Now that the election is behind us, the discussion has turned to potential involvement by foreign governments and whether they had their hand in altering the course of US democracy by tampering with the integrity of our election systems. The CIA has all but admitted that there was definite Russian interference aimed at tilting our election.
The Green Party has begun a paper ballot recount effort in both Wisconsin and Michigan and in parts of Pennsylvania, although these efforts are likely to be futile and, in my opinion, take the focus off the real problem at hand. Paper ballots are actually the solution to the problem of vote tampering, as they provide an audit trail that cannot be disputed.
Anything that leaves a paper trail would be seen as difficult to manipulate, so hackers would likely focus their energy on other methods that offer more favorable outcomes. In fact, there are quite a few attack surfaces that one could use to tamper with results that don’t involve manipulating paper ballots. Below, I outline what I consider to be the most plausible methods that could potentially be used. Keep in mind, I am by no means an elections expert – I merely write the following based on my many years of experience in the cybersecurity realm as well as my involvement as an Elections Officer in Fairfax County during the 2004 and 2008 Presidential Elections.
The two attack surfaces most likely to be exploited are 1) Electronic Voting Machines and 2) State Canvassing Boards.
Electronic Voting Machines
It’s been said that you could leave these machines in broad daylight in Moscow’s Red Square and they couldn’t be hacked. And while that’s not entirely true (see How to Hack an Election in 7 Minutes), a brute force hack during an election is highly unlikely. Elections Officers are trained to look for any abnormalities, and anyone popping the hood of a voting machine to gain access to the circuit boards and computing components would certainly raise suspicion.
However, one method that could potentially be used is to alter the firmware/software update that is loaded onto these machines prior to an election. To populate the screen with the proper ballot information, each machine needs a software update, which an election worker typically loads onto the machine from USB media a few days before the election. If a hacker were able to access this software before it was placed on the media, it’s entirely possible that malicious code could be inserted to manipulate inputs. As a result, records stored on the machine could be altered as voters input their selections.
Although one would think the code would be audited prior to placement on the USB media, malicious code could go undetected if it were concealed well enough, making it essentially invisible to the untrained eye. And if one doesn’t think that this is conceivable, one only needs to look at the issue with Juniper’s NetScreen line of products, which for many years unknowingly allowed a backdoor into these platforms (see New Discovery Around Juniper Backdoor Raises More Questions About the Company).
As you can see, it’s entirely possible, indeed plausible, for unauthorized surreptitious code to be inserted that goes undetected for a very long time, especially if it’s written by a creative programmer who takes precautions to properly obfuscate his code. Now granted, the code affecting Juniper’s NetScreen platforms was probably planted by the NSA using programmers placed inside Juniper – however, the point is the code went undetected for many years, and was never revealed during normal code reviews and audits. Furthermore, it shows that if these actions are taken by state-sponsored agencies, copious resources are made available to carry out such a hack.
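One control against the update-media scenario above, shown as an added example that is not part of the original post: before the media is loaded onto a machine, compare every file on it with a reference manifest of SHA-256 digests. The manifest source (the certified build, delivered over a separate channel) and all file names are assumptions; this catches changes made after certification, not code already hidden in the certified build.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large images are never held in memory whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each file's relative path to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def verify_media(media_root: Path, manifest: dict) -> dict:
    """Compare the media with a reference manifest obtained separately."""
    on_media = snapshot(media_root)
    return {
        "modified": sorted(n for n in manifest
                           if n in on_media and on_media[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in on_media),
        "unexpected": sorted(n for n in on_media if n not in manifest),
    }


def demo() -> dict:
    """Constructed sample: record a manifest, then change the media copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ballot").mkdir()
        (root / "firmware.bin").write_bytes(b"certified firmware image")
        (root / "ballot" / "definition.xml").write_bytes(b"<ballot/>")
        (root / "readme.txt").write_bytes(b"install notes")
        manifest = snapshot(root)
        # Changes made after the manifest was recorded (hypothetical files).
        (root / "firmware.bin").write_bytes(b"altered firmware image")
        (root / "readme.txt").unlink()
        (root / "extra_module.bin").write_bytes(b"not in the manifest")
        return verify_media(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Files that appear on the media without being listed in the manifest are reported alongside changed ones, since nothing unlisted belongs on update media.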
State Canvassing Boards
Another attack surface which could well be exploited is to hack into the State Canvassing Board and alter the vote totals as they come in from each individual county.
At the end of the evening, vote totals are tallied in each precinct and uploaded to the County Canvassing Board, typically via modem. The County Canvassing Board collects all the data from the individual precincts in that county, certifies the results, and then likewise sends those totals to the State Canvassing Board.
All of these systems typically communicate via modem, a sort of out-of-band network that should be resistant to hacking. However, all of these locations are typically “connected” office facilities, with modern Internet connections that will allow them to do normal government business. As a result, it’s possible that hackers could find a way into these systems in order to gain access to the databases that collect the results and attempt to manipulate them.
With the pervasiveness of Advanced Persistent Threats, a hacked network could go undetected for a very long period of time, allowing an adversary or a foreign government free rein while altering data and covering their tracks.
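A reconciliation check for the precinct-to-county-to-state flow described above, as an added example that is not part of the original post: totals recomputed from the precinct-level printed records are compared with what the county certified and what the state database holds. The data layout and all county, precinct and candidate names are hypothetical, and the check covers changes made in transit or at the canvassing boards, not at the voting machine itself.

```python
from collections import Counter

# Constructed sample data; county, precinct and candidate names are hypothetical.
PRECINCT_TAPES = {
    "Adams": {"P1": {"A": 120, "B": 95}, "P2": {"A": 80, "B": 110}},
    "Baker": {"P1": {"A": 60, "B": 40}},
    "Clark": {"P1": {"A": 30, "B": 35}},
}
COUNTY_CERTIFIED = {
    "Adams": {"A": 200, "B": 205},
    "Baker": {"A": 60, "B": 40},
    "Clark": {"A": 30, "B": 35},
}
STATE_RECORDED = {
    "Adams": {"A": 230, "B": 205},   # differs from the precinct records
    "Baker": {"A": 60, "B": 40},
    # "Clark" has no record at the state level
}


def county_total(precincts: dict) -> Counter:
    """Add up the per-candidate totals printed at each precinct."""
    total = Counter()
    for votes in precincts.values():
        total.update(votes)
    return total


def reconcile(tapes: dict, county: dict, state: dict) -> list:
    """Return (county, stage, candidate, from_tapes, recorded) for every
    mismatch; candidate is None when a stage holds no record for the county."""
    findings = []
    for name in sorted(set(tapes) | set(county) | set(state)):
        expected = county_total(tapes.get(name, {}))
        for stage, table in (("county", county), ("state", state)):
            if name not in table:
                findings.append((name, stage, None, None, None))
                continue
            recorded = table[name]
            for cand in sorted(set(expected) | set(recorded)):
                if expected.get(cand, 0) != recorded.get(cand, 0):
                    findings.append((name, stage, cand,
                                     expected.get(cand, 0), recorded.get(cand, 0)))
    return findings


if __name__ == "__main__":
    for finding in reconcile(PRECINCT_TAPES, COUNTY_CERTIFIED, STATE_RECORDED):
        print(finding)
```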
The only feasible and foolproof way to guarantee the integrity of election systems in the modern era is to use machines that either tally paper ballots or produce some form of paper receipt that can be counted in the event of a discrepancy. Optical Scan Voting Machines are superb in this regard, as they allow voters to fill out a paper ballot by filling in bubbles which are then scanned by the machine to tally results. The original paper ballots remain, however, and provide an audit trail.
Fully electronic voting machines as they exist today do not provide a satisfactory audit trail — they do not produce a paper receipt showing a record of each individual result. Although it is true that a final receipt may be printed containing vote totals, if code was inserted to manipulate these results, there is no way to ascertain if these results are valid or not — in other words, garbage in, garbage out.
In closing, recount efforts taking place right now in Wisconsin, Michigan and Pennsylvania are entirely missing the point. Instead of focusing on manual ballot recounts, full forensic analysis should be performed on the voting machines, as well as any USB media that contains the firmware/software update that was used to update those machines. A full analysis of the systems inside the County and State Canvassing Boards should be undertaken, and moving forward, acute precautions should be taken to ensure that any technology used to process votes is completely separated and cut off from normal systems used for day-to-day business.