Hacked U.S. Elections: the Probabilities and Defenses
When our nation’s election systems are used this November, how vulnerable are they to manipulation by foreign nation-state actors? The answer depends on how close the election will be.
Consider Bush vs. Gore in 2000. If an attacker, knowing it would be a very close election, had found a way to specifically manipulate the outcome in Florida, then their attack could have had a decisive impact. Of course, predicting election outcomes is as much an art as a science, so an attacker would need to hedge their bets and go after the voting systems in multiple “battleground” states. Conversely, there’s no point in going after highly polarized states, where small changes will have no decisive impact. As an attacker, you want to leave a minimal footprint.
How good are we at defending ourselves? Will cyber attacks on current voting systems leave evidence that can be detected prior to our elections? Let’s consider the possible attacks and how our defenses might respond.
Voter deregistration: The purpose of many attacks is simply to break things. Applied with partisan intent, you’d want to break things for one party more than the other. The easiest attack would be to hack a voter registration system, deleting voters who you believe are likely to support the candidate you don’t like.
For voters who have registered for a political party, you know everything you need to know to decide who to delete. For independent voters, you can probabilistically infer their political opinions based on how their local precinct votes and on other demographic variables. (Political scientists do this sort of thing all the time.) Selectively destroying voter registration databases is likely to be recoverable. Such voters could demand to vote “provisional ballots” and those ballots would be counted as normal once the voter registration databases were restored.
At this point, it’s far too late to require non-trivial changes in election technologies or even most procedures.
Vote flipping: A nastier attack would require an attacker to access the computers inside DRE voting systems. (“Direct recording electronic” systems are typically touch-screen computers with no voter-verifiable paper trail. The only record of a voter’s ballot is stored electronically, inside the computer.) These voting systems are typically not connected to the Internet, although they do connect to election management computers, and those sometimes use modems to gather data from remote precincts. (Details vary from state to state and even county to county.)
From the perspective of a nation-state cyber attacker, a modem might as well be a direct connection to the Internet. Once you can get malware into one of these election management computers, you can delete or flip votes. If you’re especially clever, you can use the occasional connections from these election management computers to the voting machines and corrupt the voting machines themselves. (We showed how to do these sort of viral attacks as part of the California Top–to–Bottom Review in 2007.)
If a competent nation-state actor attacks paperless DRE systems, there will be no reason to believe any of the electronic records are intact. A competent attacker would presumably also be good enough to clean up on their way out, so there wouldn’t necessarily even be any evidence of the attack.
The good news is that paperless DRE systems are losing market share and being replaced slowly but surely with several varieties of paper-ballot systems (some hand-marked and electronically scanned, others machine-marked). A foreign nation-state adversary can’t reach across the internet and change what’s printed on a piece of paper, which means that a post-election auditing strategy to compare the electronic results to the paper results can efficiently detect (and thus deter) electronic tampering.
Where would an adversary attack? The most bang for the buck for a foreign nation-state bent on corrupting our election would be to find a way to tamper with paperless DRE voting systems in a battleground state. So where are the likely targets?
Check out the New York Times’ interactive “paths to the White House” page, wherein you can play “what-if” games on which states might have what impact in the Electoral College. The top battleground state is Florida, but thanks in part to the disastrous 2006 election in Florida’s 13th Congressional district, Florida dumped its DRE voting systems for optically scanned paper ballots; it would be much harder for an adversarial cyber attack to go undetected. What about other battleground states?
Following the data in the Verified Voting website, Pennsylvania continues to use paperless DREs, as does Georgia. Much of Ohio uses DRE systems with “toilet paper roll” printers, where voters are largely unable to detect if anything is printed incorrectly, so we’ll lump them in with the paperless states. North Carolina uses a mix of technologies, some of which are more vulnerable than others. So let’s say the Russians want to rig the election for Republican candidate Donald Trump. If they could guarantee a Trump win in Pennsylvania, Georgia, Ohio and North Carolina, then a Florida victory could put Trump over the top. Even without conspiracy theories, Florida will still be an intensely fought battleground state, but we don’t need a foreign government making it any worse.
So What Should These Sensitive States do in the Short Term? At this point, it’s far too late to require non-trivial changes in election technologies or even most procedures. They’re committed to what they have and how they’ll use it. We could imagine requiring some essential improvements (security patches and updates installed, intrusion detection and monitoring equipment installed, etc.) and even some sophisticated analyses (e.g., pulling voting machines off the line and conducting detailed/destructive analyses of their internal state, going beyond the weak tamper-protection mechanisms presently in place). Despite all of this, we could end up in a scenario where we conclude that we have unreliable or tampered election data and cannot use it to produce a meaningful vote tally.
Consider also that all an adversary needs to do is raise enough doubt that the loser has seemingly legitimate grounds to dispute the result. Trump is already suggesting that this November’s election might be rigged, without any particular evidence to support this conjecture. This makes it all the more essential that we have procedures that all parties can agree on for recounts, audits, and what to do when those indicate discrepancies.
In case of emergency, break glass. If we’re facing a situation where we see tampering on a massive scale, we could end up in a crisis far worse than Florida after the 2000 Bush/Gore election. If we do nothing until after we find problems, every proposed solution will be tinted with its partisan impact, making it difficult to reach any sort of procedural consensus.
Nobody wants to imagine a case where our electronic voting systems have been utterly compromised, but if we establish processes and procedures in advance for dealing with these contingencies—such as commissioning paper ballots and rerunning the elections in impacted areas—we will disincentivize foreign election adversaries and preserve the integrity of our democracy.
Addendum: Contingency planning was exactly the topic of discussion after Hurricane Sandy disrupted elections across the Northeast in November 2012. It would be useful to revisit whatever changes were made then, in light of the new threat landscape we have today.
Related reading:
- David Dill on why online voting is a bad idea.
- David Jefferson on why online voting is a bad idea and why voting security is a national security issue.
- The Boston Globe covered this story with quotes from Barbara Simons and Ron Rivest.
- The Christian Science Monitor ran an op-ed by Jason Healey, suggesting many possible responses, including hacking back at the Russians, and another op-ed by Scott Shackelford, discussing cybersecurity “codes of conduct” and the need to treat voting equipment as “critical infrastructure.”
A version of this piece first appeared on the Freedom to Tinker blog at Princeton’s Center for Information Technology Policy.