Widespread hacking fears surface as US poll date nears

10 Oct 2016

With the US election day still four weeks away, the integrity of the final outcome is under attack by a combination of real weaknesses in US cybersecurity and candidate-fuelled charges about ballot tampering, reports Politico magazine.

It's not just allegations that Donald Trump-supporting Russians are hacking systems or the Republican nominee's insistence that he can only lose if Hillary Clinton's people actually rig the vote tally. It's a very real flurry of electronic pokes and prods that more than 20 states have already experienced as cyber criminals try to gain access to one of the crown jewels of this election: the voter registration rolls.

''I see this is the Russians trying to screw with democracy,'' Sen Lindsey Graham, the South Carolina Republican who ran a short-lived 2016 campaign for the presidency, told Politico.

The threat to the presidential election was brought home on Friday when the Obama administration gave its most definitive statement yet that it is ''confident'' the Russian government is the main actor responsible for recent hackings into the Democratic National Committee and other political organizations.

It's against that backdrop that state and local election officials have the difficult task of trying to manage the more than 120 million voters who are likely to show up to vote for Clinton or Trump, all without any significant hitches.

Early voting in some states has already begun, and over the final 30 days of this contest, about 10,000 diverse jurisdictions will implement their own election rules and deploy different ballot technologies.

Hanging in the balance is the legitimacy of the win for whichever candidate claims it. That would have been hard enough to attain in this year of toxic partisan politics, but it's ever more so because of the country's odd voting infrastructure, a mix of antiquated technology and newer digital methods that have their own demonstrated weak links.

With that in mind, Politico underlines some important things to know about the cybersecurity of the US election:

  • Hacking the Democratic National Convention is not the same as hacking an election.
  • Like the hacking that got Sony Pictures into trouble in late 2014, what has caused the Democratic National Convention much grief on the theft and release of embarrassing and compromising internal emails.
  • But there's a critical distinction here that election security experts want the country – and cyber criminals - to understand: the DNC and Sony hacks are different than the kind of operation it would take to break into a voting machine and manipulate its results.
  • Yes, computer scientists have demonstrated they're capable of hacking into select voting machines under certain laboratory conditions. Still, federal and state election officials insist that nothing of that sort can happen at any kind of scale to affect the presidential race's overall results.
  • That's because the election itself is conducted through more than 50 different administrative offices.

''This means that there's no national system that a hacker or bad actor can infiltrate to affect the American elections as a whole,'' Thomas Hicks, the chairman of the US Election Assistance Commission, said during a recent House subcommittee hearing.

The Homeland Security Department also says it's ready to keep the election safe by helping states assess any threats to their voting systems. To date, 25 states have taken Jeh Johnson up on his offer for federal aid, and state officials say they have their own safeguards in place too that will detect any problems before the final results are certified later this year.

''Whatever candidate I want to win or lose, I need to have the confidence that the results are actually accurate because otherwise the underpinning of the whole republic goes away,'' Colorado secretary of state Wayne Williams said in an interview.

Most important, election officials insist they can't be hacked because most parts of the balloting process - with some notable exceptions, like some overseas and military voting - isn't connected to the internet.

''So a bad actor would have to access these systems in person,'' Hicks said. ''The amount of resources required to carry out this attack would be immense.''

Still, the voting process has many weak points.

Of course, the presidential election isn't 100 per cent safeguarded from cyber chicanery. Arizona and Illinois have already seen hackers crack their voter rolls, and a Department of Homeland Security official recently confirmed to Politico that more than 20 states had their public-facing registration systems intensely probed for weak links.

Voting registration lists are not the same as the actual voting machines, a distinction that state and federal officials say can't be made enough.

But the vulnerabilities demonstrated in those two instances have heightened concern about the downstream consequences. While state officials say they make routine and often nightly backups of who is registered to vote - and provisional ballots always remain an option if a name isn't found on the rolls come Election Day - some lawmakers and election security experts say they're alarmed now that it has been demonstrated that state election offices aren't impenetrable.

They warn of long lines if the registration databases have problems, even in small ways, potentially turning off voters who don't have the time or patience to wait. They also fret that these early hacks are just a precursor to more sinister dirty tricks that tamp down turnout.

''What would happen if emails were sent to all of those voters, or just the Democratic voters, telling them the date of the election has been changed or their precinct had been changed?'' said Republican Zoe Lofgren (D-Calif.).

''Wouldn't that create chaos in a system if even a small percentage of voters believed an email, mis-advising them?''

Voting systems have other weaknesses too. Computer scientists say some states use tabulation programs run on older computers with outdated operating systems, including Windows 2000, where security patches are no longer available from the vendors. Even though the official results aren't required to be certified for several weeks after the election, they warn that the totals being transmitted from local polling precincts up the chain to county and state election headquarters – and out to the public via websites and the media – are susceptible to hackers. And that could cause problems in a heated race where supporters of both presidential candidates have been raising alarms about vote tampering.

''There are significant vulnerabilities where attacking a single point could result in an interesting result,'' Dan Wallach, a Rice University computer science professor, told Congress during a recent hearing on election integrity.