

“The simple fact of the matter is attribution is very hard,” said Rep. Jim Langevin (D-R.I.), a co-founder of the Congressional Cybersecurity Caucus. “There are multiple layers of removal of the actual source that doesn’t give you that 100 percent accuracy or confidence that it’s a nation-state you believe it to be.”

Putin has denied Russian involvement in the DNC hacking, though he noted in a Bloomberg News interview last month that the release of the information did serve a purpose. “Listen, does it even matter who hacked this data?” the Russian leader said. “The important thing is the content that was given to the public.”

It’s also the case that Russia may not be the only player trying to muddle with the U.S. election. Trump was mocked during the first debate when he suggested China or even “somebody sitting on their bed that weighs 400 pounds” could be behind the DNC hacking. Still, he’s not alone in stating that the circle of possible suspects should be wider than just Russia.

“The Russians are certainly very adept, as the Chinese and Iranians are very good about cyber breaches,” said Rep. Trent Franks, an Arizona Republican who initially resisted Trump’s candidacy but has warmed to his party’s nominee.
Likewise, Lisa Monaco, Obama White House homeland security adviser, said during an event Thursday hosted by the Washington Post that she’s “struck by the breadth” of the cyber threats she must brief the president about on a daily basis, including China, Iran, North Korea and plenty of individuals who are tied to no specific country.

“We’ve got to be concerned about nation-state and non-state actors trying to breach our critical systems, whether to generate insights for their use later, whether to develop a greater intelligence picture to use in the future or whether to sow doubt or confidence in our systems,” she said.

5. Messing with the election’s integrity: Mission accomplished?
Even without the U.S. registering any formal culpability, there’s considerable alarm that the 2016 campaign hackers – Russian or otherwise -- may have already inflicted their damage on the election and the next president.

“They’ve succeeded certainly in raising more concern,” said Rep. Gerry Connolly, a Virginia Democrat. “Whether they’ve actually succeeded in undermining the perception of integrity of the process remains to be seen. I don’t think so. But we’ll see.”

Michael Podhorzer, the political director at the AFL-CIO, said he’s paying particular attention to the narrative surrounding potential threats to the security of the election, whether it be charges of rigging, hacks or other mischief. “Anything that cast doubt is going to be seized upon by the Trump supporters, if they lose, to discredit the election,” he said.

One particularly troubling sign: Trump’s recent comments to The New York Times backing away from an initial pledge during the first presidential debate to accept the election results if he loses. “We’re going to have to see,” the Republican nominee told the newspaper. “We’re going to see what happens. We’re going to have to see.”

“That’s further evidence,” Podhorzer warned, “that Nov. 9 could be a holy terror.”